Home page logo

bugtraq logo Bugtraq mailing list archives

Re: HTTPD bug
From: carson () lehman com (carson () lehman com)
Date: Mon, 17 Apr 1995 13:18:08 -0400

"Martin" == Martin J Hargreaves <ch11mh () surrey ac uk> writes:

Martin>         I don't think this has been brought up on bugtraq yet, if it
Martin> has sorry. This is from Linux-security, posted by "Mr Pink
Martin> (vince () dallas demon co uk) apologies to Mr. Pink for my instant
Martin> repost.

Martin> On Sun, 16 Apr 1995, Mr Pink wrote:

It allows you to create a directory in a users home dir that can be
accessed via mosaic/netscape.  well the bad bit of news is, if you sym
link this dir to root (/), file ownership becomes non existent.

i was easily able to read the shadow passwd file!

The easy fix is to run the daemon as nobody (which is what I do).
chroot'ing will also take care of this sort of problem.

Carson Gaspar -- carson () cs columbia edu carson () lehman com
<This is the boring business .sig - no outre sayings here>

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]