[1514] in bugtraq


Re: HTTPD bug

daemon@ATHENA.MIT.EDU (carson@lehman.com)
Mon Apr 17 19:33:08 1995

From: carson@lehman.com
Date: Mon, 17 Apr 1995 13:18:08 -0400
To: Mr Martin J Hargreaves <ch11mh@surrey.ac.uk>
Cc: Mr Pink <vince@dallas.demon.co.uk>, linux-security@tarsier.cv.nrao.edu,
        bugtraq@fc.net
In-Reply-To: <Pine.HPP.3.90.950416151608.29632B-100000@central.surrey.ac.uk>
Reply-To: carson@lehman.com

>>>>> "Martin" == Martin J Hargreaves <ch11mh@surrey.ac.uk> writes:

Martin> I don't think this has been brought up on bugtraq yet; if it
Martin> has, sorry. This is from Linux-security, posted by "Mr Pink"
Martin> (vince@dallas.demon.co.uk); apologies to Mr. Pink for my instant
Martin> repost.

Martin> On Sun, 16 Apr 1995, Mr Pink wrote:

>> It allows you to create a directory in a user's home dir that can be
>> accessed via Mosaic/Netscape.  Well, the bad bit of news is, if you
>> symlink this dir to root (/), file ownership becomes nonexistent.
>> 
>> I was easily able to read the shadow passwd file!

The easy fix is to run the daemon as nobody (which is what I do).
chroot'ing will also take care of this sort of problem.

--
Carson Gaspar -- carson@cs.columbia.edu carson@lehman.com
<This is the boring business .sig - no outre sayings here>
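
Added example (not part of the original message, and not code from any httpd): a Python illustration of a check a server can make against the symlink problem quoted above, resolving each request and refusing anything that lands outside the user's web directory, plus an audit helper that lists such links. The directory layout, file names and function names are constructed for illustration.

```python
import os
import tempfile


def resolve_inside(web_root, request_path):
    """Return the resolved path if it stays under web_root, else None."""
    root = os.path.realpath(web_root)
    # realpath follows every symlink, so a link to / resolves to its real target.
    candidate = os.path.realpath(os.path.join(root, request_path.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def escaping_symlinks(web_root):
    """Audit helper: (link, target) for symlinks that resolve outside web_root."""
    root = os.path.realpath(web_root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([root, target]) != root:
                    found.append((path, target))
    return sorted(found)


def build_constructed_layout():
    """Constructed sample tree; 'base' stands in for the filesystem root."""
    base = tempfile.mkdtemp(prefix="httpd-demo-")
    web = os.path.join(base, "home", "user", "web")  # hypothetical web dir
    os.makedirs(web)
    os.makedirs(os.path.join(base, "etc"))
    with open(os.path.join(web, "index.html"), "w") as fh:
        fh.write("hello\n")
    with open(os.path.join(base, "etc", "shadow"), "w") as fh:
        fh.write("constructed placeholder, not a real shadow file\n")
    os.symlink(base, os.path.join(web, "root"))  # the link described above
    return base, web


if __name__ == "__main__":
    base, web = build_constructed_layout()
    for req in ("index.html", "root/etc/shadow", "../../etc/shadow"):
        print(req, "->", resolve_inside(web, req))
    print("escaping links:", escaping_symlinks(web))
```

The check and the later open() are separate steps, so a link swapped in between the two can still slip through; running the daemon as an unprivileged user or inside a chroot, as the reply suggests, is what bounds the damage in that case.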
