Re: httpd symlinks

Daniel S. Riley (dsr@lns61.tn.cornell.edu)
Mon, 4 Sep 1995 16:21:05 -0400

>> Try adding this to "access.conf" on apache 0.8.11 or ncsa 1.4 (not sure
>> about how CERN handles this).  "SymLinksIfOwnerMatch" is only vaguely
>> documented.

SymLinksIfOwnerMatch, at least in NCSA httpd 1.4 through 1.5b3, is
also broken.  Here's the bug report I submitted to the ncsa-httpd
team:

    SymLinksIfOwnerMatch can be trivially defeated.  The check code
    basically does

        lstat(path,&fi);
        [...]
        bsz = readlink(path,realpath,256);
        [...]
        lstat(realpath,&lfi);
        if(fi.st_uid != lfi.st_uid)
                goto gong;

    which can be fooled by creating a soft link to a soft link to the
    target file.  The second lstat should be a stat(), and the whole
    thing could be substantially simplified--something like

        lstat(path,&fi);
        if(!(S_ISREG(fi.st_mode))) {
            if(opts[n] & OPT_SYM_OWNER) {
                /* stat() follows the whole chain; lstat() stopped at the first link */
                if (stat(path,&lfi) == -1)
                    goto gong;
                if(fi.st_uid != lfi.st_uid)
                    goto gong;
            }
        }


    should be sufficient (be sure to fix both instances).
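The difference between the two checks, as an added example that is not part of the original message or of NCSA httpd: the function names, the temp directory, and the use of a directory as the chain's final target are assumptions made here; the code only reports which object each check would have compared owners against.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
/* The check as the bug report describes it: one readlink(), then lstat() of
 * the name it returned.  Returns the inode whose st_uid would be compared,
 * or 0 on error.  (Illustrative reimplementation, not httpd's own code.) */
static ino_t broken_check_inode(const char *path) {
    struct stat fi, lfi;
    char real[256];
    ssize_t bsz;
    if (lstat(path, &fi) == -1 || !S_ISLNK(fi.st_mode)) return 0;
    bsz = readlink(path, real, sizeof real - 1);
    if (bsz == -1) return 0;
    real[bsz] = '\0';                      /* readlink() does not NUL-terminate */
    if (lstat(real, &lfi) == -1) return 0; /* a link-to-a-link stops here */
    return lfi.st_ino;
}

/* The proposed fix: stat() follows the whole chain to the final target. */
static ino_t fixed_check_inode(const char *path) {
    struct stat lfi;
    if (stat(path, &lfi) == -1) return 0;
    return lfi.st_ino;
}

/* Constructed scenario: link2 -> link1 -> dir (a fresh temp directory stands
 * in for the target file).  Returns 1 when the broken check inspected link1
 * while the fixed check reached dir, 0 otherwise or on any setup error. */
int demo_symlink_chain(void) {
    char dir[] = "/tmp/symchainXXXXXX", link1[300], link2[300];
    struct stat st_dir, st_link1;
    int ok = 0;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(link1, sizeof link1, "%s/link1", dir);
    snprintf(link2, sizeof link2, "%s/link2", dir);
    if (symlink(dir, link1) == 0 && symlink(link1, link2) == 0 &&
        stat(dir, &st_dir) == 0 && lstat(link1, &st_link1) == 0)
        ok = broken_check_inode(link2) == st_link1.st_ino   /* compared the link */
          && fixed_check_inode(link2) == st_dir.st_ino;     /* compared the target */
    unlink(link2); unlink(link1); rmdir(dir);
    return ok;
}

int main(void) {
    printf("link-to-link fools the lstat() check: %s\n",
           demo_symlink_chain() ? "yes" : "no");
    return 0;
}
```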