[1094] in WWW Security List Archive
Re: Unix links subverting Web security
daemon@ATHENA.MIT.EDU (Rick Smith)
Fri Oct 27 20:53:52 1995
Date: Fri, 27 Oct 1995 16:59:03 -0500
From: Rick Smith <smith@sctc.com>
To: www-security@ns2.rutgers.edu
Cc: smith@sctc.com
Errors-To: owner-www-security@ns2.rutgers.edu
David Miller <isdmill@gatekeeper.ddp.state.me.us> writes:
>There are two issues here. One is whether you trust your users in some
>fashion not to do stupid|dangerous things. For example, there's not much
>difference between creating a link like this and posting the passwd file
>to alt.test or alt.2600.
In a technical sense the acts may be equivalent, but they require a
different sequence of actions. Security depends on people not doing
obviously bad things. Good security also makes it difficult to do
things where accidents or carelessness lead to disaster.
Goofing up with web links could happen accidentally. The specific case
of linking /etc/passwd to one's web page seems unlikely to happen
accidentally, but there may be other sensitive files that become
accidentally visible through a link under a public_html directory.
Our web server (hosted on a Sidewinder) allows people to link personal
files in to personal web pages using public_html. We then use Type
Enforcement, a separate security mechanism, to block access to files
by the web server, except for types of files it explicitly should be
able to read. If a user accidentally inserts a link to a security
critical file, the web server's access to the file will be blocked.
This is even true if the web server gets overrun (i.e. using a variant
of the NCSA httpd overrun attack) since the Type Enforcement access
restrictions are applied even to "root" accesses.
>After users, the server is an issue. Within Unix a "chroot" can be done
>so that links like you created go nowhere because root is really
>/var/www. ...
>Most of the servers can be set up this way. In fact, other daemons like
>FTP have been running chrooted for years.
It probably depends on the version of Unix you use. One of the people
here showed me three examples of ways to break out of chroot. It's not
the same as using an access control mechanism designed from scratch to
isolate processes and associated data from one another. This is where
the old Orange Book multilevel security concepts are starting to creep
into commercial computer security requirements.
Rick.
smith@sctc.com secure computing corporation
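The accidental-exposure case the message describes (a symlink under a user's public_html that resolves to a file outside the area the web server should serve) can be audited from the administrator's side before the server ever follows the link. The script below is an added example and not code from the mail or from any of the systems it mentions; it constructs a throwaway sample tree (a hypothetical user "alice" with a private directory, and a constructed `etc/passwd` stand-in outside her home) and reports every symlink in her public_html whose real target lies outside her home directory.

```python
import os
import tempfile


def find_escaping_links(public_html, allowed_root):
    """Return (link, resolved_target) pairs for symlinks under public_html
    whose real target lies outside allowed_root (e.g. the user's home)."""
    allowed_root = os.path.realpath(allowed_root)
    findings = []
    # followlinks=False: symlinked directories are listed but never descended,
    # so a link to "/" cannot make the audit itself wander off.
    for dirpath, dirnames, filenames in os.walk(public_html, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # resolves every hop of the chain
            try:
                # commonpath avoids the "/home/alice" vs "/home/alice2" prefix trap
                inside = os.path.commonpath([allowed_root, target]) == allowed_root
            except ValueError:
                inside = False  # no common prefix at all (different drives)
            if not inside:
                findings.append((os.path.relpath(path, public_html), target))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample layout (hypothetical paths, not from the mail):
    base/home/alice/{public_html,private} and a fake base/etc/passwd."""
    home = os.path.join(base, "home", "alice")
    public_html = os.path.join(home, "public_html")
    private = os.path.join(home, "private")
    fake_etc = os.path.join(base, "etc")
    for d in (public_html, private, fake_etc):
        os.makedirs(d)
    with open(os.path.join(public_html, "index.html"), "w") as f:
        f.write("<h1>hello</h1>\n")
    with open(os.path.join(private, "notes.txt"), "w") as f:
        f.write("draft notes\n")
    with open(os.path.join(fake_etc, "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed sample content

    # Link that stays inside alice's home: acceptable.
    os.symlink(os.path.join("..", "private", "notes.txt"),
               os.path.join(public_html, "notes.txt"))
    # Links that escape the home directory: the accident the mail warns about.
    os.symlink(os.path.join(fake_etc, "passwd"),
               os.path.join(public_html, "passwd"))
    os.symlink(fake_etc, os.path.join(public_html, "etc"))
    return home, public_html


def demo():
    """Build the sample tree in a temp dir and return the escaping links found."""
    with tempfile.TemporaryDirectory() as base:
        home, public_html = build_sample_tree(base)
        return find_escaping_links(public_html, allowed_root=home)


if __name__ == "__main__":
    for link, target in demo():
        print(f"public_html/{link} -> {target}  (outside user's home)")
```

The check is deliberately about where a link resolves, not about the filename, because the mail's point is that /etc/passwd is the obvious case while "other sensitive files" are the realistic one; run it per user over every public_html, and treat a hit as something to review rather than something to serve.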