[3584] in WWW Security List Archive
Re: your mail
daemon@ATHENA.MIT.EDU (Adam Shostack)
Tue Nov 19 16:59:48 1996
From: Adam Shostack <adam@homeport.org>
In-Reply-To: <s29090a1.057@novell.com> from Harris Demel at "Nov 18, 96 04:35:41 pm"
To: HARRIS@novell.com (Harris Demel)
Date: Tue, 19 Nov 1996 12:36:50 -0500 (EST)
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Is IP security enough? IP is easily spoofable. What happens if the
user/your script makes a mistake in .htaccess? Does your server fail
safe?
The questions really boil down to the sensitivity of the data. My
usual rule of thumb is, if you don't want everyone to see it, require
access control & encrypion. IP security is really not strong at all,
and anyone on the net who cares to look can probably get your data.
(Modulo whatever firewalls Novell has to protect its internal nets.)
Adam
Harris Demel wrote:
| All -
|
| I wanted to bounce an interesting / risky situation off of a group of
| intelligent people...
|
| A user has requested a mechanism which blocks all users from a local
| URL, but allows some specific users to access it. She also requested
| that she have control over the access list. She preferred that the set of
| users allowed access the area not be required to enter a password.
|
| I've created a script which enables her to effectively modify an
| '.htaccess' file in the directory which houses her sensitive files. The
| htaccess file denies all, but allows specific machines access (determined
| by IP address). This required me to set the owner of the htaccess file the
| same as the httpd daemon and open up permissions.
|
| The obvious threat is that anyone could run the cgi script and edit the
| htaccess file in that directory, but for that reason, I've htaccess'ed the cgi
| script.
|
| This solution allows easy access list administration, and the users can
| easily access the URL without entering a password.
|
| The question I have is what are the security risks here?
|
| Notes:
| - This URL is for our Intranet only
| - The home directory for the web server ID is /dev/null
| - The default shell for the web server process is /bin/false
|
| Productive feedback / suggestions would be appreciated.
|
| TIA,
|
| - Harris Demel
| Novell, Inc. InnerWeb Webmaster
|
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
