Re: apache + .htpasswd - bypass pwd check
From: Sten (sten@blinkenlights.nl)
Date: 04/27/02
- In reply to: Jedi/Sector One: "Re: apache + .htpasswd - bypass pwd check"
Date: Sat, 27 Apr 2002 19:22:36 +0200 (CEST)
From: Sten <sten@blinkenlights.nl>
To: Jedi/Sector One <j@pureftpd.org>
On Fri, 26 Apr 2002, Jedi/Sector One wrote:
> On Fri, Apr 26, 2002 at 02:07:05PM -0700, RSnake wrote:
> > cd ~john
> > I don't have to know where it is.
>
> Unless your users have shell access, there's no reason to have anything
> but a 'nobody' account in your /etc/passwd & co files.
>
> If you need entries for suexec to work, have fake ones, with no password,
> no shell and /dev/null as a home directory. The only thing Apache+suexec
> needs is to map uids to some user name.
>
or use this patch:
www.localhost.nl/patches/apache-nouidresolving
which enables 'User "#1000"' in the httpd.conf,
always nicer to have uids only where you want them.
You do need a separate ftp/shell box for ppl to upload
though (or uid tricks for those), but shouldn't be
a problem for mass vhosting providers.
--
Sten Spans
"What does one do with ones money, when there is no more empty rackspace ?"
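
The account layout suggested in the quoted message (no password, no shell, /dev/null as home), turned into a check over passwd-format lines. This is an added example, not part of the original thread or of any patch mentioned in it. The function name, the uid range 1000-59999 and the sample entries are assumptions constructed for illustration.

```python
"""Audit passwd-format lines for accounts that exist only to map a uid to a name."""

# Shells that do not give an interactive session (assumed list; adjust per system).
NON_LOGIN_SHELLS = {"/bin/false", "/usr/bin/false", "/sbin/nologin",
                    "/usr/sbin/nologin", "/dev/null"}

def audit_mapping_accounts(passwd_text, min_uid=1000, max_uid=60000):
    """Return {name: [problems]} for entries in the assumed vhost uid range."""
    findings = {}
    for raw in passwd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings[line] = ["malformed entry (expected 7 fields)"]
            continue
        name, pw, uid, _gid, _gecos, home, shell = fields
        if not uid.isdigit() or not (min_uid <= int(uid) < max_uid):
            continue  # system accounts and 'nobody' are out of scope here
        problems = []
        if pw == "":
            problems.append("empty password field: login without a password")
        elif pw == "x":
            problems.append("password is in the shadow file: confirm it is locked")
        elif not pw.startswith(("*", "!")):
            problems.append("password hash present in passwd")
        if shell == "":
            # An empty shell field is not "no shell": it defaults to /bin/sh.
            problems.append("empty shell field defaults to /bin/sh")
        elif shell not in NON_LOGIN_SHELLS:
            problems.append(f"login shell {shell}")
        if home != "/dev/null":
            problems.append(f"real home directory {home}")
        if problems:
            findings[name] = problems
    return findings

# Constructed sample entries, not taken from any real system.
SAMPLE = """\
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
vhost1:*:1000:1000::/dev/null:/bin/false
vhost2:*:1001:1001::/dev/null:
john::1002:1002:John:/home/john:/bin/bash
"""

if __name__ == "__main__":
    for account, problems in audit_mapping_accounts(SAMPLE).items():
        print(account, "->", "; ".join(problems))
```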