Bugtraq mailing list archives

Re: HTTPD bug
From: jkonczal () nist gov (Joe Konczal)
Date: Tue, 18 Apr 1995 16:49:53 -0400

Martin J Hargreaves <ch11mh () surrey ac uk> writes:

    Unfortunately just running as 'nobody' is not enough, you have
    to either disallow the following of symlinks in user
    directories (which is a good idea anyway), choose which users
    can have symlinks and have a more complex access list (this is
    NCSA httpd, I don't know about the CERN version), or lastly
    just allow any user to give the network read access to your
    system (may be option for those in a secure environment or who
    trust all the users on the system).

Aren't there plenty of other ways an untrusted user could distribute
"other" readable files, like e-mail, news, a reference in his home
page to another httpd on a high numbered port, printouts stapled to
telephone poles, etc.  Would you sleep better at night knowing that
your untrusted users might be distributing your password file or any
other files they can read without making the httpd follow symbolic

Joseph C. Konczal  <konczal () csmes ncsl nist gov>             
National Institute of Standards and Technology
Tech. A62, Gaithersburg, MD  20899  USA
(301) 975-3285

NIST Computer Security Resource Clearinghouse - http://csrc.ncsl.nist.gov
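The exchange above turns on one question: can a symlink in a user's web directory make the server hand out a file that lives elsewhere on the host? The audit below is an added example, not code from this post or from NCSA httpd. It walks a user's document directory and flags every symlink whose resolved target lies outside that directory, or whose target is owned by a different account, which is exactly the condition an administrator who disables symlink following is trying to rule out. The directory layout, the user name "alice" and the file contents are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(user_dir, owner_uid=None):
    """Return (link, target, reason) for each symlink under user_dir that
    resolves outside user_dir, points at a file owned by a different uid,
    or dangles. os.walk does not descend into symlinked directories, so a
    link to a directory is reported once rather than followed."""
    root = Path(user_dir).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            try:
                target = link.resolve(strict=True)
            except (FileNotFoundError, RuntimeError):
                # RuntimeError covers symlink loops; dangling links are odd
                # enough in a web root to be worth reporting too
                findings.append((str(link), None, "dangling or looping"))
                continue
            reason = None
            if target != root and root not in target.parents:
                reason = "escapes user directory"
            elif owner_uid is not None and target.stat().st_uid != owner_uid:
                reason = "target owned by another user"
            if reason:
                findings.append((str(link), str(target), reason))
    return findings


def demo():
    """Build a throwaway tree (constructed sample data, not a real host) with
    one harmless in-tree symlink and one symlink reaching outside, then audit it."""
    base = Path(tempfile.mkdtemp()).resolve()
    # stands in for any world-readable file elsewhere on the system
    outside = base / "outside_secret.txt"
    outside.write_text("not meant for the web\n")

    user_dir = base / "home" / "alice" / "public_html"   # hypothetical layout
    user_dir.mkdir(parents=True)
    (user_dir / "index.html").write_text("<h1>hello</h1>\n")
    (user_dir / "ok").symlink_to("index.html")   # relative, stays inside: fine
    (user_dir / "leak").symlink_to(outside)      # reaches outside: flagged

    owner = os.stat(user_dir).st_uid
    return find_escaping_symlinks(user_dir, owner_uid=owner)


if __name__ == "__main__":
    for link, target, reason in demo():
        print(f"{reason}: {link} -> {target}")
```

Run on a real tree, point it at each user's web directory and pass that user's uid; anything reported is a candidate for removal or for a per-directory configuration that turns symlink following off (in Apache httpd, the NCSA descendant, that is the `Options` directive's `FollowSymLinks` / `SymLinksIfOwnerMatch` setting). The check is advisory only: it does not change the filesystem.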
