Posted to dev@httpd.apache.org by "Lou D. Langholtz" <ld...@usi.utah.edu> on 1997/07/04 03:29:23 UTC

Re: [PATCH] various security problems

Dean Gaudet wrote:
> 
> Summary:  There's a bunch of ways to bypass the symlink restrictions, or
> otherwise serve up any file on the system.
> . . .

Just a reminder on an old post I made...

On this thread, FollowSymlinksIfOwnersMatch can also be circumvented by
users by telling their sys-admin to restore one of their web directories
containing some symlinks which often doesn't preserve the symlink owner.
Now they got root owned symlinks which is just perfect for pointing at /
and voila, they can export the whole filesystem tree (just about).

If anybody wants additional protection against Symlink dangers I wrote a
simple module a while back and put it at
<http://www.eng.utah.edu/~ldl/apache/modules/disallow_id/>. I've also
recently updated it to compile more cleanly with 1.2.0 as well as 1.1.*

Re: [PATCH] various security problems

Posted by Dean Gaudet <dg...@arctic.org>.
I wonder if we couldn't get further with something that works on absolute
paths.  i.e. when symlinks are followed, start processing the absolute
path, or provide directives that match the absolute path.  In the end
though we're doing a lot of work for little gain ... we need to protect so
much of the code, ugh. 

Your module is simple enough, and catches another trouble case.  But it
just begs for extension ... like "disallow uids < 100" :)  I'm happy
including it as is though. 

Dean

On Thu, 3 Jul 1997, Lou D. Langholtz wrote:

> Dean Gaudet wrote:
> > 
> > Summary:  There's a bunch of ways to bypass the symlink restrictions, or
> > otherwise serve up any file on the system.
> > . . .
> 
> Just a reminder on an old post I made...
> 
> On this thread, FollowSymlinksIfOwnersMatch can also be circumvented by
> users by telling their sys-admin to restore one of their web directories
> containing some symlinks which often doesn't preserve the symlink owner.
> Now they got root owned symlinks which is just perfect for pointing at /
> and voila, they can export the whole filesystem tree (just about).
> 
> If anybody wants additional protection against Symlink dangers I wrote a
> simple module a while back and put it at
> <http://www.eng.utah.edu/~ldl/apache/modules/disallow_id/>. I've also
> recently updated it to compile more cleanly with 1.2.0 as well as 1.1.*
>
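
A docroot audit for the cases raised in this thread (symlinks left root-owned by a restore, and the "uids < 100" idea), added here as an example; it is not code from the thread or from the disallow_id module. The function name, the reason labels and the `min_uid=100` default are assumptions chosen for illustration.

```python
import os
import sys

def audit_symlinks(docroot, min_uid=100):
    """Return {relative link path: [reasons]} for symlinks under docroot
    that an owner-match check alone would not make safe."""
    root = os.path.realpath(docroot)
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # Symlinks to directories are listed in dirnames but not descended.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            link = os.lstat(path)  # owner of the link itself, not its target
            reasons = []
            if link.st_uid < min_uid:
                # e.g. a link recreated by a restore that ran as root
                reasons.append("link-owned-by-low-uid")
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                reasons.append("escapes-docroot")
            try:
                tgt = os.stat(path)  # follows the link
            except OSError:
                reasons.append("dangling")
            else:
                if tgt.st_uid < min_uid:
                    reasons.append("target-owned-by-low-uid")
                if tgt.st_uid == link.st_uid and "escapes-docroot" in reasons:
                    # Owners agree, so an owner-match test would follow it.
                    reasons.append("owner-match-would-allow")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

if __name__ == "__main__":
    docroot = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, reasons in sorted(audit_symlinks(docroot).items()):
        print(rel, ",".join(reasons))
```

Running it over user web directories after a restore lists the links whose ownership changed to a system account before the server is asked to follow them.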