[cobalt-developers] RE: [cobalt-security] Re: [cobalt-announce] Cobalt Networks - Security Advisory - Frontpage
- Subject: [cobalt-developers] RE: [cobalt-security] Re: [cobalt-announce] Cobalt Networks - Security Advisory - Frontpage
- From: "Jose Luis Aguilar" <jlaguilar@xxxxxxxxxxxxxxxxxxx>
- Date: Wed Jun 7 15:14:20 2000
Does this patch fix the rest of the problem?
I mean users being able to run CGI scripts when they are not supposed to, if
the RAQ admin disabled CGI for that specific site.
Would changing the access.conf file correct this?
"AllowOverride FileInfo, AuthConfig, Limit" instead of "AllowOverride All"
Or would this modification break other features on the RAQ3?
Jose Aguilar
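As an added illustration (not from this thread, Cobalt, or the RaQ software), here are the two access.conf variants the question above contrasts, written as a per-site <Directory> block for a site whose admin has disabled CGI. The directory path is a placeholder and the other Options are assumptions; note that Apache separates AllowOverride types with spaces, not commas.

```apache
# Added example, not Cobalt's configuration. Path is a placeholder;
# the site's Options are assumed. Apache 1.3 does not accept trailing
# comments on directive lines, so comments stand on their own lines.

# Weak form: "All" lets a .htaccess anywhere in the site tree use every
# override type, including Options. A site user can therefore put
# "Options +ExecCGI" (plus an AddHandler cgi-script line) in .htaccess
# and run CGI even though the admin left ExecCGI out below.
<Directory /home/sites/EXAMPLE-SITE/web>
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>

# Hardened form: grant only the override types the site needs.
# "Options" is deliberately absent, so .htaccess cannot switch ExecCGI
# back on; mod_cgi refuses to run a script in a directory where
# ExecCGI is off ("Options ExecCGI is off in this directory"), even if
# FileInfo still permits AddHandler. FileInfo keeps AddType/AddHandler
# and ErrorDocument working, AuthConfig keeps password protection,
# and Limit keeps <Limit> host-based access control.
<Directory /home/sites/EXAMPLE-SITE/web>
    Options Indexes FollowSymLinks
    AllowOverride FileInfo AuthConfig Limit
</Directory>
```

Whether the RaQ3 admin interface itself relies on .htaccess Options or Indexes directives is not stated in the thread, so check the new configuration with `httpd -t` and a test site before rolling it out.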
-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Jeff Lovell
Sent: Thursday, May 25, 2000 6:31 PM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-security] Re: [cobalt-announce] Cobalt Networks -
Security Advisory - Frontpage
Iain O'Cain wrote:
> > When a site is uploaded with FP to a RaQ2/3, all of the files
> > are owned by user "httpd" instead of a site-specific user.
>
> Now, the patch addresses this in part by changing web directory ownerships
> to the "nobody" user. Since we've been changing ownerships over to the
> actual site owner, this is pretty undesirable. It seems to me that it
> would be just as effective to change the user which httpd runs as, rather
> than mess with file permissions which users may have changed for their own
> purposes. Does that fit with how you're fixing this problem at Cobalt?
It doesn't change ownership away from legitimate users. It only
changes permissions on files that are owned by httpd. So any users
that have uploaded files through ftp, or have had the admin change
ownership will not be affected.
> > The package file format (pkg) for this fix is currently in testing, and
> > will be available in the very near future.
>
> Perhaps if we wait for the pkg'd fix, it may be a bit cleaner?
If you feel you can wait for the pkg'd version I recommend it.
It will go through more strict testing guidelines and other
performance testing. But if you need a spot fix, apply this
patch.
Jeff
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security