[cobalt-security] Re: Re: Re: SSI Vuln on cobalt
- Subject: [cobalt-security] Re: Re: Re: SSI Vuln on cobalt
- From: Chris Adams <cmadams@xxxxxxxxxx>
- Date: Tue, 23 Apr 2002 10:09:24 -0500
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Once upon a time, Michael Stauber <cobalt@xxxxxxxxxxxxxx> said:
> > Since they own the directory (and have to, to create files), they can
> > remove any .htaccess file root creates.
>
> Actually: Who owns a directory doesn't affect the file permissions and file
> ownerships of anything within the directory.
Actually, you are wrong. It does affect who can create and remove files
in that directory.
> How would a user be able to delete the following file?
>
> -rw-r--r-- 1 root root 404 Apr 23 07:17 .htaccess
If the user is allowed to create and remove files in that directory
(which you want them to be able to do, or else they can't upload a web
site), they can remove _any_ file in that directory, no matter who owns
the file.
> Owned by root, permissions set to read only for all but user root and group
> root. The user can view the file, but that's it. If you put the file in the
> /web directory of the virtual site, then the user can't even delete the
> directory and recreate it due to the directory permissions.
>
> Answer: The user *cannot* delete or overwrite this file and that's it. Put in
> the proper options and he can't even use .htaccess files in his self created
> subdirectories, as the toplevel .htaccess always overrides settings of
> .htaccess files in a subdirectory.
Hint: try what you are saying. Create a new site, log in as root and
create a .htaccess file, then log in as a site admin and try to delete
it. Then come back here and report the results.
Also, I don't think what you are saying about .htaccess files in
subdirectories is true. The critical directive here is "AllowOverride",
and that is not allowed in a .htaccess file (so you can't take away the
permission to override things in a .htaccess file). I have had sites
where one .htaccess file takes away some access, but one in a
subdirectory gives some access back. It is tricky to configure (and
keep track of), but it can be done.
> FWIW: /etc/httpd/conf/access.conf has lots of interesting comments in there
> and with a little tweaking of the existing rules in there the entire problem
> is solved with ease.
But if you do that, you'll break other things (especially FrontPage).
> For instance: You can deny usage of any .htaccess files in all directories
> except those that you explicitly specify in /etc/httpd/conf/access.conf
I don't think so. You can control what is allowed in a .htaccess file
on a per-directory basis, but not whether .htaccess files are examined
or not. If you want to edit files in /etc/httpd/conf every time you
need to change the settings of a site, then why did you buy a RaQ
anyway?
--
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
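A model of the permission check the thread argues about, added here as an example and not code from the list or from Cobalt: whether a user may unlink a root-owned .htaccess depends only on the directory's bits (write plus search), with the sticky bit as the one caveat that lets a root-owned, group-writable directory keep root's file safe. The uid and gid values are constructed.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    """Minimal model of a file or directory: owner uid, owner gid, mode bits."""
    uid: int
    gid: int
    mode: int


def _access_bits(node: Inode, uid: int, gids: frozenset) -> int:
    """Return the rwx triplet (0-7) that applies to uid under classic Unix rules."""
    if uid == node.uid:
        return (node.mode >> 6) & 0o7
    if node.gid in gids:
        return (node.mode >> 3) & 0o7
    return node.mode & 0o7


def can_unlink(directory: Inode, target: Inode, uid: int, gids: frozenset = frozenset()) -> bool:
    """True if uid may remove `target` from `directory`.

    unlink() never consults the target's own permission bits or owner: the caller
    needs write (0o2) and search (0o1) permission on the directory. The only extra
    rule is the sticky bit (S_ISVTX) on the directory, which restricts removal to
    the file owner, the directory owner, or root. Root bypasses everything.
    """
    if uid == 0:
        return True
    if _access_bits(directory, uid, gids) & 0o3 != 0o3:
        return False
    if directory.mode & stat.S_ISVTX:
        return uid in (target.uid, directory.uid)
    return True


SITE_ADMIN = 1000                                        # constructed uid/gid of the site admin
HTACCESS = Inode(uid=0, gid=0, mode=0o644)               # root-owned -rw-r--r-- .htaccess
SITE_OWNED_WEB = Inode(SITE_ADMIN, SITE_ADMIN, 0o755)    # /web owned by the site admin (the RaQ case)
ROOT_STICKY_WEB = Inode(0, SITE_ADMIN, 0o1775)           # root-owned, group-writable, sticky: the mitigation


def thread_scenarios() -> dict:
    """Evaluate the cases discussed in the thread plus the sticky-bit mitigation."""
    return {
        "site_admin_owns_dir": can_unlink(SITE_OWNED_WEB, HTACCESS, SITE_ADMIN),
        "sticky_but_site_admin_owns_dir": can_unlink(Inode(SITE_ADMIN, SITE_ADMIN, 0o1755), HTACCESS, SITE_ADMIN),
        "root_owned_sticky_group_writable": can_unlink(ROOT_STICKY_WEB, HTACCESS, SITE_ADMIN, frozenset({SITE_ADMIN})),
        "root_owned_not_writable": can_unlink(Inode(0, 0, 0o755), HTACCESS, SITE_ADMIN),
    }
```

Note that the sticky bit alone is not enough: if the site admin owns the directory, as on the RaQ, it still lets them remove root's file; the directory itself has to be root-owned.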