[cobalt-users] Re: Removing ~ for website URL
- Subject: [cobalt-users] Re: Removing ~ for website URL
- From: Bruce Timberlake <bruce@xxxxxxxxxx>
- Date: Mon Apr 19 09:31:02 2004
- Organization: BRTNet.org
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
As others have replied, check /etc/httpd/conf/access.conf for the
FollowSymlinks directive. Here's the relevant chunk from my own RaQ 4:
<Directory /home/sites/>
# This may also be "None", "All", or any combination of "Indexes",
# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
Options Indexes FollowSymLinks Includes MultiViews
</Directory>
and then a little later in the file:
# be more restrictive within a site
<Directory /home/sites/*/>
Options -FollowSymLinks +SymLinksIfOwnerMatch
</Directory>
A caveat from the Apache Definitive Guide
(http://www.hk8.org/old_web/linux/apache/ch03_11.htm) - I don't know how
CGIWrap plays into this; you might be safe anyway because of it:
However, there are security problems to do with other users on the same
system. Imagine that one of them is a dubious character called Fred, who has
his own webspace, .../fred/public_html. Imagine that the webmaster has a CGI
script called fido that lives in .../cgi-bin and belongs to webuser. If the
webmaster is wise, she has restricted read and execute permissions for this
file to its owner and no one else. This, of course, allows web clients to use
it because they also appear as webuser. As things stand, Fred cannot read the
file. This is fine, and in line with our security policy of not letting
anyone read CGI scripts. This denies them knowledge of any security holes.
Fred now sneakily makes a symbolic link to fido from his own webspace. In
itself, this gets him nowhere. The file is as unreadable via symlink as it is
in person. But if Fred now logs on to the Web (which he is perfectly entitled
to do), accesses his own webspace and then the symlink to fido, he can read
it because he now appears to the operating system as webuser.
The Options command without All or FollowSymLinks stops this caper dead. The
more trusting webmaster may be willing to concede FollowSymLinks-IfOwnerMatch
since that too should prevent access.
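The following is an added example, not code from the post above, from the Apache project, or from the Definitive Guide. It emulates two things the message relies on: the Options merge rule that turns the two quoted <Directory> blocks into the set of options in force inside one site, and the per-component symlink check Apache performs when FollowSymLinks is off and SymLinksIfOwnerMatch is on (lstat each path component; if it is a symlink, stat the target and refuse the request unless both have the same owning uid). The filesystem, the uids (48 for webuser, 1001 for Fred) and the /home/www and /home/fred paths are constructed for the example and stand in for the guide's ".../cgi-bin" and ".../fred/public_html".

```python
"""Added example: emulate Apache's Options merge and its SymLinksIfOwnerMatch
check on a constructed filesystem modelling the "Fred" scenario."""
import os
import stat
from collections import namedtuple

FakeStat = namedtuple("FakeStat", "st_mode st_uid")   # the two stat fields used

WEBUSER, FRED = 48, 1001                               # assumed uids, constructed

# Constructed filesystem: path -> (kind, owner uid[, symlink target]).
FRED_FS = {
    "/home":                            ("dir",  0),
    "/home/www":                        ("dir",  WEBUSER),
    "/home/www/cgi-bin":                ("dir",  WEBUSER),
    "/home/www/cgi-bin/fido":           ("file", WEBUSER),   # readable by webuser only
    "/home/fred":                       ("dir",  FRED),
    "/home/fred/public_html":           ("dir",  FRED),
    "/home/fred/public_html/index.html": ("file", FRED),
    # Fred's sneaky link to the webmaster's script, and a harmless link to his own file.
    "/home/fred/public_html/fido":      ("link", FRED, "/home/www/cgi-bin/fido"),
    "/home/fred/public_html/mine":      ("link", FRED, "/home/fred/public_html/index.html"),
}

def make_fake_fs(entries):
    """Return (lstat, stat) callables over the constructed tree."""
    modes = {"dir": stat.S_IFDIR, "file": stat.S_IFREG, "link": stat.S_IFLNK}

    def lstat(p):
        if p not in entries:
            raise FileNotFoundError(p)
        return FakeStat(modes[entries[p][0]], entries[p][1])

    def stat_(p):                       # stat() follows links to the final target
        info = lstat(p)
        while stat.S_ISLNK(info.st_mode):
            p = entries[p][2]
            info = lstat(p)
        return info
    return lstat, stat_

def symlink_policy_check(path, follow_symlinks, owner_match,
                         lstat=os.lstat, stat_=os.stat):
    """Return (allowed, reason) for an absolute path under the given Options.

    Every component is lstat()ed. For a component that is a symlink:
      FollowSymLinks on         -> followed, no ownership check;
      SymLinksIfOwnerMatch on   -> followed only if link and target share st_uid;
      neither                   -> 403.
    Defaults to the real filesystem; pass fake lstat/stat for a model tree."""
    cur = "/"
    for part in [p for p in path.split("/") if p]:
        cur = os.path.join(cur, part)
        try:
            link_info = lstat(cur)
        except FileNotFoundError:
            return False, f"404 {cur} does not exist"
        if not stat.S_ISLNK(link_info.st_mode) or follow_symlinks:
            continue
        if not owner_match:
            return False, f"403 symlink {cur} not followed (no FollowSymLinks)"
        target_info = stat_(cur)
        if target_info.st_uid != link_info.st_uid:
            return False, (f"403 symlink {cur} owned by uid {link_info.st_uid} "
                           f"points at a file owned by uid {target_info.st_uid}")
    return True, "200 ok"

OUTER_OPTIONS = "Indexes FollowSymLinks Includes MultiViews"   # <Directory /home/sites/>
INNER_OPTIONS = "-FollowSymLinks +SymLinksIfOwnerMatch"        # <Directory /home/sites/*/>

def merge_options(inherited, line):
    """Apache's Options merge rule: if every token carries + or -, the line
    adjusts the inherited set; otherwise it replaces it outright.
    ("All" is not expanded here; the quoted config does not rely on it.)"""
    tokens = line.split()
    if tokens and all(t[0] in "+-" for t in tokens):
        result = set(inherited)
        for t in tokens:
            (result.add if t[0] == "+" else result.discard)(t[1:])
        return result
    return set(tokens)

def effective_site_options():
    """Options in force inside one site directory on the quoted RaQ 4 config."""
    return merge_options(merge_options(set(), OUTER_OPTIONS), INNER_OPTIONS)

def evaluate_fred():
    """Run Fred's request under the site config and under the alternatives."""
    opts = effective_site_options()
    follow, owner = "FollowSymLinks" in opts, "SymLinksIfOwnerMatch" in opts
    lstat, stat_ = make_fake_fs(FRED_FS)
    fido, mine = "/home/fred/public_html/fido", "/home/fred/public_html/mine"
    return {
        "site_config":    symlink_policy_check(fido, follow, owner, lstat, stat_),
        "FollowSymLinks": symlink_policy_check(fido, True, False, lstat, stat_),
        "neither":        symlink_policy_check(fido, False, False, lstat, stat_),
        "own_file":       symlink_policy_check(mine, follow, owner, lstat, stat_),
    }

if __name__ == "__main__":
    print("effective Options:", sorted(effective_site_options()))
    for name, (ok, why) in evaluate_fred().items():
        print(f"{name:15} {'allowed' if ok else 'denied '} {why}")
```

Under the quoted per-site block the request for Fred's link to fido is denied (link owned by uid 1001, target by uid 48), while his link to his own index.html is still served; with plain FollowSymLinks the same request is allowed, which is the caper the guide describes. One caveat the Apache documentation itself makes: the ownership test is done with a separate lstat/stat before the file is opened, so a user who can swap the link between the check and the open can race it. Treat SymLinksIfOwnerMatch as a convenience for trusted users, and use filesystem permissions and a wrapper such as CGIWrap as the real boundary.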