
Re: [cobalt-security] Re: Re: SSI Vuln on cobalt



Hi Chris,

> Since they own the directory (and have to, to create files), they can
> remove any .htaccess file root creates.

Actually: Who owns a directory doesn't affect the file permissions and file 
ownerships of anything within the directory.

How would a user be able to delete the following file?

-rw-r--r--   1 root     root         404 Apr 23 07:17 .htaccess

Owned by root, permissions set to read only for all but user root and group 
root. The user can view the file, but that's it. If you put the file in the 
/web directory of the virtual site, then the user can't even delete the 
directory and recreate it due to the directory permissions.

Answer: The user *cannot* delete or overwrite this file and that's it. Put in 
the proper options and he can't even use .htaccess files in his self created 
subdirectories, as the toplevel .htaccess always overrides settings of 
.htaccess files in a subdirectory.

FWIW: /etc/httpd/conf/access.conf has lots of interesting comments in there 
and with a little tweaking of the existing rules in there the entire problem 
is solved with ease.

For instance: You can deny usage of any .htaccess files in all directories 
except those that you explicitly specify in /etc/httpd/conf/access.conf

-- 

Mit freundlichen Grüßen / With best regards

Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
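The check a practitioner would want to run before relying on a root-owned .htaccess, plus the access.conf rules the message points at, as an added example that is not part of the original message or of the Cobalt software. On Unix, whether a file can be unlinked is decided by the write bit of the directory that contains it, not by the file's own mode or owner, so the script below builds a throwaway directory under $TMPDIR, drops a mode 0444 .htaccess into it and tries to remove it with the directory set first to 0755 and then to 0555. It runs as an ordinary user, so the "root-owned" file is simulated by an unwritable file owned by the current user (the unlink rule is the same either way; only a uid 0 caller bypasses it). The site path /home/sites/site1/web in the second function is an assumption, as is the .htaccess content.

```shell
#!/bin/sh
# Added example, not from the original message. Demonstrates that unlink
# permission lives on the directory, and prints one way to write the
# access.conf rules discussed above.

set -u

# try_unlink DIR_MODE
# Create a directory with DIR_MODE, place a read-only (0444) .htaccess in
# it, then try to remove that file as the directory's owner.
# Prints "removed" if the file could be unlinked, "kept" otherwise.
try_unlink() {
    dir_mode=$1
    work=$(mktemp -d "${TMPDIR:-/tmp}/htaccess-demo.XXXXXX") || return 2
    # Constructed file content; the content is irrelevant to the test.
    printf 'Options -Includes\n' > "$work/.htaccess"
    chmod 0444 "$work/.htaccess"
    chmod "$dir_mode" "$work"
    if rm -f "$work/.htaccess" 2>/dev/null && [ ! -e "$work/.htaccess" ]; then
        result=removed
    else
        result=kept
    fi
    # Restore write access so the scratch directory can be cleaned up.
    chmod 0755 "$work"
    rm -rf "$work"
    echo "$result"
}

# hardened_access_conf
# Prints access.conf rules that ignore .htaccess files everywhere and then
# re-enable a limited set of overrides for one explicitly named directory.
# The site path is an assumption for illustration. Because "Options" is
# not in the AllowOverride list, a .htaccess in that tree cannot switch
# Includes (SSI) back on.
hardened_access_conf() {
    cat <<'EOF'
# Default for the whole filesystem: no .htaccess file is consulted.
<Directory />
    AllowOverride None
    Options None
</Directory>

# Explicit exception for one virtual site: auth and access-control
# directives may be overridden, nothing else (in particular not Options).
<Directory /home/sites/site1/web>
    AllowOverride AuthConfig Limit
    Options None
</Directory>
EOF
}

# Stand-alone run: show both directory modes, then the config fragment.
if [ "${1:-}" = "--demo" ]; then
    echo "dir 0755, file 0444: $(try_unlink 0755)"
    echo "dir 0555, file 0444: $(try_unlink 0555)"
    hardened_access_conf
fi
```

Run it with `sh script.sh --demo` as a non-root user: the first line reports "removed" even though the file itself is read-only, and the second reports "kept" only because the directory is no longer writable. The config fragment is the shape of rule that belongs in /etc/httpd/conf/access.conf; a directory that is granted `AllowOverride` there is the only place a user-created .htaccess has any effect.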