Re: [cobalt-security] RE: SSI Vuln on cobalt
- Subject: Re: [cobalt-security] RE: SSI Vuln on cobalt
- From: Larry Smith <lesmith@xxxxxxxxx>
- Date: Mon, 22 Apr 2002 13:59:33 -0500
- Organization: ECSIS.NET
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On Monday 22 April 2002 11:18 am, Jeff Lasman wrote:
> Easy way, as I mentioned in an earlier reply, install a root-owned
> .htaccess file in the /web folder. Then your site-admin won't be able
> to upload one.
Jeff,
This is partially true. The "owner" of the directory space can "remove"
(and henceforth replace) any file that is "within" their directory space. So
putting the .htaccess under the /web owned by the "admin" for example
"site20" means that the admin for site20 can remove that file and then
replace it with their own.
Admittedly more difficult, but possible. The only way to stop this is to
use chattr and change the attributes for the file to non-deletable (which
means even root cannot delete it without changing the secondary attributes
first).
Larry Smith
SysAd ECSIS.NET
sysad@xxxxxxxxx
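
The check discussed in this message, as an added example that is not part of the original post: a shell function that reports whether a given .htaccess file can be removed and replaced by a non-root account, or is pinned by the immutable attribute. The function name htaccess_status and its output words are hypothetical; it assumes GNU stat and, where available, lsattr.

```shell
#!/bin/sh
# htaccess_status FILE  (hypothetical helper name, added example)
# Prints one word:
#   missing      FILE does not exist
#   immutable    immutable attribute set; unlink/rename fail until cleared
#   replaceable  a non-root account can delete FILE and put its own in place
#   root-only    only root can remove FILE from its directory
# Assumes GNU stat; lsattr (e2fsprogs) is used when present.
htaccess_status() {
    f=$1
    if [ ! -f "$f" ]; then echo missing; return 0; fi

    # Root sets the flag with: chattr +i FILE   (and clears it with -i).
    # If lsattr is absent or the filesystem has no attribute support,
    # flags stays empty and the file is treated as not immutable.
    flags=$(lsattr -d "$f" 2>/dev/null | cut -d' ' -f1)
    case $flags in
        *i*) echo immutable; return 0 ;;
    esac

    # Deleting a file needs write access to its directory, not to the file,
    # so the directory's owner and mode decide, whoever owns the file.
    d=$(dirname "$f")
    uid=$(stat -c %u "$d")
    mode=$((0$(stat -c %a "$d")))

    # A non-root directory owner can always remove entries (or chmod the
    # directory until they can).
    if [ "$uid" -ne 0 ]; then echo replaceable; return 0; fi

    # Root-owned directory: group/other write access still allows removal
    # unless the sticky bit restricts deletion to file and directory owners.
    if [ $((mode & 01000)) -eq 0 ] && [ $((mode & 022)) -ne 0 ]; then
        echo replaceable; return 0
    fi
    echo root-only
}
```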