Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > vuln-dev > 03 > 020213.html (Request Expert securityfocus.com Support)

Re: Apache 2.x leaked descriptors

From: David M. Wilson <dw-securityfocus.com(at)botanicus.net>
Date: Sun Feb 23 2003 - 19:46:56 EST

On Sat, Feb 22, 2003 at 02:46:59PM -0800, jon schatz wrote:

> you can do more than that. unless the web server uses suexec, all the

> at least w to all log files for all vhosts (probably r+w)

Installations like this are few and far between, it is the equivilant of chmod 777 /etc/passwd. Apache opens log files while still root, so write permission granted to the lower-permission Apache user should rarely happen in a properly administered environment.

> at least r on all webhosting directories

In a properly administered environment (where directory indexes are not enabled) you will at best have execute premissions, leaving you the option of brute-forcing the names of files in webroots.

This is true since if indexing is disabled (mod_autoindex is disabled or not compiled in, and no DirectoryIndex entry which points to an indexing script is specified), Apache never attempts to read a directory, it only needs to stat() and open() inside it to serve GET/HEAD/POST requests.

Do you need help?X

> at least r+x on all cgi-bin directories

Ideal permissions on CGI directories do not differ to the permissions on other content directories. I think you may be confused as to what execute permission actually means:

Execute permission on a directory does not mean that its content is executable, but that a process may chdir() into that directory and access files by name inside that directory. Read permission on a directory means a process may list its contents via readdir(), or getdents(), etc.

David. Received on Mon Feb 24 16:23:46 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:38 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library