WebApp Sec mailing list archives
Re: htaccess with apache
From: Tim Greer <chatmaster () charter net>
Date: 05 Nov 2003 10:39:15 -0800
On Wed, 2003-11-05 at 05:22, António Vasconcelos wrote:
> It shouldn't... There is no need for nobody/nobody to read /etc/passwd file.
Sure it should. Well, on a server with multiple users, you don't want to have everyone run as the global web server user anyway (so just denying nobody (How's Apache going to read it when it needs to now, a special group, and then what? A lot of hassles)), or you risk users smashing other users' files that CGI/PHP scripts use/create, etc. You'd want to use a wrapper, in which case, do you want to deny users themselves from being able to read it? I don't see the problem, other than being able to see what other user accounts are on the system. Chrooting Apache would then be best (or in addition to), so you can take advantage of the best of both worlds (not to mention resource limitations for PHP/CGI per user/vhost).

--
Tim Greer <chatmaster () charter net>