Return-Path: Delivered-To: apmail-httpd-users-archive@www.apache.org Received: (qmail 56900 invoked from network); 15 May 2008 13:52:37 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 15 May 2008 13:52:37 -0000 Received: (qmail 21603 invoked by uid 500); 15 May 2008 13:52:26 -0000 Delivered-To: apmail-httpd-users-archive@httpd.apache.org Received: (qmail 21581 invoked by uid 500); 15 May 2008 13:52:26 -0000 Mailing-List: contact users-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: users@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list users@httpd.apache.org Received: (qmail 21547 invoked by uid 99); 15 May 2008 13:52:26 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 15 May 2008 06:52:26 -0700 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of jslive@gmail.com designates 74.125.46.152 as permitted sender) Received: from [74.125.46.152] (HELO yw-out-1718.google.com) (74.125.46.152) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 15 May 2008 13:51:40 +0000 Received: by yw-out-1718.google.com with SMTP id 6so211764ywa.84 for ; Thu, 15 May 2008 06:51:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:sender:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; bh=Vk10RN4jnVhOGDNJUV8zVWDDD3rtbQ1gSU5fZpfy1IM=; b=LwOuFGIxqW/aIZ9p1vDhhTbqpqO59GZQ4xM2NSDYvM8FE43Xhi0q7Qmi4oitVNK4e0+vhnWyjQUGcU9D+FuBqono39zPhRt3+pYK1RyIt01o552tRE5+Xkzw+ANK5HUI0Wsd1L7Ew2owEJsVdwK2fkiMxrXi7yJk9yCmsCr4NhA= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:sender:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=b9XP4lywgT8PNIo0aHoTZv7em+H3FKRB3J8pIUVuDLdpD5/bfZXvzsYdEGZbyrN0wimtRJPD5Ha0flxt4vZfUrb9Go+yCvBUPOuIebuqhPay38GEkmam5mwzAfrJ0OkClUMJYgn+pw8PYqAYCmy//megvvVHncaMDy1nal3amPM= Received: by 10.150.73.41 with SMTP id v41mr2231576yba.185.1210859515036; Thu, 15 May 2008 06:51:55 -0700 (PDT) Received: by 10.150.198.4 with HTTP; Thu, 15 May 2008 06:51:54 -0700 (PDT) Message-ID: Date: Thu, 15 May 2008 09:51:54 -0400 From: "Joshua Slive" Sender: jslive@gmail.com To: users@httpd.apache.org In-Reply-To: <005701c8b65e$67db8580$f81310ac@nmm.local> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <1210795669.58200.ezmlm@httpd.apache.org> <005701c8b65e$67db8580$f81310ac@nmm.local> X-Google-Sender-Auth: c8c6a5242b4a6720 X-Virus-Checked: Checked by ClamAV on apache.org Subject: Re: [users@httpd] Re: Apache Security Problem On Thu, May 15, 2008 at 3:36 AM, Andre H=FCbner wrot= e: > > sorry, I think i verbalized not clear enough. ;) > essence is following: The way of creating a symlink is irrelavant. In Mo= st > cases this is a script, but symlink is also creatable by just unpacking a > archive with symlinks that points to other users files. > Symlinks are very flexible and can even point to itself. A symbolic Link = in > Filesystem is always created even if target has to less permissions or is > not existent. In this cases the link is just dead for the cgi-user that > created it. But Link is not dead for apache user. If we think that other > file is readable for apache cause is part of website than apache serves > content of other users file. Apache seems in this case just to check if > source and target of symlink is readable for apacheuser and serves file i= f > is so. I can decrease chmod of targetfile but if it also should be server= ed > by apache the group of the file have to be apchegroup and we have the cas= e > that ist still readable. > I cannot stop creating symlinks by script or other ways. I could activate > SymLinksIfOwnerMatch but user could change this with own .htaccess cause = i > grant AllowOverride All in httpd.conf > Decreasing of AllowOverride Level to remove Options-Group is realy big st= ep > cause it would remove also further helpful things > http://httpd.apache.org/docs/2.2/en/mod/core.html#options > Hmm, best way would be to activate SymLinksIfOwnerMatch without removing > whole Options Directive. > > Now i have: > > > AllowOverride FileInfo AuthConfig Limit Indexes > Options ExecCGI Includes MultiViews Indexes SymLinksIfOwnerMatch > > > and symlinks to other users files are not permitted. But on the other han= d > every .htaccess which uses Options, php_flag, php_value directive (may be > more) runs into 500 Error :( You can do restrictions of particular options using the technique shown her= e: http://httpd.apache.org/docs/2.2/howto/htaccess.html#how But I have a feeling that there are other ways around your separation. It depends on exactly the details of how you are running your scripts. Joshua. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See for more info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org " from the digest: users-digest-unsubscribe@httpd.apache.org For additional commands, e-mail: users-help@httpd.apache.org