Home page logo
/

basics logo Security Basics mailing list archives

Re: some permission problem?
From: "SB CH" <chulmin2 () hotmail com>
Date: Fri, 09 May 2003 12:57:02 +0000

Thanks again for all your kind answer.

But there is another way like some other user's file include /etc/passwd, like dbconn.inc which contains a username and password of the db(like mysql. oracle...) in web hosting server.

As a matter of fact, anyone can read these files easily using fileopen() like perl or php function by web. Is there any method against this attack?


Thanks again.





----- Original Message -----
From: "SB CH" <chulmin2 () hotmail com>
To: <security-basics () securityfocus com>
Sent: Tuesday, May 06, 2003 12:29 AM
Subject: some permission problem?


> Hello, all.
>
> I found that some malicious man browsed /etc/passwd file by httpd.
> So I would like to block to see /etc/passwd file by nobody(http user)
> permission.
> but as you know, any shell logging users should have read permission.
>
> So, is there any method to enable this?
>
> I think that only one method that all users are some group member except
> nobody. and only group members can  read the /etc/passwd file, right?
> but this work is so so hard at my system.
>
> Also, I saw that some commercial host baed ips can do this.
>
> any patch is available?
>
>
> Thanks in advance and sorry for poor english.
>
>
> _________________________________________________________________
> 책상위에 다리 올리고 느긋하게 즐긴다... MSN 온라인 상영관
> http://vod.msn.co.kr
>
>
> --------------------------------------------------------------------------
-
> FastTrain has your solution for a great CISSP Boot Camp. The industry's
most
> recognized corporate security certification track, provides a
comprehensive
> prospectus based upon the core principle concepts of security. This ALL
INCLUSIVE curriculum utilizes lectures, case studies and true hands-on
utilization
> of pertinent security tools. For a limited time you can enter for a chance
> to win one of the latest technological innovations, the SEGWAY HT.
> Log onto http://www.securityfocus.com/FastTrain-security-basics
> --------------------------------------------------------------------------
--
>


---------------------------------------------------------------------------
FastTrain has your solution for a great CISSP Boot Camp. The industry's most
recognized corporate security certification track, provides a comprehensive
prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case studies and true hands-on utilization
of pertinent security tools. For a limited time you can enter for a chance
to win one of the latest technological innovations, the SEGWAY HT.
Log onto http://www.securityfocus.com/FastTrain-security-basics
----------------------------------------------------------------------------

_________________________________________________________________
고.. 감.. 도.. 사.. 랑.. 만.. 들.. 기.. MSN 러브 http://www.msn.co.kr/love/

---------------------------------------------------------------------------
FastTrain has your solution for a great CISSP Boot Camp. The industry's most recognized corporate security certification track, provides a comprehensive prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case studies and true hands-on utilization of pertinent security tools. For a limited time you can enter for a chance to win one of the latest technological innovations, the SEGWAY HT. Log onto http://www.securityfocus.com/FastTrain-security-basics ----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]