[1519] in bugtraq
Re: HTTPD bug
daemon@ATHENA.MIT.EDU (Mr Martin J Hargreaves)
Tue Apr 18 14:51:22 1995
Date: Mon, 17 Apr 1995 14:58:42 +0100 (BST)
From: Mr Martin J Hargreaves <ch11mh@surrey.ac.uk>
To: Baba Z Buehler <baba@beckman.uiuc.edu>
Cc: bugtraq@fc.net
In-Reply-To: <199504171325.AA04134@flowbee.beckman.uiuc.edu>
On Mon, 17 Apr 1995, Baba Z Buehler wrote:
>
> the httpd process will read files with the permissions of the user it is
> running as. if you run your httpd as root, then you've got a problem.
So it's OK for the rest of the net to read any files a
non-privileged user can read?
> run httpd as user 'nobody' or some such, and you won't have this problem.
Except in the scenario Mr Pink described: if they had not had shadow
passwords but /etc/passwd mode 644, then of course 'nobody' _could_ read
that, as well as every other file on the system that is world-readable.
Unfortunately, just running as 'nobody' is not enough; you have to
either disallow the following of symlinks in user directories (which is a
good idea anyway), choose which users can have symlinks and have a more
complex access list (this is NCSA httpd, I don't know about the CERN
version), or lastly just allow any user to give the network read access
to your system (this may be an option for those in a secure environment or who
trust all the users on the system).
Regards,
Martin.
----------------------------------------------------------------
| Martin Hargreaves, ch11mh@surrey.ac.uk|
| Undergraduate Computational Chemist |
| WWW Server Admin http://www.chem.surrey.ac.uk|
----------------------------------------------------------------
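As an added illustration (not part of Martin's message, nor NCSA httpd's own code), a short Python audit that walks a user's web directory and lists every symlink whose target escapes it, i.e. the links that would let an httpd running as 'nobody' serve any world-readable file. The public_html layout, file names and tempdir are constructed sample data.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(web_root):
    """Return [(link, resolved_target)] for every symlink under web_root
    whose target lies outside web_root itself.

    Any such link lets the httpd serve the target with its own uid's
    permissions: running as 'nobody' still exposes every world-readable
    file, /etc/passwd included when it is mode 644."""
    root = Path(web_root).resolve()
    findings = []
    # followlinks=False (the default): linked directories are listed in
    # dirnames but never descended, so we inspect them without traversing.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = link.resolve()  # follows the full chain; dangling is ok
            if target != root and root not in target.parents:
                findings.append((str(link), str(target)))
    return findings


def demo():
    """Build a constructed public_html tree, audit it, and return the
    names of the offending links (sample data, hypothetical layout)."""
    base = Path(tempfile.mkdtemp())          # stands in for a home directory
    pub = base / "public_html"
    (pub / "img").mkdir(parents=True)
    (pub / "index.html").write_text("<h1>hello</h1>\n")
    (base / "private.txt").write_text("not meant for the web\n")
    # Harmless: stays inside the served tree.
    os.symlink(pub / "index.html", pub / "home.html")
    # Escapes: reaches a file outside public_html.
    os.symlink(base / "private.txt", pub / "img" / "leak.txt")
    # Escapes: exposes the whole home directory to the network.
    os.symlink(base, pub / "all")
    return sorted(Path(link).name for link, _ in find_escaping_symlinks(pub))


if __name__ == "__main__":
    print(demo())  # ['all', 'leak.txt']
```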