Vulnerability Development mailing list archives
Re: apache + .htpasswd - bypass pwd check
From: Jedi/Sector One <j () pureftpd org>
Date: Fri, 26 Apr 2002 23:15:52 +0159
On Fri, Apr 26, 2002 at 02:07:05PM -0700, RSnake wrote:
> cd ~john I don't have to know where it is.
Unless your users have shell access, there's no reason to have anything but a 'nobody' account in your /etc/passwd & co files. If you need entries for suexec to work, have fake ones, with no password, no shell and /dev/null as a home directory. The only thing Apache+suexec needs is to map uids to some user name. The real path to web pages of every virtual host is located in httpd.conf's DocumentRoot directives. System accounts don't have to match.
> Chrooted jails are the only way to go.
Indeed. Zeus has a handy feature to do this out of the box.
--
 __  /*-  Frank DENIS (Jedi/Sector One) <j () 42-Networks Com>  -*\  __
 \ '/  <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>  \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/
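An added example, not part of the original post: a small audit that checks passwd-format entries against the layout the message describes (no usable password, no shell, /dev/null as home). It assumes "no password" means a locked password field (`*` or `!`); the function name, the exempt list, the set of non-login shells and the sample entries are all constructed for illustration.

```python
# Added example: audit passwd-format entries against the mapping-only layout.
# Assumption: these shells count as "no shell" for the purpose of the check.
NON_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/dev/null"}
NULL_HOME = "/dev/null"


def audit_passwd(text, exempt=("root",)):
    """Return {username: [findings]} for entries that are not mapping-only."""
    report = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            report[f"<line {lineno}>"] = ["malformed entry (expected 7 fields)"]
            continue
        name, pw, _uid, _gid, _gecos, home, shell = fields
        if name in exempt:
            continue
        findings = []
        if pw == "":
            findings.append("empty password field: login without a password")
        elif pw == "x":
            findings.append("password is in shadow file: check it is locked there")
        elif not pw.startswith(("*", "!")):
            findings.append("password hash present in passwd")
        if shell == "":
            findings.append("empty shell field: defaults to /bin/sh")
        elif shell not in NON_LOGIN_SHELLS:
            findings.append(f"login shell {shell}")
        if home != NULL_HOME:
            findings.append(f"home directory {home} is not {NULL_HOME}")
        if findings:
            report[name] = findings
    return report


# Constructed sample, not taken from any real system.
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
nobody:*:65534:65534:nobody:/dev/null:/bin/false
vhost1:*:2001:2001:suexec mapping:/dev/null:/bin/false
john:x:1001:1001:John:/home/john:/bin/bash
vhost2:*:2002:2002:suexec mapping:/var/www/vhost2:/bin/false
"""

if __name__ == "__main__":
    for user, findings in audit_passwd(SAMPLE).items():
        print(user, "->", "; ".join(findings))
```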