Re: User directory security
From: *** T. Winter (***.Winter_at_cwi.nl)
Date: 06/11/04
- Next message: Alan Balmer: "Re: SSRT3606 rev.2 wu-ftpd off by one vulnerability"
- Previous message: david20_at_alpha2.mdx.ac.uk: "Re: account lock on failed login"
- In reply to: JK: "User directory security"
- Next in thread: Stachu 'Dozzie' K.: "Re: User directory security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 11 Jun 2004 12:29:22 GMT
In article <1086938885.743723@bernard> "JK" <jk6ft2-forum@yahoo.com> writes:
> There is a security issue between Unix system and Apache web server.
Not inherently, only in the way you set it up.
> We have many users in our Unix system, i.e. user1, user2 with home directory
> /home/user1, /home/user2.
> An apache server (running as 'nobody') provides user directories, i.e.
> http://mydomain.com/~user1 and http://mydomain.com/~user2
This is asking for problems, as you note. Apparently 'nobody' has
permissions 'user2' does not have. In that case it is a bad idea
to let 'nobody' execute scripts and/or programs owned (and written)
by 'user2', because that way 'user2' can get the same permissions
as 'nobody' has (provided he can force 'nobody' to execute the
script/program).
Scripts and programs owned by 'user2' should be executed under the
user-id 'user2', not something else, in that case.
-- *** t. winter, cwi, kruislaan 413, 1098 sj amsterdam, nederland, +31205924131 home: bovenover 215, 1025 jn amsterdam, nederland; http://www.cwi.nl/~***/
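An added example, not part of the original post: a small audit for the setup discussed above, listing executable files in user web directories that the server would run under its own uid rather than the owner's. The function name `audit_userdirs` and the `public_html` directory name are assumptions, as is treating the executable bit as a proxy for "the server will execute this" with no per-user wrapper in place.

```python
import os
import stat
from pathlib import Path

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
LOOSE_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_userdirs(home_root, server_uid, userdir="public_html"):
    """Return (path, owner_uid, problem) tuples for executables under
    <home_root>/<user>/<userdir>. Hypothetical helper for illustration."""
    findings = []
    for home in sorted(Path(home_root).iterdir()):
        webroot = home / userdir
        if not webroot.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(webroot):
            for name in sorted(files):
                path = Path(dirpath) / name
                st = path.lstat()  # do not follow symlinks out of the tree
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & EXEC_BITS:
                    continue
                # Owner differs from the server uid: the owner's code would
                # execute with the server account's permissions.
                if st.st_uid != server_uid:
                    findings.append((str(path), st.st_uid,
                                     "runs as server uid, not owner"))
                # Writable by others: someone other than the owner decides
                # what gets executed.
                if st.st_mode & LOOSE_WRITE:
                    findings.append((str(path), st.st_uid,
                                     "writable by group or others"))
    return findings


if __name__ == "__main__":
    import pwd
    # '/home' and 'nobody' follow the layout described in the thread.
    for finding in audit_userdirs("/home", pwd.getpwnam("nobody").pw_uid):
        print(*finding, sep="\t")
```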