Hi,
I'm a little confused by exactly what problem you are trying to solve.
Am I right that you could do exactly the same thing by just having
your CGI script copy the relevant file into the webspace rather than
using a symlink?
If so, then this is just the standard issue with privilege separation
that is discussed here:
http://wiki.apache.org/httpd/PrivilegeSeparation
Joshua.
Sorry, I think I did not express myself clearly enough. ;)
The essence is the following: the way of creating a symlink is irrelevant. In most
cases this is a script, but a symlink can also be created by just unpacking an
archive with symlinks that point to other users' files.
Symlinks are very flexible and can even point to themselves. A symbolic link in
the filesystem is always created, even if the target has too few permissions or
does not exist. In these cases the link is just dead for the CGI user that
created it. But the link is not dead for the Apache user. If we consider that the
other file is readable for Apache because it is part of a website, then Apache
serves the content of the other user's file. Apache seems in this case just to
check whether the source and target of the symlink are readable for the Apache
user and serves the file if so. I can decrease the chmod of the target file, but
if it should also be served by Apache, the group of the file has to be the
Apache group and we have the case that it is still readable.
I cannot stop the creation of symlinks by script or other ways. I could activate
SymLinksIfOwnerMatch, but the user could change this with their own .htaccess
because I grant AllowOverride All in httpd.conf.
Decreasing the AllowOverride level to remove the Options group is a really big
step because it would also remove further helpful things:
http://httpd.apache.org/docs/2.2/en/mod/core.html#options
Hmm, the best way would be to activate SymLinksIfOwnerMatch without removing
the whole Options directive.
Now I have:
<Directory "/my/path">
AllowOverride FileInfo AuthConfig Limit Indexes
Options ExecCGI Includes MultiViews Indexes SymLinksIfOwnerMatch
</Directory>
and symlinks to other users' files are not permitted. But on the other hand,
every .htaccess which uses an Options, php_flag or php_value directive (maybe
more) runs into a 500 error :(
Andre
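
Added example (not part of the original thread): a Python sketch for auditing a document root for the links discussed above. It compares the owner of each symlink with the owner of its target, which is the condition SymLinksIfOwnerMatch is documented to test, and also reports links that cannot be resolved or that leave the tree. The function names, reason labels and sample tree are assumptions made up for illustration.

```python
import os
import tempfile

def audit_symlinks(docroot):
    """Return sorted (link, target, reason) tuples for suspicious symlinks."""
    root = os.path.realpath(docroot)
    findings = []
    # followlinks=False: report links, never descend through them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.readlink(link)
            link_uid = os.lstat(link).st_uid        # owner of the link itself
            try:
                target_uid = os.stat(link).st_uid   # owner of what it resolves to
            except OSError:
                # Dangling, looping, or not reachable for the auditing user.
                # The web server's user may still be able to resolve it.
                findings.append((link, target, "unresolvable"))
                continue
            if target_uid != link_uid:
                findings.append((link, target, "owner-mismatch"))
            elif os.path.commonpath([root, os.path.realpath(link)]) != root:
                findings.append((link, target, "outside-docroot"))
    return sorted(findings)

def demo():
    # Constructed sample tree; every name here is invented for the example.
    with tempfile.TemporaryDirectory() as base:
        docroot = os.path.join(base, "alice", "htdocs")
        other = os.path.join(base, "bob")
        os.makedirs(docroot)
        os.makedirs(other)
        open(os.path.join(other, "config.php"), "w").close()
        open(os.path.join(docroot, "index.html"), "w").close()
        os.symlink(os.path.join(other, "config.php"),
                   os.path.join(docroot, "peek.txt"))               # leaves the tree
        os.symlink("index.html", os.path.join(docroot, "home.html"))  # harmless
        os.symlink("missing", os.path.join(docroot, "dead"))        # no target
        os.symlink("loop", os.path.join(docroot, "loop"))           # points to itself
        return [(os.path.basename(l), r) for l, _, r in audit_symlinks(docroot)]

if __name__ == "__main__":
    for name, reason in demo():
        print(name, reason)
```

Run it as root or as a user who can stat every target, otherwise links into other users' directories show up only as "unresolvable".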
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.