On Monday 22 April 2002 11:18 am, Jeff Lasman wrote:
> Easy way, as I mentioned in an earlier reply, install a root-owned
> .htaccess file in the /web folder. Then your site-admin won't be able
> to upload one.

Jeff,

This is partially true. The "owner" of the directory space can "remove" (and henceforth replace) any file that is "within" their directory space. So putting the .htaccess under the /web owned by the "admin" for example "site20" means that the admin for site20 can remove that file and then replace it with their own. Admittedly more difficult, but possible.

The only way to stop this is to use chattr and change the attributes for the file to non-deletable (which means even root cannot delete it without changing the secondary attributes first).

Larry Smith
SysAd ECSIS.NET
[EMAIL PROTECTED]
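An audit sketch for the situation described in this message, added here as an example and not part of the original post: it reports whether a root-owned `.htaccess` can still be removed and replaced through directory permissions, or is pinned with the immutable attribute. The function names are hypothetical, it assumes GNU `stat` and `lsattr` from e2fsprogs, and it goes slightly beyond the message by also checking group/other write access on the directory.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# classify DIR_UID DIR_MODE FILE_UID LSATTR_FLAGS
#   DIR_MODE is octal as printed by `stat -c %a` (e.g. 755 or 1777).
#   Pure decision logic, so it can be checked with constructed values.
classify() {
    # Immutable attribute: unlink, rename and write fail until `chattr -i`.
    case "$4" in *i*) echo "immutable"; return 0 ;; esac
    # A file owned by a non-root user can simply be edited by that user.
    if [ "$3" != "0" ]; then echo "not-root-owned"; return 0; fi
    # Removing a directory entry is governed by the directory, not the file.
    # A non-root directory owner can always regain write access with chmod,
    # then unlink the root-owned file and create a replacement.
    if [ "$1" != "0" ]; then echo "replaceable-by-dir-owner"; return 0; fi
    # Root-owned directory: group/other write without the sticky bit still
    # lets those users unlink entries they do not own.
    if [ $(( 0$2 & 0022 )) -ne 0 ] && [ $(( 0$2 & 01000 )) -eq 0 ]; then
        echo "replaceable-by-group-or-other"
    else
        echo "protected-by-directory"
    fi
}

# audit_htaccess DIR: collect the real values for DIR/.htaccess.
audit_htaccess() {
    _f="$1/.htaccess"
    if [ ! -e "$_f" ]; then echo "missing"; return 0; fi
    # lsattr may be absent or unsupported on this filesystem: treat as no flags.
    _flags=$(lsattr -d -- "$_f" 2>/dev/null | awk '{print $1}') || _flags=""
    classify "$(stat -c %u -- "$1")" "$(stat -c %a -- "$1")" \
             "$(stat -c %u -- "$_f")" "$_flags"
}

# Stand-alone use: ./audit.sh /path/to/site/web
if [ $# -gt 0 ]; then
    audit_htaccess "$1"
fi
```

Anything other than `immutable` or `protected-by-directory` means the file can be swapped out without root.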
