Posted to users@httpd.apache.org by Ra...@itdz-berlin.de on 2006/02/21 11:09:36 UTC
[users@httpd] Weird sbitting of htdigest
Hi,
I needed to "protect" a URI of my webserver.
Since the Base64 encoding of mod_auth seemed too revealing to me, and on the other hand SSL/TLS too involved,
I looked for something in between and came across mod_auth_digest.
With mod_auth_digest comes the utility program htdigest to create and maintain a password file with MD5 hashes,
similar to htpasswd of mod_auth for Base64.
When I created my first passwd file with htdigest I was baffled to realize that the htdigest binary
from my installation produced a passwd file with suid, sgid and the sticky bit set.
Ugh, what the hack is any sbit necessary for a flat password file?
e.g.
# ls -ld /tmp
drwxrwxrwt 6 root root 1024 Feb 21 10:31 /tmp
# htdigest -c /tmp/bogus.passwd Rotten\ Vault visitor
Adding password for visitor in realm Rotten Vault.
New password:
Re-type new password:
# ls -l /tmp/bogus.passwd
-rwsr-sr-t 1 root root 54 Feb 21 10:34 /tmp/bogus.passwd
Needless to say, I immediately revoked those bits by
# chmod u-sx,g-sx,o-xt /tmp/bogus.passwd
# ls -l /tmp/bogus.passwd
-rw-r--r-- 1 root root 54 Feb 21 10:34 /tmp/bogus.passwd
without breaking the functionality of MD5 Digest authentication at all.
root's umask during htdigest invocation was
# umask
0022
I consider this, in my view redundant, sbit setting a severe security infringement
(think of a DMZ webserver for the WWW).
I have to admit that I initially installed the Apache from the Fedora Core 3 prebuilt RPMs
# rpm -qf $(which htdigest)
httpd-2.0.52-3
# uname -srv
Linux 2.6.9-1.667smp #1 SMP Tue Nov 2 14:59:52 EST 2004
# cat /etc/redhat-release
Fedora Core release 3 (Heidelberg)
Now I'm very much inclined to compile any Apache for public servicing from the source tarballs
with no DSO and only statically compiled-in modules.
Or did I miss something, and there is a hidden sense behind all this?
Regards
Ralph
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
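An added example, not code from the thread or from the httpd project: a small portable audit in Python that writes a constructed htdigest-style entry (user:realm:MD5(user:realm:password), the layout htdigest produces), flags any setuid/setgid/sticky or writable-by-others bits on the file, and then applies the same remediation Ralph used (clearing the special and exec bits). The realm, user, password, temporary path and function names are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def digest_entry(user, realm, password):
    """Build one htdigest line: user:realm:MD5(user:realm:password)."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    return f"{user}:{realm}:{ha1}"


def audit_password_file(path):
    """Return a list of findings; an empty list means the file looks sane."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & stat.S_ISUID:
        findings.append("setuid bit set")
    if mode & stat.S_ISGID:
        findings.append("setgid bit set")
    if mode & stat.S_ISVTX:
        findings.append("sticky bit set")
    if mode & EXEC_BITS:
        findings.append("execute bit set on a flat password file")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group or world writable")
    with open(path) as fh:
        for n, line in enumerate(fh, 1):
            parts = line.rstrip("\n").split(":")
            if len(parts) != 3 or len(parts[2]) != 32:
                findings.append(f"line {n}: not a user:realm:md5 entry")
    return findings


def strip_special_bits(path):
    """Same effect as the post's chmod u-sx,g-sx,o-xt; returns the new mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~(SPECIAL_BITS | EXEC_BITS))
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Recreate the reported state on a constructed file, audit, fix, re-audit."""
    path = os.path.join(tempfile.mkdtemp(), "bogus.passwd")
    with open(path, "w") as fh:
        fh.write(digest_entry("visitor", "Rotten Vault", "example-pw") + "\n")
    os.chmod(path, 0o7755)  # simulate the -rwsr-sr-t mode seen in the post
    before = audit_password_file(path)
    fixed_mode = strip_special_bits(path)
    return before, fixed_mode, audit_password_file(path)
```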
Re: [users@httpd] Weird sbitting of htdigest
Posted by Nick Kew <ni...@webthing.com>.
On Tuesday 21 February 2006 10:09, Ralph.Grothe@itdz-berlin.de wrote:
> When I created my first passwd file with htdigest I was baffled
> to
> realize that the htdigest binary from my installation produced
> a passwd file with suid, sgid and the sticky bit set.
>
> Ugh, what the hack is any sbit necessary for a flat password
> file?
It certainly shouldn't do that - and it doesn't for me.
Do you have strange umask settings, or anything else in the shell?
--
Nick Kew