[3578] in WWW Security List Archive
No subject found in mail header
daemon@ATHENA.MIT.EDU (Harris Demel)
Mon Nov 18 21:51:24 1996
Date: Mon, 18 Nov 1996 16:35:41 -0700
From: Harris Demel <HARRIS@novell.com>
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
All -
I wanted to bounce an interesting / risky situation off of a group of
intelligent people...
A user has requested a mechanism which blocks all users from a local
URL, but allows some specific users to access it. She also requested
that she have control over the access list. She preferred that the set of
users allowed to access the area not be required to enter a password.
I've created a script which enables her to effectively modify an
'.htaccess' file in the directory which houses her sensitive files. The
htaccess file denies all, but allows specific machines access (determined
by IP address). This required me to set the owner of the htaccess file the
same as the httpd daemon and open up permissions.
The obvious threat is that anyone could run the cgi script and edit the
htaccess file in that directory, but for that reason, I've htaccess'ed the cgi
script.
This solution allows easy access list administration, and the users can
easily access the URL without entering a password.
The question I have is: what are the security risks here?
Notes:
- This URL is for our Intranet only
- The home directory for the web server ID is /dev/null
- The default shell for the web server process is /bin/false
Productive feedback / suggestions would be appreciated.
TIA,
- Harris Demel
Novell, Inc. InnerWeb Webmaster
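The deny-all / allow-by-IP file and the script that rewrites it, as an added example that is not part of the original post: a Python generator that accepts only validated IPv4 addresses (so a form value cannot smuggle an extra `allow from all` line into the file) and replaces `.htaccess` atomically. The directory path and the sample allow list are constructed for illustration.

```python
import ipaddress
import os
import tempfile

# Constructed sample: the allow list as the CGI would receive it from the form.
# The middle two entries are inputs the generator must reject: an Apache
# directive smuggled in through a newline, and a hostname instead of an address.
SAMPLE_INPUT = ["10.1.2.3", "10.1.2.4\nallow from all", "not-an-ip", "10.1.2.3"]


def parse_allow_list(entries):
    """Return (valid IPv4 addresses without duplicates, rejected raw entries).

    Only a value that parses as a bare IPv4 address ever reaches the file,
    so the CGI cannot be used to write arbitrary directives into .htaccess.
    """
    allowed = []
    rejected = []
    for raw in entries:
        try:
            # IPv4Address raises on embedded whitespace, newlines and hostnames
            addr = str(ipaddress.IPv4Address(raw.strip()))
        except ValueError:
            rejected.append(raw)
            continue
        if addr not in allowed:
            allowed.append(addr)
    return allowed, rejected


def render_htaccess(allowed):
    """Build the deny-all, allow-by-IP file in Apache 1.x / 2.2 mod_access syntax."""
    lines = ["order deny,allow", "deny from all"]
    lines += ["allow from %s" % ip for ip in allowed]
    return "\n".join(lines) + "\n"


def write_htaccess(directory, allowed):
    """Write to a temp file and rename, so a crash never leaves a truncated file.

    A partially written .htaccess could be missing its 'deny from all' line
    and silently open the directory to everyone. Returns the final path.
    """
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".htaccess.")
    with os.fdopen(fd, "w") as fh:
        fh.write(render_htaccess(allowed))
    os.chmod(tmp, 0o640)  # readable by the httpd user and its group only
    final = os.path.join(directory, ".htaccess")
    os.replace(tmp, final)
    return final
```

Note that `allow from` identifies a machine, not the person sitting at it, which is the trade-off the post accepts by dropping passwords.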