Re: SECURITY LEAK in ncsa httpd - PLEASE READ THE DOCUMENTATION

robm@ncsa.uiuc.edu (Rob McCool)
Errors-To: secret@www0.cern.ch
Date: Tue, 8 Feb 1994 17:50:54 --100
Message-id: <9402081647.AA18047@void.ncsa.uiuc.edu>
Reply-To: www-talk@www0.cern.ch
Originator: www-talk@info.cern.ch
Sender: www-talk@www0.cern.ch
Precedence: bulk
From: robm@ncsa.uiuc.edu (Rob McCool)
To: Multiple recipients of list <www-talk@www0.cern.ch>
Subject: Re: SECURITY LEAK in ncsa httpd - PLEASE READ THE DOCUMENTATION
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
Content-Length: 1693
/*
 * SECURITY LEAK in ncsa httpd - PLEASE READ!!!!  by Markus Stumpf
 *    written on Feb  8,  4:52pm.
 *
 * We run httpd from inetd and I always thought (but never checked)
 * that User and Group (from the conf or httpd.h files) applies
 * in that case, too.
 * This is NOT true! (and should be stated clearly in the conf files
 * IMHO).

The first line of the documentation for User and Group says they only apply
to standalone mode. In addition, httpd.conf-dist says ``If you are running
from inetd, go to ServerAdmin'' which skips over User and Group.

 * You could now argue to use the "user" entry in the inetd.conf file,
 * BUT:
 * -  I can't set the gid there
 * -  some older systems don't support this (yet)
 * 
 * Rob, could you please add the code from the standalone section to
 * the inetd section?!

I'll consider it. You should consider running standalone.

 * This all doesn't solve a more serious problem with the <INC>
 * instruction!
 * Having user-directories configured, any user is able to execute ANY
 * command out of this document, and this command is run under
 * server privileges.
 * This should IMHO be changed to only allow starting of programs
 * out of .../cgi-bin/ for example.
 */

PLEASE READ THE DOCUMENTATION.

The Options directive in access.conf can be used to stop this. If you've
done your homework and you know that Directory applies to physical
directories instead of logical directories, you can use:

<Directory />
AllowOverride None
Options Indexes FollowSymLinks
</Directory>

Similarly, if all of your users' directories come out of one or two
directories (like /user1 or /home), you can change the / in Directory / to
that directory.

--Rob
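
The following is an added example, not part of Rob's message or of NCSA httpd: a small Python check that reads an access.conf and reports Directory blocks whose explicit directives would leave includes available to documents under them. The option names Includes and All, and the AllowOverride values Options and All, are assumptions taken from NCSA-style configuration syntax (the message does not name them); the sample file is constructed, and inherited or default settings are not modelled.

```python
import re

# Constructed sample access.conf (not from the original message).
SAMPLE_CONF = """\
<Directory />
AllowOverride None
Options Indexes FollowSymLinks
</Directory>
<Directory /home>
AllowOverride Options
Options Indexes
</Directory>
<Directory /user1>
AllowOverride None
Options Indexes Includes
</Directory>
"""

# Assumed names: Includes/All turn on server-side includes;
# AllowOverride Options/All lets a per-directory access file change Options.
RISKY_OPTIONS = {"includes", "all"}
RISKY_OVERRIDE = {"options", "all"}

def audit(conf_text):
    """Return (directory, problem) pairs for explicit directives in each block."""
    findings = []
    current = None  # physical directory of the block being read, if any
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        opened = re.match(r"<Directory\s+(.+?)>$", line, re.IGNORECASE)
        if opened:
            current = opened.group(1)
        elif re.match(r"</Directory>$", line, re.IGNORECASE):
            current = None
        elif current is not None:
            name, *values = line.split()
            values = {v.lower() for v in values}
            if name.lower() == "options" and values & RISKY_OPTIONS:
                findings.append((current, "Options enables includes"))
            if name.lower() == "allowoverride" and values & RISKY_OVERRIDE:
                findings.append((current, "AllowOverride lets users reset Options"))
    return findings

if __name__ == "__main__":
    for directory, problem in audit(SAMPLE_CONF):
        print(f"{directory}: {problem}")
```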