
Re: Unix links subverting Web security



On Thu, 26 Oct 1995, Steff Watkins wrote:

(In regards to symbolic links from a user's web directory to sensitive 
files such as /etc/passwd and the security risks inherent in this...)

>   Is there a standard way of stopping this, by configuration or some other
> means at source, that is the WebServer itself? Or, do I have to ritually
> scan my filesystem for links to potentially dangerous systems files and
> delete them??

Sort of... You can do some things with a simple change in the 
configuration of your server, the developing of company/school policies 
and educating users. [See (1) below.]   You can also make your server more 
secure overall (in addition to the above) but it takes more work, in 
addition to somewhat more knowledge and resources. [See (2) below.]


Note that (1) doesn't require (2), but (2) requires (1):

1) Don't allow the public_html type directories.  Give trusted users
   access to their own directories under the DocumentRoot of your server.
   Educate them not to do things like make links to other parts of the
   system when these links could potentially cause security problems, etc.
   (People you don't trust can be given access after being educated.)

   Because only the webmaster or root can create the directories off of
   DocumentRoot, this limits your users from not knowing about the 
   possible security problems this would cause--also it limits the section 
   of the file system you would have to scan to everything under the 
   DocumentRoot instead of every publicly-writable space.


2) Run the server `chroot' like anonymous ftp sessions are done.  Note
   that this requires a minimalistic set of /bin, /etc, /lib and /usr 
   directories to be created under this new root file structure.  See the 
   various documents that explain how to create secure anonymous ftp 
   servers and see your own anonymous ftp servers for examples of how to 
   implement this (hopefully they are secure!).

   For example, the /etc/passwd file under this new directory system 
   would contain a very, VERY minimal set of users (root, postmaster, 
   webmaster, etc.--no real usernames) and no real passwords.  
   Similarly with /etc/group.  Include a minimal set of things in /bin, 
   /lib & /usr.  Note that this will require duplication of some things (i.e., 
   two copies of perl, etc.) because nothing outside of this new root 
   filesystem can be seen by the chroot server.  Though you could 
   theoretically make symbolic links from the regular locations to the 
   "special" (webserver's root tree) locations and then just have the one 
   copy in the special location, this is not recommended because if someone 
   managed to do something to this copy, it would bring down your regular 
   system.


Apu <apu@inet-images.com>                     Internet Images Worldwide
=======================================================================
IIW is a full-service Net presence creation agency--come check us out!!
<A HREF="http://www.inet-images.com/iiw/">Internet Images Worldwide</A>
-----------------------------------------------------------------------
***    Temporary    ***   Please use <apu@menger.eecs.stevens-tech.edu>
***  Inconvenience  ***   or <apu@www.weschke.com> instead of the above
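The "scan my filesystem for links" half of the question above, as an added example that is not part of the original post or of any server's own tooling: a small Python scanner that walks a DocumentRoot (or a set of public_html directories) without following symbolic links, resolves each link it meets, and reports the ones whose final target lies outside the tree, which is exactly the /etc/passwd case the thread discusses. The directory layout it builds is constructed for the demonstration; the path names (htdocs, users/alice, a stand-in etc/passwd) are assumptions, not anything from the post.

```python
import os
import tempfile


def classify_link(link, docroot):
    """Resolve one symlink and say whether it stays inside docroot.

    Returns (target, verdict) with verdict one of 'inside', 'escapes' or
    'dangling'.  docroot must already be an os.path.realpath() result.
    """
    target = os.path.realpath(link)  # follows the whole chain of links
    if not os.path.exists(target):
        return target, "dangling"
    # commonpath is the safe containment test; a plain startswith() would
    # wrongly accept /var/www-private when docroot is /var/www.
    if os.path.commonpath([docroot, target]) == docroot:
        return target, "inside"
    return target, "escapes"


def find_escaping_links(docroot):
    """Walk docroot WITHOUT following symlinks and report every link whose
    final target lies outside the tree, plus dead links worth cleaning up.

    Returns a sorted list of (path relative to docroot, target, verdict).
    """
    docroot = os.path.realpath(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=False):
        # symlinked directories show up in dirnames but are not descended into
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                continue
            target, verdict = classify_link(full, docroot)
            if verdict != "inside":
                findings.append((os.path.relpath(full, docroot), target, verdict))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample layout (assumption, not from the post): a DocumentRoot
    with one user directory containing harmless, escaping and dead links."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="linkscan-"))
    docroot = os.path.join(base, "htdocs")
    outside = os.path.join(base, "etc")  # stands in for the real /etc
    alice = os.path.join(docroot, "users", "alice")
    os.makedirs(alice)
    os.makedirs(outside)
    with open(os.path.join(outside, "passwd"), "w") as f:
        f.write("root:x:0:0:root:/:/bin/sh\n")  # constructed stand-in content
    with open(os.path.join(docroot, "index.html"), "w") as f:
        f.write("<html>hello</html>\n")
    # harmless: the link stays under the DocumentRoot
    os.symlink(os.path.join(docroot, "index.html"), os.path.join(alice, "home.html"))
    # the case from the thread: a link from a web directory to a sensitive file
    os.symlink(os.path.join(outside, "passwd"), os.path.join(alice, "pw"))
    # worse: a link to a whole directory outside the tree
    os.symlink(outside, os.path.join(alice, "etc"))
    # a relative link that climbs out of the tree resolves the same way
    os.symlink("../../../etc/passwd", os.path.join(alice, "pw2"))
    # a dead link: not an exposure, but reported so it can be removed
    os.symlink("/nonexistent/file", os.path.join(alice, "gone"))
    return docroot


def run_demo():
    """Build the constructed tree and scan it; returns (docroot, findings)."""
    docroot = build_demo_tree()
    return docroot, find_escaping_links(docroot)


if __name__ == "__main__":
    root, hits = run_demo()
    for rel, target, verdict in hits:
        print(f"{verdict:8s} {rel} -> {target}")
```

Run it against a real DocumentRoot by calling find_escaping_links("/path/to/htdocs") from cron or by hand; with option (1) above in place, that one tree is the whole search space. The scan deliberately does not descend through symlinked directories, so a link to a directory outside the tree is reported once as the directory rather than file by file. It complements, rather than replaces, telling the server itself not to follow links it should not (the "simple change in the configuration of your server" mentioned above), since a scan only catches links that exist at the moment it runs.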

