[cobalt-security] Re: Re: Re: Re: SSI Vuln on cobalt
- Subject: [cobalt-security] Re: Re: Re: Re: SSI Vuln on cobalt
- From: Chris Adams <cmadams@xxxxxxxxxx>
- Date: Thu, 25 Apr 2002 05:17:42 -0500
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Once upon a time, Jeff Lasman <jblists@xxxxxxxxxxxxx> said:
> Deleting a file is done by simply writing to another file, in this case
> the file that's logically the directory. If you can write to the
> directory, yes you can delete the file.
Yup.
> BUT... I forgot completely when I made the post that said you could
> protect yourself that way.
>
> Sometimes things that are logical, and correct, are still
> contra-intuitive. So we forget them <frown>.
:-)
> How about the chattr attribute someone mentioned? I just got back from
> Internet World 2000, and I'm too tired to do the lookup now...
chattr is root only I believe. You could also create a directory called
.htaccess (to remove a directory, you must have write permission on both
it _and_ its parent), but I think Apache would barf on that.
However, like I said, I really do think this is a moot point, because I
think that anything you can put in one .htaccess file can be overridden
by a .htaccess file in a subdirectory. You could play a never-ending
game of tag trying to follow a user's subdirectory creation.
--
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
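
An added example, not part of the original message or of any Cobalt tooling: a small audit that applies the rule discussed in the thread (deleting a file depends on the permissions of its directory, not of the file) to every .htaccess under a document root. It goes slightly beyond the thread by also handling the sticky bit; the directory names, the sample tree and the second account's uid are constructed, and ACLs and chattr flags are ignored.

```python
import os, stat, tempfile

def can_unlink(dir_st, file_st, uid, gids=()):
    """Classic Unix mode-bit rule (ignores ACLs and chattr flags):
    may `uid` remove an entry from the directory described by dir_st?"""
    if uid == 0:
        return True                      # root bypasses mode bits
    mode = dir_st.st_mode
    if uid == dir_st.st_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif dir_st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    if mode & need != need:
        return False                     # needs write AND search on the directory
    if mode & stat.S_ISVTX:              # sticky bit: file owner or dir owner only
        return uid in (file_st.st_uid, dir_st.st_uid)
    return True                          # the file's own mode is never consulted

def audit(docroot, uid, gids=()):
    """Map each .htaccess under docroot to whether `uid` could delete it."""
    result = {}
    for d, _dirs, files in os.walk(docroot):
        if ".htaccess" in files:
            path = os.path.join(d, ".htaccess")
            rel = os.path.relpath(path, docroot)
            result[rel] = can_unlink(os.stat(d), os.lstat(path), uid, gids)
    return result

def demo():
    """Constructed tree: read-only .htaccess files in dirs with different modes."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("plain", 0o755), ("open", 0o777), ("sticky", 0o1777)):
            d = os.path.join(root, name)
            os.mkdir(d)
            f = os.path.join(d, ".htaccess")
            with open(f, "w") as fh:
                fh.write("Options -Includes\n")   # constructed sample content
            os.chmod(f, 0o444)           # read-only file
            os.chmod(d, mode)
        owner = os.stat(root).st_uid
        other = owner + 1                # hypothetical second account
        return audit(root, owner), audit(root, other)

if __name__ == "__main__":
    for who, res in zip(("owner", "other"), demo()):
        print(who, res)
```

The owner's view reports every read-only .htaccess as removable, which is the point made in the thread: the 0444 mode on the file itself protects nothing.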