
RE: [cobalt-security] suggestion: chmod the files



I have addressed this issue several times, also in context with the RaQs and
PHP, please see the "php and raq2" thread, too.

Last time I had an idea what could be done; unfortunately, I got no replies
on it though I posted it two times. It would be nice if you could drop a few
lines on what you think about the following... does it fix the problem?

> -----Original Message-----
> From: Matthias Pigulla 
> Sent: Saturday, August 26, 2000 12:39 PM

> OK, I've been a bit off topic by now. Concerning our issue: What about
> setting the /home/siteX directories to httpd:siteX, chmod 2750, and all
> files below them to [user]:siteX and either 640/750 or 644/755 if they have
> to be httpd readable?
> 
> I think this would block "foreign" users from entering other customers'
> (yeah, sites = customers :) directories. The http daemon could get the
> directories for he owns them and does not need to be siteX group member.
> The siteX's are granted access by the siteX group they belong to.
> Admin would have to be part of all site groups, and he already is.
> 
> I'm not sure whether this would open another hole - you MUST make sure that
> NOBODY (at least no untrusted user) is able to run processes as http, or he
> could take over the whole site directory. So you must wrap all CGI
> processes, run PHP as wrapped CGI (performance :-() ...

Best regards,
Matthias
--

 w e b f a c t o r y   G m b H
   Matthias Pigulla <mp@xxxxxxxxxxxxx> - Managing Director
   Lessingstr. 60 - D-53113 Bonn - Germany - www.webfactory.de
   Phone +49(0)228-9114455 - Fax +49(0)228-9114499 - ICQ 6394233

> -----Original Message-----
> From: Florian Effenberger [mailto:florian.effenberger@xxxxxxxxxxxxx]
> Sent: Friday, 15 September 2000 19:14
> To: cobalt-users@xxxxxxxxxxxxxxx; cobalt-security@xxxxxxxxxxxxxxx
> Subject: [cobalt-security] suggestion: chmod the files
> 
> 
> Hello,
> 
> and another one :)
> 
> I only give one very trusted customer Telnet access, but this user can
> see too much in my opinion. He can list /home/sites and therefore see
> the URLs of our clients.
> 
> Is it possible that you release a patch so /home/sites (and other
> directories!) can be listed only as root?
> 
> Thanks a lot,
> Florian
> 
> 
> 
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>