WebApp Sec mailing list archives

RE: htaccess with apache

From: <MTeixeira () njtransit com>
Date: Wed, 5 Nov 2003 13:36:09 -0500

I agree with Antonio.  Just because the default is to allow it, it doesn't mean it should be left alone.  
Unfortunately, it's the case with many other issues where the default isn't good enough.

P.S.  Viva portugal :)

MIGUEL A. TEIXEIRA
NJ Transit\\\ Corporation Information Services
One Penn Plaza East, Newark, NJ 07105-2246
v: 973.491.8153   f: 973.491.7511
mteixeira () njtransit com
www.njtransit.com


-----Original Message-----
From: António Vasconcelos [mailto:vasco () all-2-it com] 
Sent: Wednesday, November 05, 2003 8:22 AM
To: webappsec () securityfocus com
Subject: Re: htaccess with apache


Tim Greer wrote:

MORE IMPORTANTLY,
/etc/passwd shouldn't be readable by the CGI server!


Sure it should be!  The default permissions (that are safe too) are 644 
for this file.  Are you thinking of shadow or master.passwd???

It shouldn't...
There is no need for nobody/nobody to read /etc/passwd file. Of course 
that the passwords are in /etc/shadow but I see no reason to show 
everyone (or nobody in this case, hehehe) the list of users and it's shells. Yes, the default permssions will allow 
user nobody to do just that, 
that's why there are unix'es were you can setup extended permissions for 
any file.

-- 

António  Vasconcelos
/(Administrador de Sistemas)
ALL2IT-Infocomunicações, SA
Torre de Monsanto, 6º Piso
Miraflores, Algés
PORTUGAL
Telf.: + 351 21 412 39 50
Fax.: + 351 21 410 51 94/

 

*CONFIDENCIAL*: Esta mensagem contém informação confidencial ou material 
privilegiado, e é só intencionada para os seus destinatários. De acordo 
com a lei em vigor, se um erro originou que tenha recebido esta mensagem 
por engano pedimos que, de imediato, notifique o remetente e a apague do 
seu sistema sem a reproduzir.
        *CONFIDENTIAL*: This e-mail contains proprietary information, some or 
all of which may be legally privileged. It is for the intended 
recipients only. According to the law in force, if an addressing or 
transmission error has misdirected this e-mail, please notify the author 
by replying to this e-mail and delete it from your system without 
retaining a copy.




...................................................................................
Scanned OK by ALL-2-IT Anti-Virus Gateway

Current thread:

Re: htaccess with apache, (continued)
- - - Re: htaccess with apache António Vasconcelos (Nov 11)
    - Re: htaccess with apache Tim Greer (Nov 11)
    - Re: htaccess with apache Tim Greer (Nov 11)
- Re: htaccess with apache Vladimir Danilyuk (Nov 04)
- Re: htaccess with apache Tim Greer (Nov 04)
- Re: htaccess with apache Peter Conrad (Nov 04)
- Re: htaccess with apache Lucas Holt (Nov 04)
- Re: htaccess with apache Cameron Green (Nov 04)
- RE: htaccess with apache Anonymous Sender (Nov 04)
- RE: htaccess with apache Maxim Kostioukov (Nov 04)
- RE: htaccess with apache MTeixeira (Nov 05)
  - RE: htaccess with apache Tim Greer (Nov 05)
  - RE: htaccess with apache Dinis Cruz (Nov 11)
    - RE: htaccess with apache Tim Greer (Nov 11)