Re: [cobalt-users] remove slash
- Subject: Re: [cobalt-users] remove slash
- From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
- Date: Tue Jan 29 00:04:02 2002
- Organization: nobaloney.net
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
"E.B. Dreger" wrote:
> Symlinks can also be downright dangerous. I hate to post "how to
> crack in a nutshell" messages, but all of this is easily
> available elsewhere... I guess I'll elaborate:
>
> To use symlinks, FollowSymLinks must be on. If this directive is
> applied to users' directories, they may use symlinks to bypass
> path checking.
Eddy, isn't there a directive for following symlinks only if the owner
is the same?
Wouldn't this eliminate much of the problem?
> The answer is to disallow symlinks or to check the owner of the
> target file. Both are available via Ap config options. If done
> properly (i.e., users cannot create symlinks to arbitrary files),
> you're fine.
I thought so.
> Whether or not everyone sufficiently restricts symlinks is
> another question. Taking the easy way out and enabling symlinks
> sans owner checking for everyone is a disaster waiting to happen.
But isn't this an option I, as the machine admin, control? So
owner-checking is the way to go. Of course I could forget. I could
forget a lot of security issues. It's my job to not forget, right
<smile>?
Jeff
--
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA 92517
voice: (909) 778-9980 * fax: (702) 548-9484
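
Added example, not part of the original message or of any Cobalt tooling: a small Python audit for the "did the admin forget" case raised in the thread. It scans Apache <Directory> blocks for Options lines that turn on FollowSymLinks (or All, which includes it) and for AllowOverride settings that would let a user's .htaccess turn it back on. Assumptions: the sample configuration and its paths are constructed, and only explicit lines inside <Directory> blocks are checked, not inherited defaults.

```python
import re

# Constructed sample configuration (paths are illustrative, not from the thread).
SAMPLE_CONF = """\
<Directory /home/sites/*/users/*/web>
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
<Directory /home/sites/*/web>
    Options Indexes SymLinksIfOwnerMatch
    AllowOverride AuthConfig
</Directory>
<Directory /var/www/shared>
    Options -FollowSymLinks +SymLinksIfOwnerMatch
    AllowOverride Options=Indexes
</Directory>
"""

def _follows(tokens):
    """True if an Options argument list enables symlink following with no owner check."""
    return any(t.lstrip("+").lower() in ("followsymlinks", "all")
               for t in tokens if not t.startswith("-"))

def _override_allows(tokens):
    """True if AllowOverride lets a .htaccess file set Options FollowSymLinks."""
    for t in tokens:
        name, _, allowed = t.lower().partition("=")
        opts = allowed.split(",") if allowed else ["all"]  # bare "Options" permits every option
        if name == "all" or (name == "options" and {"all", "followsymlinks"} & set(opts)):
            return True
    return False

def audit(conf_text):
    """Return (directory, problem) pairs for each risky line in a <Directory> block."""
    findings, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if m:
            current = m.group(1).strip()
        elif line.lower().startswith("</directory"):
            current = None
        elif current and line and not line.startswith("#"):
            directive, *args = line.split()
            if directive.lower() == "options" and _follows(args):
                findings.append((current, "follows symlinks without owner check"))
            elif directive.lower() == "allowoverride" and _override_allows(args):
                findings.append((current, ".htaccess may enable FollowSymLinks"))
    return findings
```

On the constructed sample, only the first block is reported, once for its Options line and once for AllowOverride All.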