WebApp Sec mailing list archives
Re: htaccess with apache
From: Tim Greer <chatmaster () charter net>
Date: 06 Nov 2003 08:33:03 -0800
On Thu, 2003-11-06 at 04:09, António Vasconcelos wrote:

> Tim Greer wrote: That's in /etc/groups, not in /etc/passwd

If you use a CGI wrapper, barring any chrooting, it will need to read the user's uid from the passwd file.

> There are a lot of bad programmers around.

Yes.

> Worse, there are a lot of programmers around that don't know they are bad programmers,

Yes.

> the traditional buffer overflow in malloc() and memcpy() or strcpy() shows just that.

How is this relevant to the permissions on passwd?

> Any php/perl programmer in a web environment _should_ know that he must be very careful when accessing any kind of file based on info passed from the net.

They should be careful to control what files can be opened, in what location/path. The passwd file is just a yellow pages type file, unless you have a bad set up or have the encrypted passwords in that file.

> Checking, checking and re-checking, it's a way of doing it. However there is always someone smarter than you. If you know that then you can be a good programmer, and know that you cannot only rely on that. So, the right thing to do is make sure that even if you do something wrong in your program, the system setup won't let a really bad thing happen.

Obviously, now what does that have to do with what we're talking about now!?

> That, of course, is the right thing to do. But you can't forget that any info you give away can (and sometimes will) be used against you. So, giving away your user list is not a good idea.

You're making too big of a deal out of this and this is going off track into irrelevant things--we've already discussed and are aware of bad programmers. If you have to worry that someone can see the list of users (and that's all it will give them) from the passwd file and think that makes any real difference in the security of your system, then you probably have bigger problems. Of course, as I said myself, anything you can deny, it won't hurt, but this is trivial and you can chroot the service anyway so it doesn't use that same file--but it's going to use it _somewhere_ or you can't run a CGI wrapper properly to check ownerships so the wrapper does its job properly and securely. So either you better have each user jailed in every way to only have their own passwd file with their own instance of the web server and assume that's going to solve the problem and waste all those resources too, or you can just look at it for what it is, trivial and harmless (unless your server isn't set up well), and save the resources since your server is secured properly. Oh well, to each their own, but I have to wonder when people make a big deal about something that's not.

--
Tim Greer <chatmaster () charter net>
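The ownership check a CGI wrapper depends on the passwd file for, as an added example that is not part of the original message and not any real wrapper's code. The passwd-format text is a constructed sample, and `parse_passwd`, `may_run_as` and the `min_uid` threshold are hypothetical names chosen for illustration.

```python
import os
import stat

# Constructed sample in passwd(5) format: name:password:uid:gid:gecos:home:shell.
# An "x" in the password field means the hash is kept elsewhere (shadow file),
# so the file only maps names to uids, gids, home directories and shells.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh
"""

def parse_passwd(text):
    """Map user name -> (uid, gid, home), skipping blank or malformed lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            continue
        users[fields[0]] = (int(fields[2]), int(fields[3]), fields[5])
    return users

def may_run_as(users, username, script_path, min_uid=100):
    """Return (ok, reason): may script_path be executed under username's uid?"""
    if username not in users:
        return False, "unknown user"
    uid, _gid, _home = users[username]
    if uid < min_uid:  # hypothetical floor that keeps system accounts out
        return False, "system account"
    try:
        st = os.lstat(script_path)  # lstat: a symlink must not pass as its target
    except OSError:
        return False, "cannot stat script"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid != uid:
        return False, "script not owned by target user"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "script writable by group or others"
    return True, "ok"
```

Without the name-to-uid mapping the wrapper has nothing to compare `st_uid` against, which is why the file must be readable somewhere, inside a chroot or not.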