[1528] in bugtraq


Re: HTTPD bug

daemon@ATHENA.MIT.EDU (Joe Konczal)
Tue Apr 18 19:18:14 1995

Date: Tue, 18 Apr 1995 16:49:53 -0400
From: Joe Konczal <jkonczal@nist.gov>
To: ch11mh@surrey.ac.uk
Cc: baba@beckman.uiuc.edu, bugtraq@fc.net
In-Reply-To: <Pine.HPP.3.90.950417144953.9106B-100000@central.surrey.ac.uk> (message from Mr Martin J Hargreaves on Mon, 17 Apr 1995 14:58:42 +0100 (BST))

Martin J Hargreaves <ch11mh@surrey.ac.uk> writes:

> 	Unfortunately just running as 'nobody' is not enough, you have
> to either disallow the following of symlinks in user
> directories (which is a good idea anyway), choose which users
> can have symlinks and have a more complex access list (this is
> NCSA httpd, I don't know about the CERN version), or lastly
> just allow any user to give the network read access to your
> system (may be option for those in a secure environment or who
> trust all the users on the system).

Aren't there plenty of other ways an untrusted user could distribute
"other" readable files, like e-mail, news, a reference in his home
page to another httpd on a high numbered port, printouts stapled to
telephone poles, etc.?  Would you sleep better at night knowing that
your untrusted users might be distributing your password file or any
other files they can read without making the httpd follow symbolic
links?

-- 
Joseph C. Konczal  <konczal@csmes.ncsl.nist.gov>
National Institute of Standards and Technology
Tech. A62, Gaithersburg, MD  20899  USA
(301) 975-3285

NIST Computer Security Resource Clearinghouse - http://csrc.ncsl.nist.gov
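As an added example, not part of the original thread, here is a small Python audit of a user's web directory for the symlinks the quoted server options (not following symlinks, or following them only when the owner matches) are meant to neutralize. The directory layout, file names and the "alice" user are constructed for the demo.

```python
"""Audit a per-user web directory for symlinks that would let an httpd serve
files from outside it.  Added example; the tree it inspects is constructed."""
import os
import tempfile
from pathlib import Path


def audit_symlinks(webdir):
    """Return a list of (link, target, reason) for risky symlinks under webdir.

    Two policies are modelled, matching the mitigations the thread mentions:
    (1) a link whose resolved target lies outside webdir, which a
    'do not follow symlinks' setting prevents, and (2) a link whose target is
    owned by a different uid than the link, which an owner-match rule prevents.
    """
    root = Path(webdir).resolve()
    findings = []
    # os.walk does not descend into symlinked directories by default,
    # so a link to a directory is reported once and not traversed.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = link.resolve()          # non-strict: dangling links ok
            reasons = []
            if target != root and root not in target.parents:
                reasons.append("target outside web directory")
            try:
                if os.lstat(link).st_uid != os.stat(target).st_uid:
                    reasons.append("target owned by a different user")
            except FileNotFoundError:
                reasons.append("dangling link")
            for reason in reasons:
                findings.append((str(link.relative_to(root)), str(target), reason))
    return findings


def build_demo_tree():
    """Construct a sample tree (demo data, not a real system): a user's
    public_html with one harmless link and one link escaping outside it."""
    base = Path(tempfile.mkdtemp())
    (base / "outside_secret").write_text("not for the web\n")
    web = base / "home" / "alice" / "public_html"
    web.mkdir(parents=True)
    (web / "index.html").write_text("<h1>hi</h1>\n")
    os.symlink("index.html", web / "ok")                 # stays inside
    os.symlink("../../../outside_secret", web / "leak")  # escapes to base/
    return web


if __name__ == "__main__":
    for link, target, reason in audit_symlinks(build_demo_tree()):
        print(f"{link} -> {target}: {reason}")
```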
