Re: httpd symlinks
Daniel S. Riley (dsr@lns61.tn.cornell.edu)
Mon, 4 Sep 1995 16:21:05 -0400
- Next message: Neil Woods: "Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995"
- Previous message: Seth Robertson: "Portable source code to fix syslog(3) vunerability"
- In reply to: Martin Hargreaves: "httpd symlinks, was Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995"
- Next in thread: Jon Lewis: "Re: httpd symlinks"
>> Try adding this to "access.conf" on apache 0.8.11 or ncsa 1.4 (not sure
>> about how CERN handles this). "SymLinksIfOwnerMatch" is only vaguely
>> documented.
SymLinksIfOwnerMatch, at least in NCSA httpd 1.4 through 1.5b3, is
also broken. Here's the bug report I submitted to the ncsa-httpd
team:
SymLinksIfOwnerMatch can be trivially defeated. The check code
basically does

    lstat(path,&fi);
    [...]
    bsz = readlink(path,realpath,256);
    [...]
    lstat(realpath,&lfi);
    if(fi.st_uid != lfi.st_uid)
        goto gong;

which can be fooled by creating a soft link to a soft link to the
target file. The second lstat should be a stat(), and the whole
thing could be substantially simplified--something like

    lstat(path,&fi);
    if(!(S_ISREG(fi.st_mode))) {
        if(opts[n] & OPT_SYM_OWNER) {
            if (stat(path,&lfi) == -1)
                goto gong;
            if(fi.st_uid != lfi.st_uid)
                goto gong;
        }

should be sufficient (be sure to fix both instances).
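
Added example, not part of the original post and not NCSA httpd code: a self-contained C program that runs both forms of the check over a constructed chain link -> hop -> target and reports which object each one compared the owner against. The function names, the /tmp/symown* directory and the file names are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Check as quoted in the post: the second lstat() describes whatever the
 * first link names, even when that is itself a symlink. */
static int owner_match_lstat(const char *path, struct stat *lfi) {
    struct stat fi;
    char real[256];
    ssize_t n;
    if (lstat(path, &fi) == -1) return -1;
    if ((n = readlink(path, real, sizeof real - 1)) == -1) return -1;
    real[n] = '\0';                       /* readlink() does not terminate */
    if (lstat(real, lfi) == -1) return -1;
    return fi.st_uid == lfi->st_uid;
}

/* Suggested fix: stat() follows the whole chain to the final object. */
static int owner_match_stat(const char *path, struct stat *lfi) {
    struct stat fi;
    if (lstat(path, &fi) == -1 || stat(path, lfi) == -1) return -1;
    return fi.st_uid == lfi->st_uid;
}

/* Builds a constructed chain link -> hop -> target in a fresh temp dir.
 * Returns bit 0 if the quoted check compared against a symlink and bit 1
 * if the stat() version compared against the regular file; -1 on error. */
int demo(void) {
    char dir[] = "/tmp/symownXXXXXX", target[64], hop[64], lnk[64];
    struct stat a, b;
    FILE *f;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(hop, sizeof hop, "%s/hop", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    if (!(f = fopen(target, "w"))) return -1;
    fclose(f);
    if (symlink(target, hop) == -1 || symlink(hop, lnk) == -1) return -1;
    if (owner_match_lstat(lnk, &a) == -1) return -1;
    if (owner_match_stat(lnk, &b) == -1) return -1;
    return (S_ISLNK(a.st_mode) ? 1 : 0) | (S_ISREG(b.st_mode) ? 2 : 0);
}

int main(void) {
    printf("result bits: %d\n", demo());
    return 0;
}
```

The temporary directory is left in place so the chain can be inspected with ls -l afterwards.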