Tim Greer wrote:
>On Wed, 2003-11-05 at 05:22, António Vasconcelos wrote:
>
>>It shouldn't...
>>There is no need for nobody/nobody to read /etc/passwd file.
>>
>
>Sure it should. Well, on a server with multiple users, you don't want
>to have everyone run as the global web server user anyway (so just
>denying nobody (How's Apache going to read it when it needs to now, a
>special group, and then what? A lot of hassles)), or you risk users
>smashing other users files that CGI/PHP scripts use/create, etc.
>
That's in /etc/groups, not in /etc/passwd (of course that in most
Linuxes that would give away the user list), and you can always use
group numbers instead of names.
There are a lot of bad programmers around.
Worse, there are a lot of programmers around that don't know they are
bad programmers; the traditional buffer overflow in malloc() and
memcpy() or strcpy() shows just that.
Any php/perl programmer in a web environment _should_ know that he must
be very careful when accessing any kind of file based on info passed
from the net.
Checking, checking and re-checking is one way of doing it. However
there is always someone smarter than you. If you know that then you can
be a good programmer, and know that you cannot rely only on that. So,
the right thing to do is make sure that even if you do something wrong
in your program, the system setup won't let a really bad thing happen.
>Chrooting Apache would then be best (or in addition to), so you can take
>advantage of the best of both worlds (not to mention resource
>limitations for PHP/CGI per user/vhost).
>
That, of course, is the right thing to do.
But you can't forget that any info you give away can (and sometimes
will) be used against you. So, giving away your user list is not a good
idea.
--
António Vasconcelos
(Systems Administrator)
ALL2IT-Infocomunicações, SA
Torre de Monsanto, 6º Piso
Miraflores, Algés
PORTUGAL
Telf.: + 351 21 412 39 50
Fax.: + 351 21 410 51 94
*CONFIDENTIAL*: This e-mail contains proprietary information, some or
all of which may be legally privileged. It is for the intended
recipients only. According to the law in force, if an addressing or
transmission error has misdirected this e-mail, please notify the author
by replying to this e-mail and delete it from your system without
retaining a copy.
Received on Nov 06 2003
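The reply above argues that a web script must never open a file purely on the strength of a name received from the net, and that the setup should contain the damage when the script gets it wrong. The following is an added example, not code from the thread: it confines a client-supplied file name to one directory (the `resolve_under`, `read_web_file` and `demo` names, the temporary web root and the sample requests are all constructed for the demonstration), so that neither `../` sequences nor a symlink planted inside the web root can turn the request into a read of /etc/passwd.

```python
"""Added example: confine a request-supplied file name to one directory
so that a bug elsewhere cannot turn it into a read of /etc/passwd or any
other file outside the web root. All names/paths here are constructed."""
import os
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """The request-supplied name would escape the permitted directory."""


def resolve_under(base_dir, requested):
    """Return the real path of `requested` inside `base_dir`, or raise."""
    base = Path(base_dir).resolve(strict=True)
    # Reject NUL bytes and absolute names before touching the filesystem.
    if "\0" in requested or requested.startswith("/"):
        raise UnsafePath(requested)
    # resolve() follows symlinks, so a link inside the web root that points
    # at /etc/passwd fails the containment check just like "../" does.
    candidate = (base / requested).resolve(strict=False)
    if candidate != base and base not in candidate.parents:
        raise UnsafePath(requested)
    return candidate


def read_web_file(base_dir, requested, max_bytes=65536):
    """Read a file named by the client, refusing anything outside base_dir."""
    path = resolve_under(base_dir, requested)
    if not path.is_file():
        raise FileNotFoundError(requested)
    with open(path, "rb") as fh:
        return fh.read(max_bytes)


def demo():
    """Run constructed requests against a throwaway web root; map name -> outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        root_path = Path(root)
        (root_path / "index.html").write_bytes(b"<h1>hello</h1>")
        # A symlink planted inside the web root that points outside it.
        os.symlink("/etc/passwd", root_path / "users.txt")
        for name in ["index.html", "../../etc/passwd", "users.txt", "/etc/passwd"]:
            try:
                results[name] = read_web_file(root, name)
            except UnsafePath:
                results[name] = "rejected"
    return results
```

The containment check is only the first layer; the reply's second point still applies, so the web server's user should also lack read permission on anything it has no business serving.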