[3583] in WWW Security List Archive
Re: your mail
daemon@ATHENA.MIT.EDU (Michael Brennen)
Tue Nov 19 16:56:14 1996
Date: Tue, 19 Nov 1996 08:44:26 -0600 (CST)
From: Michael Brennen <mbrennen@fni.com>
To: Harris Demel <HARRIS@novell.com>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <s29090a1.057@novell.com>
Errors-To: owner-www-security@ns2.rutgers.edu
On Mon, 18 Nov 1996, Harris Demel wrote:
> A user has requested a mechanism which blocks all users from a local
> URL, but allows some specific users to access it. She also requested
> that she have control over the access list. She preferred that the set of
> users allowed to access the area not be required to enter a password.
Sounds to me like she wants control over something she doesn't understand.
> I've created a script which enables her to effectively modify an
> '.htaccess' file in the directory which houses her sensitive files. The
> htaccess file denies all, but allows specific machines access (determined
> by IP address). This required me to set the owner of the htaccess file the
> same as the httpd daemon and open up permissions.
>
> The obvious threat is that anyone could run the cgi script and edit the
> htaccess file in that directory, but for that reason, I've htaccess'ed the cgi
> script.
>
> This solution allows easy access list administration, and the users can
> easily access the URL without entering a password.
>
> The question I have is what are the security risks here?
What do you have to lose?
Can someone internally spoof the IP address of a trusted machine? Why
not? Is physical access to the trusted machines controlled? How will you
know if an unauthorized access is made?
In an environment of mutual trust (and the implicit threat of action if
broken) and relatively little to lose this might work. In this
environment you had better be ready to face compromised security, because
if there is anything there worth getting, you don't have enough control in
place to either stop it or trace it when it happens.
Just make sure you inform this user, as well as your and her superiors, in
writing about the risks of doing this. If she wants control of the
monkey, make sure it is on her back.
-- Michael
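The reply's last question, how you would know an unauthorized access was made, is the one the IP-based scheme leaves open. The script below is an added example, not code from either poster: it reads the `allow from` hosts out of an .htaccess in the shape Harris describes and then audits constructed common-log lines for two things, successful reads of the protected area from a host that is not on the list (a sign the deny/allow rules are not doing what was intended) and every call to the CGI that rewrites the list. The directory `/private/`, the CGI path `/cgi-bin/edit-htaccess` and the 192.0.2.x addresses are placeholders; a listed host that has been spoofed looks identical to a genuine one in the log, which is exactly the gap the reply points at.

```python
import re

# Constructed sample .htaccess matching the post's description (placeholder IPs).
HTACCESS = """\
order deny,allow
deny from all
allow from 192.0.2.10 192.0.2.11
"""

# Constructed NCSA/Apache common-log lines; paths are placeholders, not from the thread.
LOG_LINES = [
    '192.0.2.10 - - [19/Nov/1996:08:44:26 -0600] "GET /private/report.html HTTP/1.0" 200 1234',
    '192.0.2.99 - - [19/Nov/1996:08:45:01 -0600] "GET /private/report.html HTTP/1.0" 403 210',
    '192.0.2.99 - - [19/Nov/1996:08:46:10 -0600] "GET /private/report.html HTTP/1.0" 200 1234',
    '192.0.2.11 - - [19/Nov/1996:08:47:33 -0600] "POST /cgi-bin/edit-htaccess HTTP/1.0" 200 88',
]

# client, timestamp, method, path, status from a common-log-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def allowed_hosts(htaccess):
    """Collect every host named on an 'allow from' line (case-insensitive keywords)."""
    hosts = set()
    for line in htaccess.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].lower() == "allow" and parts[1].lower() == "from":
            hosts.update(parts[2:])
    return hosts


def audit(log_lines, htaccess, protected_prefix="/private/", admin_cgi="/cgi-bin/edit-htaccess"):
    """Return (kind, client, timestamp, path) findings:
    'unlisted-host-read'  - a 200 response for the protected area to a host not on the list;
    'acl-edit'            - any invocation of the CGI that rewrites the access list.
    A spoofed listed host produces no finding; the log cannot tell it apart."""
    allowed = allowed_hosts(htaccess)
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        client, when, method, path, status = m.groups()
        if path.startswith(protected_prefix) and status == "200" and client not in allowed:
            findings.append(("unlisted-host-read", client, when, path))
        if path == admin_cgi:
            findings.append(("acl-edit", client, when, path))
    return findings


if __name__ == "__main__":
    for finding in audit(LOG_LINES, HTACCESS):
        print(*finding)
```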