Re: Unix links subverting Web security
What can you glean from a passwd file?
Surely no one has cracked crypt()...
> Talking about symlinks is missing the point. The same user who did this:
>
> ln -s /etc/passwd test.doc
>
> could just as well have done this:
>
> cp /etc/passwd test.doc
>
> In fact, if I made /etc/passwd group-readable but not world-readable, and
> everything on the system *except* the HTTP daemon's pseudo-user (you _are_
> running it as a pseudo-user with minimal privileges, yes?) was a member of
> that group, then I might be able to prevent the symlink attack but I still
> couldn't prevent anyone doing the copy.
>
> Thomas Maslen
> tmaslen@verity.com My opinions, not Verity's
Jeffrey Russell Horner jhorner@cs.utk.edu
Backups & Lab Assistant, Computer Science Department
University of Tennessee, Knoxville
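
Maslen's point in the quoted text, as an added example that is not part of the original thread: tightening the mode on the protected file stops the daemon from reading it through a symlink, but says nothing about a copy made by someone who was allowed to read it. The uids and group memberships are hypothetical, `secret.txt` is a constructed stand-in for the protected file, and the check models only the classic owner/group/other mode bits (no root, ACLs or directory permissions).

```python
import os
import shutil
import stat
import tempfile


def can_read(path, uid, gids):
    """Classic Unix read check for a hypothetical (uid, gids); follows symlinks."""
    st = os.stat(path)  # stat() resolves symlinks, as open() would
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def demo():
    """Build both cases in a temp dir and report what each account could read."""
    with tempfile.TemporaryDirectory() as root:
        secret = os.path.join(root, "secret.txt")   # stand-in for the protected file
        with open(secret, "w") as fh:
            fh.write("constructed sample data\n")
        os.chmod(secret, 0o640)                     # group-readable, not world-readable

        owner = os.stat(secret).st_uid
        group = os.stat(secret).st_gid
        local_user = (owner + 1, {group})           # hypothetical: member of the group
        httpd = (owner + 2, {group + 1})            # hypothetical: outside the group

        link = os.path.join(root, "link.doc")
        os.symlink(secret, link)                    # the "ln -s" case

        copy = os.path.join(root, "copy.doc")
        shutil.copyfile(secret, copy)               # the "cp" case
        os.chmod(copy, 0o644)                       # the copy's owner picks its mode

        return {
            "user_reads_secret": can_read(secret, *local_user),
            "httpd_reads_secret": can_read(secret, *httpd),
            "httpd_reads_symlink": can_read(link, *httpd),
            "httpd_reads_copy": can_read(copy, *httpd),
        }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```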