[2157] in NetBSD-Development

Re: lots of mail generated by master.passwd file

daemon@ATHENA.MIT.EDU (John Hawkinson)
Sat Dec 1 13:56:56 2001

Date: Sat, 1 Dec 2001 13:48:53 -0500
From: John Hawkinson <jhawk@MIT.EDU>
To: Angie Kelic <sly@MIT.EDU>
Cc: netbsd-dev@MIT.EDU, security-internal@MIT.EDU, webmaster@MIT.EDU,
        web-request@MIT.EDU
Message-ID: <20011201134853.G14106@multics.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200112011831.NAA11270@cutter-john.mit.edu>

Angie Kelic <sly@MIT.EDU> wrote on Sat,  1 Dec 2001
at 13:31:03 -0500 in <200112011831.NAA11270@cutter-john.mit.edu>:

> The lists net-security, webmaster, and web-request (and likely others)
> have all been receiving large quantities of mail of the form listed
> below, due to a search command that was posted on bugtraq that turns
> up the master.passwd file
> 
> http://www.mit.edu/afs/sipb/system/config/passwd/i386_nbsd1/master.passwd
> 
> Can someone either put a note in big letters in the file telling people
> it's not a security risk or acl it so that every person that reads
> bugtraq and bothers to try these things or gets a forward stops sending
> us mail?

I've added .htaccess{,.mit} files to prevent this from being so annoying:

--- /dev/null	Sat Dec  1 13:44:47 2001
+++ .htaccess	Sat Dec  1 13:40:07 2001
@@ -0,0 +1,6 @@
+<Files master.passwd>
+  ErrorDocument 403 "403 Forbidden. Sorry, we got too much junk mail from people complaining that this was a security hole (it's not).
+  <Limit GET>
+    Deny from all
+  </Limit>
+</Files>
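Review bot: the `<Limit GET>` wrapper (lines 3-5 of the hunk) narrows the denial to GET (and HEAD, which Apache folds into GET), so any other method that can retrieve the file is not covered; since the aim is to block every retrieval, put `Deny from all` directly inside `<Files master.passwd>` and drop the `<Limit>` block. The `Deny from all` without an `Order` line relies on Apache's default `Order deny,allow`, which does work here, but stating `Order deny,allow` explicitly makes the intent obvious to the next reader. The `ErrorDocument 403 "..."` form with an opening quote and no closing quote is the Apache 1.3 message syntax; if this file is ever served by Apache 2.2 or later, the message string needs a closing double quote as well.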
--- /dev/null	Sat Dec  1 13:44:47 2001
+++ .htaccess.mit	Sat Dec  1 13:42:53 2001
@@ -0,0 +1,5 @@
+<Files master.passwd>
+  <Limit GET>
+     Require valid-user
+  </Limit>
+</Files>
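Review bot: `Require valid-user` (line 3 of the hunk) only has effect when an `AuthType`, `AuthName` and an authentication source are in scope for this directory; nothing in this file sets them, so the rule silently depends on the server-side configuration that handles `.htaccess.mit`, and that dependency should be stated in a comment. The same `<Limit GET>` caveat applies as for `.htaccess`: only GET/HEAD are gated, so moving `Require valid-user` directly under `<Files master.passwd>` without the `<Limit>` block covers all methods.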


Hey, web-request: it doesn't matter, but is there some reason why
"Deny from all" doesn't work in .htaccess.mit files? Is there some
other way to get the same effect? (similar question for ErrorDocument).

--jhawk