Re: HTTPD bug

Darren Reed (avalon@coombs.anu.edu.au)
Mon, 17 Apr 1995 13:05:11 +1000 (EST)

In some mail from Mr Martin J Hargreaves, they said:
> 
> 
> 	I don't think this has been brought up on bugtraq yet, if it has 
> sorry. This is from Linux-security, posted by "Mr Pink"
> (vince@dallas.demon.co.uk) apologies to Mr. Pink for my instant repost.
> 
> On Sun, 16 Apr 1995, Mr Pink wrote:
> 
> > 
> > Hello all,
> > i was browsing thru alt.2600, as you do, and spotted something of interest
> > it appears there is a problem with the CERN httpd.
> > 
> > It allows you to create a directory in a user's home dir that can be
> > accessed via mosaic/netscape.  well the bad bit of news is, if you sym link
> > this dir to root (/), file ownership becomes non-existent.
> > 
> > i was easily able to read the shadow passwd file!

You can't save users or sys-admins from themselves, as this goes to show.

I started writing something up on httpd and security, quite a few months
ago, but never really had the time to get back to it (was playing with
CERN httpd 3.0pre6 at the time).  Did a bit of RTFS too which was hmmm...
interesting.  [http://www.arbld.unimelb.edu.au/~darrenr/httpd.ps if you're
really interested but the WWW sucks so...]
-------excerpt from my /etc/httpd.conf-------
UserDir	        www
SecurityLevel   high
UserId          nobody
GroupId         nogroup
ParentUserId    nobody
ParentGroupId   nogroup
#
DirAccess       off
DirReadme       top
DirShowHidden   off
DirShowBytes    on
DirShowCase     on
DirShowMode     off
DirShowOwner    off
DirShowGroup    off
---------------------------------------------
Make sure all of those are set as above.  httpd is *NOT* meant to be run
as root, which is the *ONLY* way it will read your shadow passwd file unless
the file perms on it are stuffed anyway.

darren
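
An added example, not part of the original message or of CERN httpd: a Python audit that walks a user's published directory (the `UserDir www` setting above) and reports symlinks that resolve outside the owner's home, which is the condition described in the quoted report. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile


def escaping_symlinks(home, userdir="www"):
    """List (link, resolved_target) pairs under home/userdir that leave home."""
    home_real = os.path.realpath(home)
    root = os.path.join(home_real, userdir)

    def escapes(path):
        target = os.path.realpath(path)
        return os.path.commonpath([home_real, target]) != home_real, target

    # The published directory may itself be the link (www -> /). Report it and
    # do not walk it, since os.walk would descend into the link's target.
    if os.path.islink(root):
        out, target = escapes(root)
        if out:
            return [(root, target)]
        root = target  # link stays inside home: audit what it points at

    findings = []
    # followlinks=False: linked directories are listed but never entered.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                out, target = escapes(path)
                if out:
                    findings.append((path, target))
    return sorted(findings)


def build_constructed_tree(base):
    """Constructed sample homes: alice has one escaping link, bob's www is one."""
    alice, bob = os.path.join(base, "alice"), os.path.join(base, "bob")
    os.makedirs(os.path.join(alice, "www"))
    os.makedirs(os.path.join(alice, "notes"))
    os.makedirs(bob)
    open(os.path.join(alice, "www", "index.html"), "w").close()
    os.symlink("../notes", os.path.join(alice, "www", "docs"))  # stays in home
    os.symlink("/", os.path.join(alice, "www", "rootfs"))       # leaves home
    os.symlink("/", os.path.join(bob, "www"))                   # UserDir is a link
    return alice, bob


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for home in build_constructed_tree(base):
            for link, target in escaping_symlinks(home):
                print(f"{link} -> {target}")
```

Links that stay inside the home directory (such as `docs` in the sample tree) are not reported; only targets outside it are.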