In some mail from Mr Martin J Hargreaves, they said:
>
>
> I don't think this has been brought up on bugtraq yet, if it has
> sorry. This is from Linux-security, posted by "Mr Pink
> (vince@dallas.demon.co.uk) apologies to Mr. Pink for my instant repost.
>
> On Sun, 16 Apr 1995, Mr Pink wrote:
>
> >
> > Hello all,
> > i was browsing thru alt.2600, as you do, and spotted something of interest
> > it appears there is a problem with the CERN httpd.
> >
> > It allows you to create a directory in a users home dir that can be
> > accessed via mosaic/netscape. well the bad bit of news is, if you sym link
> > this dir to root (/), file ownership becomes non existent.
> >
> > i was easily able to read the shadow passwd file!

You can't save users or sys-admins from themselves, as this goes to show.

I started writing something up on httpd and security, quite a few months
ago, but never really had the time to get back to it (was playing with
CERN httpd 3.0pre6 at the time). Did a bit of RTFS too which was hmmm...
interesting.
[http://www.arbld.unimelb.edu.au/~darrenr/httpd.ps if you're really
interested but the WWW sucks so...]

-------excerpt from my /etc/httpd.conf--------
UserDir         www
SecurityLevel   high
UserId          nobody
GroupId         nogroup
ParentUserId    nobody
ParentGroupId   nogroup
#
DirAccess       off
DirReadme       top
DirShowHidden   off
DirShowBytes    on
DirShowCase     on
DirShowMode     off
DirShowOwner    off
DirShowGroup    off
---------------------------------------------

Make sure all of those are set as above. httpd is *NOT* meant to be run
as root, which is the *ONLY* way it will read your shadow passwd file unless
the file perms on it are stuffed anyway.

darren
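
An added example, not part of the mail above and not CERN httpd code: a Python audit for the misconfiguration Mr Pink describes, reporting symlinks in a user's served directory that resolve outside that user's home. The function name is hypothetical, and the default directory name `www` is taken from the `UserDir www` line in the config excerpt.

```python
import os
import sys


def find_escaping_links(home, userdir="www"):
    """Return (link_path, resolved_target) for each symlink at or under
    home/userdir whose target resolves outside the user's home directory."""
    home_real = os.path.realpath(home)
    root = os.path.join(home, userdir)
    findings = []

    def check(path):
        # Flag the path if it is a symlink that leaves the home directory.
        if os.path.islink(path):
            target = os.path.realpath(path)
            if os.path.commonpath([home_real, target]) != home_real:
                findings.append((path, target))
                return True
        return False

    # The case from the thread: the served directory itself is a symlink
    # (for instance to /). Report it and do not descend into the target.
    if check(root) or not os.path.isdir(root):
        return findings

    # os.walk does not follow symlinked directories by default, so the
    # scan stays inside the tree while still listing the links themselves.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return findings


if __name__ == "__main__":
    # Usage: python audit_userdir.py /home/alice /home/bob ...
    status = 0
    for home_dir in sys.argv[1:]:
        for link, target in find_escaping_links(home_dir):
            print(f"{link} -> {target}")
            status = 1
    sys.exit(status)
```

The exit status is non-zero when any escaping link is found, so the script can run from cron alongside a check that the server's UserId is not root.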