Re: [cobalt-security] Re: Re: SSI Vuln on cobalt
- Subject: Re: [cobalt-security] Re: Re: SSI Vuln on cobalt
- From: "Mike Palamar" <mike@xxxxxxxxxx>
- Date: Tue, 23 Apr 2002 09:08:31 -0500
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Would this directive work in the access.conf file:
<Directory /home/sites>
Options IncludesNOEXEC
</Directory>
# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"
# **** Change this to whatever you want ****
AllowOverride All
It doesn't allow people to execute commands via SSI (blocks CGI page
counters too) but it allows sites to include text files for easy site
development.
-Mike
> > > For example, if we create a root-owned .htaccess file, then site admins
> > > can't easily install their own.
> >
> > Since they own the directory (and have to, to create files), they can
> > remove any .htaccess file root creates.
>
> I concede the point that if people are smart enough to know that there's
> an invisible .htaccess file owned by root in their upload directory they
> can delete it.
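
Added example, not part of the original message or of Cobalt's own configuration: when AllowOverride is All or includes Options, a .htaccess file may carry its own Options line, so the IncludesNOEXEC restriction set in access.conf only holds where AllowOverride leaves Options out. The script below flags <Directory> blocks where that is not the case. It assumes AllowOverride sits inside the <Directory> section and checks only explicit AllowOverride lines; the function name, the sample text and /home/locked are constructed for illustration.

```python
import re

# Constructed sample: the block from the message with AllowOverride placed
# inside the <Directory> section (an assumption), plus a hypothetical
# second directory that leaves Options out of AllowOverride.
SAMPLE_CONF = """\
<Directory /home/sites>
Options IncludesNOEXEC
AllowOverride All
</Directory>
<Directory /home/locked>
Options IncludesNOEXEC
AllowOverride AuthConfig Limit
</Directory>
"""

def audit_ssi_override(conf_text):
    """Return (directory, AllowOverride line) for each <Directory> block that
    sets IncludesNOEXEC but lets .htaccess files supply their own Options."""
    findings = []
    path, options, override, override_line = None, [], [], ""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            path, options, override = opened.group(1).strip(), [], []
        elif re.match(r"</Directory\s*>", line, re.I):
            overridable = "all" in override or "options" in override
            if path and "includesnoexec" in options and overridable:
                findings.append((path, override_line))
            path = None
        elif path is not None:
            words = line.split()
            name = words[0].lower()
            args = [w.lower().lstrip("+") for w in words[1:]]
            if name == "options":
                options = args
            elif name == "allowoverride":
                override, override_line = args, line
    return findings

if __name__ == "__main__":
    for directory, setting in audit_ssi_override(SAMPLE_CONF):
        print(f"{directory}: IncludesNOEXEC can be overridden ({setting})")
```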