Re: Unix links subverting Web security
On Thu, 26 Oct 1995, Steff Watkins wrote:
(In regards to symbolic links from a user's web directory to sensitive
files such as /etc/passwd and the security risks inherent in this...)
> Is there a standard way of stopping this, by configuration or some other
> means at source, that is the WebServer itself? Or, do I have to ritually
> scan my filesystem for links to potentially dangerous systems files and
> delete them??
Sort of... You can do some things with a simple change in the
configuration of your server, the developing of company/school policies
and educating users. [See (1) below.] You can also make your server more
secure overall (in addition to the above) but it takes more work, in
addition to somewhat more knowledge and resources. [See (2) below.]
Note that (1) doesn't require (2), but (2) requires (1):
1) Don't allow the public_html type directories. Give trusted users
access to their own directories under the DocumentRoot of your server.
Educate them not to do things like make links to other parts of the
system when these links could potentially cause security problems, etc.
(People you don't trust can be given access after being educated.)
Because only the webmaster or root can create the directories off of
DocumentRoot, this limits your users from not knowing about the
possible security problems this would cause--also it limits the section
of the file system you would have to scan to everything under the
DocumentRoot instead of every publicly-writable space.
2) Run the server `chroot' like anonymous ftp sessions are done. Note
that this requires a minimalistic set of /bin, /etc, /lib and /usr
directories to be created under this new root file structure. See the
various documents that explain how to create secure anonymous ftp
servers and see your own anonymous ftp servers for examples of how to
implement this (hopefully they are secure!).
For example, the /etc/passwd file under this new directory system
would contain a very, VERY minimal set of users (root, postmaster,
webmaster, etc.--no real usernames) and no real passwords.
Similarly with /etc/group. Include a minimal set of things in /bin,
/lib & /usr. Note that this will require duplication of some things (i.e.,
two copies of perl, etc.) because nothing outside of this new root
filesystem can be seen by the chroot server. Though you could
theoretically make symbolic links from the regular locations to the
"special" (webserver's root tree) locations and then just have the one
copy in the special location, this is not recommended because if someone
managed to do something to this copy, it would bring down your regular
system.
Apu <apu@inet-images.com> Internet Images Worldwide
=======================================================================
IIW is a full-service Net presence creation agency--come check us out!!
<A HREF="http://www.inet-images.com/iiw/">Internet Images Worldwide</A>
-----------------------------------------------------------------------
*** Temporary *** Please use <apu@menger.eecs.stevens-tech.edu>
*** Inconvenience *** or <apu@www.weschke.com> instead of the above