
Re: Unix links subverting Web security



I'm still not convinced that .htaccess is really a concern.  On the scale of
risks, from 1 to 10, 0 being complete, ironclad safety, and 10 being
metaphysical buck-naked come-and-crack-me insecure, I'd give it maybe a 0.5.

If I have an .htaccess file in a directory, then I'm using it to restrict
access to a subpopulation of the Web audience whom I trust.  Therefore,
assuming .htaccess works (which it does, in my experience), only trusted users
can read the file via a Web browser.

If I'm not clueless, I have my actual password file in a directory that's not
accessible via the Web.  No Web surfer, even those I trust via .htaccess, can
read the password file and crack in.

A user whom I trust can read .htaccess and find out where the file is.  If the
person has an account on my system, they may be able to use this information to
find the password file, read it, and crack it.  (This assumes that they can
log in or ftp non-anonymously to the httpd server host--something that users at
our site cannot do.  But for the sake of argument, we'll assume they can.)  IMO,
anyone interested in cracking our systems, and who has an account on our
systems, is not going to go directly to the httpd password file in the first
place--they are going to be much more interested in things like /etc/passwd.
But let's say they want to find the httpd password file.  They don't need an
.htaccess file to find it.  All they need to do is find the server tree and
poke around.

The moral is, if you don't trust your users, don't give them access to the host
that's running httpd.  Of course, then you probably have to rely on things like
NFS, which has its own security problems.  But if you have to run NFS for other
reasons and thus have to live with its potential for attack, you might as well
make the best of the situation and lock your users off of your httpd server.

-- 
Karl Boyken, sys. prog., Dept. of CS, 303A MLH, U. of Iowa, Iowa City, IA 52242
email: karl-boyken@uiowa.edu              WWW: http://www.cs.uiowa.edu/~boyken/
voice: 319-335-2730                                           fax: 319-335-3017
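The post's mitigation is that the password file named by .htaccess must sit in a directory the Web server never serves. The following audit script is an added example, not part of the original message or of Apache; it scans .htaccess text for AuthUserFile and AuthGroupFile directives and reports any that resolve to a path under DocumentRoot. The .htaccess contents and the directory paths are constructed for illustration, and the assumption that a relative Auth*File path is resolved against ServerRoot follows Apache's documented behaviour.

```python
"""Flag Auth*File directives in .htaccess whose target lives inside DocumentRoot.

Added example for this thread; not code from the original post or from Apache.
All sample .htaccess text and paths below are constructed.
"""
import os

# Directives that point at credential files Apache reads for access control.
AUTH_FILE_DIRECTIVES = ("AuthUserFile", "AuthGroupFile")


def find_auth_files(htaccess_text):
    """Return (directive, raw_path) pairs for Auth*File lines in .htaccess text."""
    found = []
    for line in htaccess_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in AUTH_FILE_DIRECTIVES:
            found.append((parts[0], parts[1].strip().strip('"')))
    return found


def is_under(path, root):
    """True if 'path' is 'root' or lies beneath it (string-level, no symlink resolution)."""
    path = os.path.normpath(path)
    root = os.path.normpath(root)
    return path == root or path.startswith(root + os.sep)


def exposed_auth_files(htaccess_text, document_root, server_root):
    """Return absolute paths of credential files that fall inside DocumentRoot.

    A relative Auth*File path is resolved against ServerRoot (Apache's documented
    rule; an assumption of this example, not something the post states).  On a
    live host, apply os.path.realpath to both sides before comparing so that a
    symbolic link pointing from the served tree into the file is also caught.
    """
    exposed = []
    for _directive, raw in find_auth_files(htaccess_text):
        absolute = raw if os.path.isabs(raw) else os.path.join(server_root, raw)
        absolute = os.path.normpath(absolute)
        if is_under(absolute, document_root):
            exposed.append(absolute)
    return exposed


# Constructed .htaccess: the user file is (wrongly) under the served tree,
# the group file is (correctly) outside it.
SAMPLE_HTACCESS = """
AuthType Basic
AuthName "Staff only"
# password file placed inside the web tree: any trusted user's browser can fetch it
AuthUserFile /var/www/htdocs/private/.htpasswd
AuthGroupFile /usr/local/etc/httpd/groups
Require valid-user
"""

if __name__ == "__main__":
    for p in exposed_auth_files(SAMPLE_HTACCESS, "/var/www/htdocs", "/usr/local/etc/httpd"):
        print("credential file inside DocumentRoot:", p)
```

Run it against each .htaccess found under the served tree; an empty result means every credential file referenced from that directory is outside what httpd will hand to a browser, which is the condition the post relies on.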

