Re: some permission problem?

[Jason Burroughs <jdog1016 () hotpop com>]

That's true, but the real issue is not merely the fact that /etc/passwd
can be accessed but the fact that *by default* (assuming apache), httpd
will allow clients to arbitrarily walk through the entire filesystem and
any file that httpd can read from is fair game for a client.

martincad () fibertel com ar wrote:

> I think you don't have to warry if you use Shadow passwords
> Do you use it  ?
>
> ----- Original Message -----
> From: "SB CH" <chulmin2 () hotmail com>
> To: <security-basics () securityfocus com>
> Sent: Tuesday, May 06, 2003 4:29 AM
> Subject: some permission problem?
>
>
>  
>
> > Hello, all.
> >
> > I found that some malicious man browsed /etc/passwd file by httpd.
> > So I would like to block to see /etc/passwd file by nobody(http user)
> > permission.
> > but as you know, any shell logging users should have read permission.
> >
> > So, is there any method to enable this?
> >
> > I think that only one method that all users are some group member except
> > nobody. and only group members can  read the /etc/passwd file, right?
> > but this work is so so hard at my system.
> >
> > Also, I saw that some commercial host baed ips can do this.
> >
> > any patch is available?
> >
> >
> > Thanks in advance and sorry for poor english.
> >    




---------------------------------------------------------------------------
FastTrain has your solution for a great CISSP Boot Camp. The industry's most 
recognized corporate security certification track, provides a comprehensive 
prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case 
studies and true hands-on utilization 
of pertinent security tools. For a limited time you can enter for a chance 
to win one of the latest technological innovations, the SEGWAY HT. 
Log onto http://www.securityfocus.com/FastTrain-security-basics 
----------------------------------------------------------------------------