[cobalt-security] Re: Re: Re: SSI Vuln on cobalt
Once upon a time, Michael Stauber <cobalt@xxxxxxxxxxxxxx> said:
> > Since they own the directory (and have to, to create files), they can
> > remove any .htaccess file root creates.
> 
> Actually: Who owns a directory doesn't affect the file permissions and file 
> ownerships of anything within the directory.

Actually, you are wrong.  It does affect who can create and remove files
in that directory.

> How would a user be able to delete the following file?
> 
> rw-r--r--   1 root     root         404 Apr 23 07:17 .htacces

If the user is allowed to create and remove files in that directory
(which you want them to be able to do, or else they can't upload a web
site), they can remove _any_ file in that directory, no matter who owns
the file.

> Owned by root, permissions set to read only for all but user root and group 
> root. The user can view the file, but that's it. If you put the file in the 
> /web directory of the virtual site, then the user can't even delete the 
> directory and recreate it due to the directory permissions.
> 
> Answer: The user *cannot* delete or overwrite this file and that's it. Put in 
> the proper options and he can't even use .htaccess files in his self created 
> subdirectories, as the toplevel .htaccess always overrides settings of 
> .htaccess files in a subdirectory.

Hint: try what you are saying.  Create a new site, log in as root and
create a .htaccess file, then log in as a site admin and try to delete
it.  Then come back here and report the results.

Also, I don't think what you are saying about .htaccess files in
subdirectories is true.  The critical directive here is "AllowOverride",
and that is not allowed in a .htaccess file (so you can't take away the
permission to override things in a .htaccess file).  I have had sites
where one .htaccess file takes away some access, but one in a
subdirectory gives some access back.  It is tricky to configure (and
keep track of), but it can be done.

> FWIW: /etc/httpd/conf/access.conf has lots of interesting comments in there 
> and with a little tweaking of the existing rules in there the entire problem 
> is solved with ease.

But if you do that, you'll break other things (especially FrontPage).

> For instance: You can deny usage of any .htaccess files in all directories 
> except those that you explicitly specify in /etc/httpd/conf/access.conf

I don't think so.  You can control what is allowed in a .htaccess file
on a per-directory basis, but not whether .htaccess files are examined
or not.  If you want to edit files in /etc/httpd/conf every time you
need to change the settings of a site, then why did you buy a RaQ
anyway?

-- 
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
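As an added illustration of the rule Chris describes (this is not code from the thread): a small Python model of the POSIX unlink permission check, run against constructed stat-like values for a site admin's web directory and a root-owned .htaccess. The sticky-bit branch is the one caveat neither poster mentions; it is the only mode bit that makes file ownership matter for deletion.

```python
import os
import stat
from dataclasses import dataclass


@dataclass
class Entry:
    """Minimal stand-in for the os.stat_result fields that matter for unlink."""
    mode: int  # full st_mode: type bits, sticky bit, rwx bits
    uid: int
    gid: int


def _has_perm(e, uid, gids, bit):
    """Classic owner/group/other check for one permission bit (r=4, w=2, x=1)."""
    if uid == e.uid:
        shift = 6
    elif e.gid in gids:
        shift = 3
    else:
        shift = 0
    return bool((e.mode >> shift) & bit)


def can_unlink(dir_entry, file_entry, uid, gids):
    """True if a process running as (uid, gids) may remove file_entry from dir_entry.

    The file's own mode and owner are irrelevant: the caller needs write and
    search (x) permission on the *directory*. Only when the directory carries
    the sticky bit (S_ISVTX) must the caller also own the file or the directory.
    Root bypasses all of it.
    """
    if uid == 0:
        return True
    if not (_has_perm(dir_entry, uid, gids, 2) and _has_perm(dir_entry, uid, gids, 1)):
        return False
    if dir_entry.mode & stat.S_ISVTX:
        return uid in (file_entry.uid, dir_entry.uid)
    return True


def entry_from_path(path):
    """Build an Entry from a real path, for checking a live directory."""
    st = os.stat(path)
    return Entry(st.st_mode, st.st_uid, st.st_gid)


# Constructed sample values (assumed uid/gid numbers, not from any real RaQ).
SITE_ADMIN = 1001
WEB_DIR = Entry(stat.S_IFDIR | 0o755, SITE_ADMIN, SITE_ADMIN)     # drwxr-xr-x admin admin
HTACCESS = Entry(stat.S_IFREG | 0o644, 0, 0)                       # -rw-r--r-- root  root
STICKY_WEB_DIR = Entry(stat.S_IFDIR | 0o1775, 0, SITE_ADMIN)      # drwxrwxr-t root  admin
```

`can_unlink(WEB_DIR, HTACCESS, SITE_ADMIN, {SITE_ADMIN})` is True, which is Chris's point; with `STICKY_WEB_DIR` the same call is False while the admin can still create files there.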