WebApp Sec mailing list archives

Re: htaccess with apache


From: Tim Greer <chatmaster () charter net>
Date: 06 Nov 2003 08:33:03 -0800

On Thu, 2003-11-06 at 04:09, António Vasconcelos wrote:
Tim Greer wrote:
 

That's in /etc/groups, not in /etc/passwd

If you use a CGI wrapper, barring any chrooting, it will need to read
the user's uid from the passwd file. 


There are a lot of bad programmers around.

Yes.

Worse, there are a lot of programmers around that don't know they are 
bad programmers,

Yes.

 the traditional buffer overflow in malloc() and 
memcpy() or strcpy() shows just that.

How is this relevant to the permissions on passwd?

Any php/perl programmer in a web environment _should_ know that he must 
be very careful when accessing any kind of file based on info passed 
from the net.

They should be careful to control what files can be opened, in what
location/path.  The passwd file is just a yellow pages type file, unless
you have a bad setup or have the encrypted passwords in that file.

Checking, checking and re-checking, it's a way of doing it. However 
there is always someone smarter than you. If you know that then you can 
be a good programmer, and know that you cannot only rely on that. So, 
the right thing to do is make sure that even if you do something wrong 
in your program, the system setup won't let a really bad thing happen.

Obviously, now what does that have to do with what we're talking about
now!?


That, of course, is the right thing to do.
But you can't forget that any info you give away can (and sometimes 
will) be used against you. So, giving away your user list is not a good 
idea.

You're making too big of a deal out of this and this is going off track
into irrelevant things--we've already discussed and are aware of bad
programmers.  If you have to worry that someone can see the list of
users (and that's all it will give them) from the passwd file and think
that makes any real difference in the security of your system, then you
probably have bigger problems.  Of course, as I said myself, anything
you can deny, it won't hurt, but this is trivial and you can chroot the
service anyway so it doesn't use that same file--but it's going to use
it _somewhere_ or you can't run a CGI wrapper properly to check
ownerships so the wrapper does its job properly and securely.

So either you better have each user jailed in every way to only have
their own passwd file with their own instance of the web server and
assume that's going to solve the problem and waste all those resources
too, or you can just look at it for what it is, trivial and harmless
(unless your server isn't set up well), and save the resources since
your server is secured properly.  Oh well, to each their own, but I have
to wonder when people make a big deal about something that's not.
-- 
Tim Greer <chatmaster () charter net>
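Added example, not code from either poster: the check Tim describes (controlling which files a web script will open, and from which location) written as a small Python helper. It assumes a served directory `base_dir` and a file name `requested` taken from the network request; the directory tree, its files and the escaping symlink are constructed inside the example.

```python
import os
import tempfile


def resolve_in_base(base_dir, requested):
    """Return the real path of `requested` only if it stays inside base_dir.

    Relative traversal (../), absolute paths, NUL bytes and symlinks that
    point out of the served tree all come back as None.
    """
    base = os.path.realpath(base_dir)
    if os.path.isabs(requested) or "\0" in requested:
        return None
    # realpath() follows symlinks, so an in-tree link to /etc is caught too
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def read_public_file(base_dir, requested):
    """Read a file the way a CGI/PHP script should: only from the served tree."""
    path = resolve_in_base(base_dir, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def build_demo_tree():
    """Constructed sample tree: one public file plus a symlink escaping the tree."""
    root = tempfile.mkdtemp(prefix="webapp-demo-")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    with open(os.path.join(docs, "readme.txt"), "w", encoding="utf-8") as fh:
        fh.write("public document\n")
    # link to the parent of the served tree, i.e. outside of it
    os.symlink(os.path.dirname(root), os.path.join(docs, "escape"))
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for name in ("docs/readme.txt", "../../etc/passwd", "docs/escape/x", "/etc/passwd"):
        print(repr(name), "->", "served" if read_public_file(root, name) else "refused")
```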

