Alexander Skwar wrote on Mon, Jun 24, 2002 at 01:45:02AM +0200 :
>
> It has DENY from all because of the Directory / entry. Isn't this a
> little bit too restrictive?

It's a security setting. You close everything, then only open up the directories that you want to allow access to. This is due to some uproar that happened in BugTraq a while back. BugTraq is pretty good about emphasizing little things like this.

The next time a path exploit comes out for apache, the theory is that even if it lets you cd out of the jail, then the permissions enforced won't let you see the contents of (say for example) ../../../../etc/password or similar. (My own personal opinion is that if something can get malformed enough to let it cd out of the jail, then what are the chances that permissions enforcement will be functional?) JM should be able to find the errors in my logic.

Is it relevant now? No, there are no known exploits other than the chunking deal right now. Other than that, it's just one more small part of the overall armor.

<note>
This is also the way that a firewall is done (close everything, then open holes to allow access)
</note>

Blue skies... Todd
--
Todd Lyons -- MandrakeSoft, Inc. http://www.mandrakesoft.com/
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things. -- Doug Gwyn
Cooker Version mandrake-release-8.3-0.2mdk Kernel 2.4.18-20mdk
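The close-everything-then-open layout discussed in the message above, written out as an httpd.conf fragment. This is an added example, not part of the original mail or of Mandrake's shipped configuration; the document root `/var/www/html` is an assumed path.

```apache
# Added example; /var/www/html is an assumed document root.
# Syntax is the Order/Deny/Allow form (mod_access) of Apache 1.3/2.0.

# Step 1: close everything. <Directory /> matches the filesystem root and
# every path beneath it, so any request that maps to a file outside an
# explicitly opened tree is refused with 403.
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# Step 2: open only the tree that is meant to be served. The more specific
# <Directory> section is merged after the root one and overrides it.
<Directory "/var/www/html">
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# Apache 2.4 (mod_authz_core) spells the same policy as:
#   <Directory />              Require all denied
#   <Directory "/var/www/html"> Require all granted
```

The `<Directory />` block is applied to the filesystem path a request resolves to, so it is checked after URL-to-file mapping rather than against the URL itself.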
