[211] in linux-security and linux-alert archive


httpd problem - summary of replies

daemon@ATHENA.MIT.EDU (Olaf Kirch)
Mon Apr 17 16:00:34 1995

From: okir@monad.swb.de (Olaf Kirch)
To: linux-security@tarsier.cv.nrao.edu
Date: Mon, 17 Apr 1995 20:15:50 +0200 (MET DST)

Hello,

Yesterday's post referring to the httpd problem prompted about half a dozen
replies pointing out that this hole is basically a configuration
problem.  Instead of posting all of them, I think it might be better to
summarize them. Any errors or omissions in this posting are my fault, not
those of the original posters, who were:

	Leonard N. Zubkoff <lnz@dandelion.com>
	Avery Pennarun <apenwarr@tourism.807-city.on.ca>
	Jon Lewis <jlewis@inorganic5.chem.ufl.edu>
	Mr Martin J Hargreaves <ch11mh@surrey.ac.uk>
	Perry F Nguyen <pfnguyen@viet.viet.com>
	Peter Drier <drierp2@petee.stu.rpi.edu>
	shields@tembel.org (Michael Shields)
	Darren Reed <avalon@coombs.anu.edu.au>

By default, CERN httpd changes its uid and gid to nobody/nogroup after
setting up the TCP port, so it's impossible to access files you're not
supposed to. uid and gid can be set explicitly in the httpd.conf file using
the UserId and GroupId attributes.

Almost exactly the same applies to NCSA httpd. If you use the configuration
files distributed with the source, it will also run as user nobody, group
-1. These values can be changed by setting the User and Group attributes in
httpd.conf.

With this setup, malicious users on your system could still create a
symlink to let anyone access world-readable files on your system
(although it's a clumsy way of making data available to the outside
world).  Jon Lewis (jlewis@inorganic5.chem.ufl.edu) pointed out that
NCSA lets you plug this hole by specifying this in your access.conf
file:

# Options lists only Indexes; FollowSymLinks is deliberately absent, so
# httpd will refuse to follow symbolic links anywhere under /home.
<Directory /home>
Options Indexes
</Directory>

Darren Reed pointed to a paper (draft?) he wrote about httpd and security;
it can be gotten from http://www.arbld.unimelb.edu.au/~darrenr/httpd.ps.

Regards
Olaf
-- 
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
