[Previous] [Next] [Index]
[Thread]
Re: Unix links subverting Web security
On Wed, 1 Nov 1995, Lianyi Zhu wrote:
> Not really true. .htaccess is one problem. /passwd/.htpasswd is another
> problem. Anybody can get your password file by:
> http://your_web_host/passwd/.htpasswd
> crack it, and visit you again with the password.
>
> This password mechanism is not good for cracker, but for gentleman.
I run my server under a chroot() directory, running as the user "nobody",
and my configuration file does not allow access to any subdirectories other
than "/Docs", "/icons", and "/cgi-bin". Assuming that the .htaccess
mechanism works, which my experience indicates it does, you can't read the
.htaccess file out of any specific directory unless the .htaccess file
grants you access to that directory so I am not concerned about users being
able to read the .htaccess files. The individual .htaccess files do not
indicate the location of the password file so the .htaccess file would not
help in that regard. Even if I told you that the password file was located
at "/conf/.htpasswd" you would still not be able to read it because of the
directory limitations in hte configuration file. And to make things even
more secure, you can't get at the files even if you log in on the system
(unless you also break in to the root account) because the top level
directory is only readable by the user "nobody".
If someone can tell me some basic flaw in my setup I would love to hear
it. I have not found any way to defeat the security and nothing I have
seen on this list so far has indicated a way to defeat the security. I am
currently running the NCSA server, version 1.4, with a minor mod to support
the chroot capability.
--
David H. Brierley
Raytheon Electronic Systems - Portsmouth RI Facility
Work: dhb@ssd.ray.com Home: dave@galaxia.network23.com
References: