
Re: [cobalt-users] remove slash



> Date: Sat, 26 Jan 2002 11:37:30 -0600
> From: William J.A. Brillinger <billy@xxxxxxxxxx>

> correct me if I'm wrong here but no telnet (or shell) access
> means a user cannot create a sym-link right?

That's incorrect.  It's not hard to create a CGI to create the
symlink:

	#!/bin/sh

	cd /my/web/path
	ln -s /path/to/file/i/want i-can-access-this.txt

Execute the CGI via a Web browser.

And, no, restricting the ln command won't help.  One can write a
binary that does the same thing.

You must restrict symlink following for websites.

FWIW, if CGI permissions are incorrect (scripts not wrapped with
suEXEC or similar), all scripts run as the same user... things
are even uglier then.


Eddy

Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
--

Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.

These last few lines are a trap for address-harvesting spambots.  Do NOT
send mail to <blacklist@xxxxxxxxx>, or you are likely to be blocked.
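
An audit for the problem described in the message above, as an added example that is not part of the original post: it lists symlinks under a web root whose resolved target falls outside that root. The function name `audit_symlinks` is hypothetical, and the script assumes a `readlink` that supports `-f`.

```shell
#!/bin/sh
# Added example: report symlinks under a web root that resolve outside it.
# audit_symlinks is a hypothetical helper name, not a tool from the thread.
# Assumes find(1) and a readlink(1) that supports -f.
# Paths containing newlines are not handled.

audit_symlinks() {
    # Canonicalise the web root first so the prefix test below is reliable
    # even when the root itself is reached through a symlink.
    docroot=$(readlink -f "$1") || return 2

    find "$docroot" -type l | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null)
        case "$target" in
            "")
                # Target could not be resolved (missing parent directory, loop).
                printf 'UNRESOLVED\t%s\n' "$link"
                ;;
            "$docroot"|"$docroot"/*)
                # Resolves inside the web root: nothing to report.
                ;;
            *)
                # Resolves elsewhere on the filesystem: the case the
                # message warns about.
                printf 'ESCAPES\t%s -> %s\n' "$link" "$target"
                ;;
        esac
    done
}

# Run as a script: sh audit.sh /path/to/webroot
if [ "$#" -ge 1 ]; then
    audit_symlinks "$1"
fi
```

An audit like this only finds links that already exist; the web server still has to be configured not to follow them, as the message says.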