WebApp Sec mailing list archives
Re: htaccess with apache
From: António Vasconcelos <vasco () all-2-it com>
Date: Thu, 06 Nov 2003 12:09:43 +0000
Tim Greer wrote:
> On Wed, 2003-11-05 at 05:22, António Vasconcelos wrote:
>> It shouldn't... There is no need for nobody/nobody to read /etc/passwd file.
> Sure it should. Well, on a server with multiple users, you don't want to have everyone run as the global web server user anyway (so just denying nobody (How's Apache going to read it when it needs to now, a special group, and then what? A lot of hassles)), or you risk users smashing other users' files that CGI/PHP scripts use/create, etc.

That's in /etc/groups, not in /etc/passwd (of course, in most Linuxes that would give away the user list), and you can always use group numbers instead of names.
There are a lot of bad programmers around. Worse, there are a lot of programmers around that don't know they are bad programmers; the traditional buffer overflow in malloc() and memcpy() or strcpy() shows just that. Any PHP/Perl programmer in a web environment _should_ know that he must be very careful when accessing any kind of file based on info passed from the net.
Checking, checking and re-checking is a way of doing it. However, there is always someone smarter than you. If you know that, then you can be a good programmer, and know that you cannot rely only on that. So, the right thing to do is make sure that even if you do something wrong in your program, the system setup won't let a really bad thing happen.
> Chrooting Apache would then be best (or in addition to), so you can take advantage of the best of both worlds (not to mention resource limitations for PHP/CGI per user/vhost).

That, of course, is the right thing to do. But you can't forget that any info you give away can (and sometimes will) be used against you. So, giving away your user list is not a good idea.
--
António Vasconcelos (Systems Administrator)
ALL2IT-Infocomunicações, SA
Torre de Monsanto, 6º Piso
Miraflores, Algés
PORTUGAL
Telf.: + 351 21 412 39 50
Fax.: + 351 21 410 51 94

*CONFIDENTIAL*: This e-mail contains proprietary information, some or all of which may be legally privileged. It is for the intended recipients only. According to the law in force, if an addressing or transmission error has misdirected this e-mail, please notify the author by replying to this e-mail and delete it from your system without retaining a copy.
Current thread:
- Re: htaccess with apache, (continued)
- Re: htaccess with apache A.D.Douma (Nov 04)
- Re: htaccess with apache Tim Greer (Nov 04)
- Re: htaccess with apache Sverre H. Huseby (Nov 04)
- Re: htaccess with apache Tim Tompkins (Nov 04)
- Re: htaccess with apache Lucas Holt (Nov 04)
- Re: htaccess with apache A.D.Douma (Nov 05)
- Re: htaccess with apache Graham Lally (Nov 04)
- Re: htaccess with apache Tim Greer (Nov 04)
- Re: htaccess with apache António Vasconcelos (Nov 05)
- Re: htaccess with apache Tim Greer (Nov 05)
- Re: htaccess with apache António Vasconcelos (Nov 06)
- Re: htaccess with apache Tim Greer (Nov 06)
- Re: htaccess with apache António Vasconcelos (Nov 11)
- Re: htaccess with apache Tim Greer (Nov 11)
- Re: htaccess with apache Tim Greer (Nov 11)