Re: HTTPD bug

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Charlie Watt: "Re: passwd hashing algorithm"
• Previous message: Paul C Leyland: "Re: passwd hashing algorithm"
• In reply to: Baba Z Buehler: "Re: HTTPD bug"
• Next in thread: carson@lehman.com: "Re: HTTPD bug"

On Mon, 17 Apr 1995, Baba Z Buehler wrote:
> 
> the httpd process will read files with the permissions of the user it is
> running as.  if you run your httpd as root, then you've got a problem.

	So it's OK for the rest of the net to read any files a 
non-privileged user can read ?

> run httpd as user 'nobody' or some such, and you won't have this problem.

	Except in the scenario Mr Pink described, if they had not had shadow 
passwords but /etc/passwd mode 644 then of course 'nobody' _could_ read 
that, as well as every other file on the system that is world-readable.

	Unfortunately just running as 'nobody' is not enough, you have to 
either disallow the following of symlinks in user directories (which is a 
good idea anyway), choose which users can have symlinks and have a more 
complex access list (this is NCSA httpd, I don't know about the CERN 
version), or lastly just allow any user to give the network read access 
to your system (may be option for those in a secure environment or who 
trust all the users on the system).

	Regards,

			Martin.


----------------------------------------------------------------
| Martin Hargreaves, 		            ch11mh@surrey.ac.uk|
| Undergraduate Computational Chemist    		       |
| WWW Server Admin                 http://www.chem.surrey.ac.uk|
----------------------------------------------------------------

• Next message: Charlie Watt: "Re: passwd hashing algorithm"
• Previous message: Paul C Leyland: "Re: passwd hashing algorithm"
• In reply to: Baba Z Buehler: "Re: HTTPD bug"
• Next in thread: carson@lehman.com: "Re: HTTPD bug"