

httpd symlinks, was Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995

daemon@ATHENA.MIT.EDU (Martin Hargreaves)
Mon Sep 4 14:54:40 1995

Date:         Sat, 2 Sep 1995 14:37:17 +0100
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Martin Hargreaves <martinh@paston.co.uk>
X-To:         Bugtraq List <BUGTRAQ@CRIMELAB.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>

Panzer (panzer@dhp.com) wrote:

>OB BugTraq, does a user making a "~/public_html/root_dir -> /" link do
>what you think it does on your web server?  Maybe this isn't a hot
>idea...  Even worse if you nfs mount users pages via a web server that
>does other tasks also...

I think this list went over this problem a few months ago, the
consensus being that if you don't trust your users then this is one of many
ways that they can compromise your system. I believe that with NCSA httpd
(at least on 1.3) you need

<Directory /*/public_html*>
AllowOverride None
Options Indexes FollowSymLinks
</Directory>

for the problem to work. Of course, if you run httpd as root you are in
serious trouble by this time, as you have given away at least your shadow
password file...

>Try adding this to "access.conf" on apache 0.8.11 or ncsa 1.4 (not sure
>about how CERN handles this).  "SymLinksIfOwnerMatch" is only vaguely
>documented.
>
><Directory /*/public_html*>
>AllowOverride None
>Options Indexes SymLinksIfOwnerMatch
></Directory>

I haven't seen apache or versions of NCSA httpd higher than 1.3 so I don't
know about SymLinksIfOwnerMatch. The fix last time we did this was to not
include FollowSymLinks. There is apparently an analogous directive for the
CERN httpd.

        Regards,

                Martin.
########################################################################
#  Martin Hargreaves                Contract Unix System Administrator #
# (martinh@paston.co.uk)                  Unix & Network Security, WWW #
#                                              Computational Chemistry #
########################################################################
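The three Options settings discussed in this thread differ only in what the server does when a component of the requested path is a symbolic link. The following is an added example, not code from the thread or from NCSA or Apache httpd: it walks a request path below a public_html docroot one component at a time and applies the policy the way the directives are described above (refuse the link, follow it, or follow it only when link and target have the same owner). The names check_request, SymlinkPolicy and demo, the injectable lstat_fn/stat_fn parameters and the temp-directory fixture are this example's own assumptions.

```python
"""Per-component symlink policy check for a user's public_html tree.

Added example, not code from the original thread or from NCSA/Apache httpd.
It imitates the effect of the Options values discussed in the thread:
  - None                  refuse any symlink in the request path
  - FollowSymLinks        follow every symlink (lets ~/public_html/root_dir -> / work)
  - SymLinksIfOwnerMatch  follow a symlink only if its owner is also the
                          owner of the object it points at
All names here (check_request, SymlinkPolicy, demo) are this example's own.
"""
import os
import stat
import tempfile
from enum import Enum


class SymlinkPolicy(Enum):
    NONE = "None"
    FOLLOW = "FollowSymLinks"
    OWNER_MATCH = "SymLinksIfOwnerMatch"


def check_request(docroot, rel_path, policy, lstat_fn=os.lstat, stat_fn=os.stat):
    """Return (allowed, reason) for serving docroot/rel_path under policy.

    Each component below docroot is lstat'ed in turn, so a symlink anywhere
    in the path is seen, not just at the leaf. '..' is rejected outright so
    the walk itself cannot climb out of docroot. lstat_fn/stat_fn are
    injectable so the ownership rule can be exercised without needing files
    owned by another user.
    """
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if ".." in parts:
        return False, "parent reference in request path"
    current = docroot
    for part in parts:
        current = os.path.join(current, part)
        try:
            st = lstat_fn(current)
        except OSError as exc:
            return False, f"{current}: {exc.strerror or exc}"
        if not stat.S_ISLNK(st.st_mode):
            continue  # ordinary file or directory, nothing to decide
        if policy is SymlinkPolicy.NONE:
            return False, f"{current}: symlink refused (Options without FollowSymLinks)"
        if policy is SymlinkPolicy.FOLLOW:
            continue  # follow blindly: this is the dangerous setting
        # SymLinksIfOwnerMatch: owner of the link must equal owner of the target.
        try:
            target_st = stat_fn(current)
        except OSError:
            return False, f"{current}: dangling symlink"
        if st.st_uid != target_st.st_uid:
            return False, (f"{current}: link owner uid {st.st_uid} != "
                           f"target owner uid {target_st.st_uid}")
    return True, current


def demo():
    """Build a constructed public_html fixture in a temp dir and evaluate each policy.

    The fixture mirrors the case from the thread: a normal page plus a link
    'root_dir' pointing at a directory outside the docroot. Returns a dict of
    request -> allowed for each setting. Because the same uid creates both the
    link and its target here, SymLinksIfOwnerMatch still permits it: that
    directive only stops links to files owned by somebody else.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        outside = os.path.join(tmp, "outside")
        os.mkdir(outside)
        with open(os.path.join(outside, "secret.txt"), "w") as f:
            f.write("not meant for the web\n")
        docroot = os.path.join(tmp, "public_html")
        os.mkdir(docroot)
        with open(os.path.join(docroot, "index.html"), "w") as f:
            f.write("<h1>hello</h1>\n")
        os.symlink(outside, os.path.join(docroot, "root_dir"))

        for policy in SymlinkPolicy:
            allowed, _ = check_request(docroot, "root_dir/secret.txt", policy)
            results[policy.value] = allowed
        results["plain"] = check_request(docroot, "index.html", SymlinkPolicy.NONE)[0]
        results["dotdot"] = check_request(docroot, "../outside/secret.txt", SymlinkPolicy.FOLLOW)[0]
    return results


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request:22} -> {'served' if allowed else 'refused'}")
```

Run as-is, the demo serves root_dir/secret.txt under FollowSymLinks and under SymLinksIfOwnerMatch (same owner for link and target), and refuses it only with neither option set, which is the fix Martin describes. A link a user makes to a root-owned file such as the shadow password file fails the owner comparison, which is what SymLinksIfOwnerMatch buys you over FollowSymLinks; it still does nothing for the case where the server process itself has the privilege to read the target and the link points at the user's own files.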
