Re: [cobalt-security] Re: Re: SSI Vuln on cobalt

[Paul Jacobs <paul@xxxxxxxxxxxxxxxxxx>]

At 10:48 PM 4/22/2002, you wrote:
> Hi Chris,
>
> > Since they own the directory (and have to, to create files), they can
> > remove any .htaccess file root creates.
>
> Actually: Who owns a directory doesn't affect the file permissions and file
> ownerships of anything within the directory.
>
> How would a user be able to delete the following file?
>
> rw-r--r--   1 root     root         404 Apr 23 07:17 .htacces
>
> Owned by root, permissions set to read only for all but user root and group
> root. The user can view the file, but that's it. If you put the file in the
> /web directory of the virtual site, then the user can't even delete the
> directory and recreate it due to the directory permissions.
>
> Answer: The user *cannot* delete or overwrite this file and that's it. Put in
> the proper options and he can't even use .htaccess files in his self created
> subdirectories, as the toplevel .htaccess always overrides settings of
> .htaccess files in a subdirectory.
>
> FWIW: /etc/httpd/conf/access.conf has lots of interesting comments in there
> and with a little tweaking of the existing rules in there the entire problem
> is solved with ease.

You know I have changed the above file a few times, and some how the RAQ 
allways changes it back from a saved file some where.



> For instance: You can deny usage of any .htaccess files in all directories
> except ithose that you explicitly specify in /etc/httpd/conf/access.conf
>
> --
>
> Mit freundlichen Grüßen / With best regards
>
> Michael Stauber
> mstauber@xxxxxxxxxxxxxx
> Unix/Linux Support Engineer
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security

Paul Jacobs /Senior Network Eng.
Yourwebcentral.com
"Host ANY website "
http://www.yourwebcentral.com
mailto:paul@xxxxxxxxxxxxxxxxxx