[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: List of bugs that *must* be fixed before releasing Slink

On Sun, Jan 31, 1999 at 02:20:00PM -0500, Brian White wrote:
> > Previously Brian White wrote:
> > > apache            32204  user directories allow symlinks to other files [0]  (Johnie Ingram <johnie@debian.org>)
> >
> > We should just force SymLinksIfOwnerMatch for /home to solve this.
> You know, I don't see this as "grave".  It means that a user can
> effectively "export to the world" any file readable by www-data.  In
> general, this means only things that can be read by public.  So,
> the user can't intentionally export anything that he/she couldn't already
> do by other means.
> The problem comes with unintentional exports...  Well, it's a bug.  I
> don't see it as being a security hole.  Thoughts?

Did you ever think that exporting vital databases that are under cgi
control would be a serious security bug? And what about apache using
the mod_roaming module, which saves netscape preferences, _security_
certificates, bookmarks, and preferences.

This doesn't even count directories protected by .htpasswd auth whose
files can easily be compromised, and even the .htpasswd file itself can
be exported by linking it as a .html file, exposing all the excrypted
password information, which may be the same passwords as the system.

This is a serious security hole, we need to close before release.

-----    -- - -------- --------- ----  -------  -----  - - ---   --------
Ben Collins <b.m.collins@larc.nasa.gov>                  Debian GNU/Linux
UnixGroup Admin - Jordan Systems Inc.                 bcollins@debian.org
------ -- ----- - - -------   ------- -- The Choice of the GNU Generation

To UNSUBSCRIBE, email to debian-testing-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: