
Re: [cobalt-security] RE: SSI Vuln on cobalt



On Monday 22 April 2002 11:18 am, Jeff Lasman wrote:
> Easy way, as I mentioned in an earlier reply, install a root-owned
> .htaccess file in the /web folder.  Then your site-admin won't be able
> to upload one.

Jeff,

  This is partially true.  The "owner" of the directory space can "remove" 
(and henceforth replace) any file that is "within" their directory space.  So 
putting the .htaccess under the /web owned by the "admin" for example 
"site20" means that the admin for site20 can remove that file and then 
replace it with their own.  

  Admittedly more difficult, but possible.  The only way to stop this is to 
use chattr and change the attributes for the file to non-deletable (which 
means even root cannot delete it without changing the secondary attributes 
first).

Larry Smith
SysAd ECSIS.NET
sysad@xxxxxxxxx
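
An audit for the point made in the message above, as an added example that is not part of the original thread: it reports whether a root-owned file can still be removed and replaced, and generalizes slightly to root-owned directories that are group/other writable. It assumes Linux with GNU stat and e2fsprogs lsattr; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: can a root-owned file such as .htaccess still be replaced?
# Assumes GNU stat and e2fsprogs lsattr; function names are made up here.

# has_immutable PATH: succeeds only if lsattr reports the 'i' (chattr +i) flag.
# A missing lsattr or an unsupported filesystem counts as "not immutable".
has_immutable() {
    attrs=$(lsattr -d -- "$1" 2>/dev/null) || return 1
    case "${attrs%% *}" in *i*) return 0 ;; *) return 1 ;; esac
}

# verdict DIR_UID DIR_MODE IMMUTABLE(yes|no): pure decision logic.
# DIR_MODE is the octal mode as printed by `stat -c %a` (e.g. 755, 1777).
verdict() {
    if [ "$3" = yes ]; then
        echo "LOCKED: immutable flag set, unlink fails until chattr -i"
        return
    fi
    if [ "$1" -ne 0 ]; then
        # Unlinking needs write access to the directory, not to the file, and
        # a directory's owner can always grant that to themselves.
        echo "REPLACEABLE: directory owner uid $1 can remove and recreate it"
        return
    fi
    m="000$2"
    go=${m#"${m%??}"}                      # group and other permission digits
    special=${m%???}; special=${special#"${special%?}"}
    case "$special" in [1357]) sticky=yes ;; *) sticky=no ;; esac
    case "$go" in
        [2367]?|?[2367])
            if [ "$sticky" = no ]; then
                echo "REPLACEABLE: root-owned directory is group/other writable"
                return
            fi ;;
    esac
    echo "OK: non-root users cannot remove a root-owned file here"
}

# audit_lock FILE: gather the facts for FILE and print the verdict.
audit_lock() {
    dir=$(dirname -- "$1")
    dir_uid=$(stat -c %u -- "$dir") || return 2
    dir_mode=$(stat -c %a -- "$dir") || return 2
    if has_immutable "$1"; then imm=yes; else imm=no; fi
    printf '%s: ' "$1"
    verdict "$dir_uid" "$dir_mode" "$imm"
}

if [ "$#" -gt 0 ]; then audit_lock "$1"; fi
```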