Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure

[Tobias Kreidl <tobias.kreidl () nau edu>]

Agreed.  Many sites limit users to at most SymLinksIfOwnerMatch for that 
very reason, not to mention limits on CGI privileges. AllowSymlinks, 
IMO, ought to be reserved for the sysadmin on the server and used 
sparingly. You can, of course, even require .htaccess configurations to 
be set in the server's configuration files instead of in the user 
account areas (in conjunction with the AllowOverride None setting).

--Tobias

On 8/11/2013 7:52 AM, Michal Zalewski wrote:
> > for doing this features in httpd.conf you can use AllowOverride None instead
> > of AllowOverride all
> AllowSymlinks is a red herring here (hardlinks should do, unless you
> have stuff partitioned in a very thoughtful way, which most don't),
> similarly to suexec.
>
> In general, sharing web hosting providers that allow shell access or
> scripting are pretty much boned in a myriad of ways.
>
> /mz