Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1995_2

Bugtraq archives for 2nd quarter (Apr-Jun) 1995: Re: HTTPD bug

Re: HTTPD bug

carsonlehman.com
Mon, 17 Apr 1995 13:18:08 -0400

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: David A. Wagner: "Re: passwd hashing algorithm"
Previous message: Baba Z Buehler: "Re: HTTPD bug"
In reply to: Mr Martin J Hargreaves: "Re: HTTPD bug"
Next in thread: Tom Fitzgerald: "Re: HTTPD bug"

>>>>> "Martin" == Martin J Hargreaves <ch11mhsurrey.ac.uk> writes:

Martin> 	I don't think this has been brought up on bugtraq yet, if it
Martin> has sorry. This is from Linux-security, posted by "Mr Pink
Martin> (vincedallas.demon.co.uk) apologies to Mr. Pink for my instant
Martin> repost.

Martin> On Sun, 16 Apr 1995, Mr Pink wrote:

>> It allows you to create a directory in a users home dir that can be
>> accessed via mosaic/netscape.  well the bad bit of news is, if you sym
>> link this dir to root (/), file ownership becomes non existent.
>> 
>> i was easily able to read the shadow passwd file!

The easy fix is to run the daemon as nobody (which is what I do).
chroot'ing will also take care of this sort of problem.

--
Carson Gaspar -- carsoncs.columbia.edu carsonlehman.com
<This is the boring business .sig - no outre sayings here>

Next message: David A. Wagner: "Re: passwd hashing algorithm"
Previous message: Baba Z Buehler: "Re: HTTPD bug"
In reply to: Mr Martin J Hargreaves: "Re: HTTPD bug"
Next in thread: Tom Fitzgerald: "Re: HTTPD bug"