On Sunday 05 October 2008 05:37:17 pm Dusty Wilson wrote: > >From what I understand, /etc/passwd has to be world readable. If I'm > > wrong, correct me please. If it's world readable, anyone can read it > unless you use a chroot or use OS containers like OpenVZ (they'd still > see the file, but it just wouldn't be the whole server's file). > > Dusty > > On Sun, Oct 5, 2008 at 1:27 PM, Rico Secada <[EMAIL PROTECTED]> wrote: > > Hi. > > > > I have a webserver running with a couple of users as virtual hosts in > > Apache. > > > > I read this article from IBM > > http://www.ibm.com/developerworks/opensource/library/os-php-secure-apps/i > >ndex.html (look for "Guard your filesystem") and testet the PHP script on > > an Etch installation, and the script serves files such as /etc/passwd and > > others. > > > > What is the best and correct way to protect the server from users who > > might upload such a script on their web directory? > > > > I don't want to run Apache in a chroot. > > > > Best regards. > > > > Rico > > > > > > -- > > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > > with a subject of "unsubscribe". Trouble? Contact > > [EMAIL PROTECTED]
Correct me if I've missed something, but isn't the /etc/passwd *supposed* to be world-readable, for example to translate UIDs to user names using the ls command? The /etc/shadow file should *not* be world-readable, but when you use the shadow file, you don't have passwords in /etc/passwd, so it's being world-readable doesn't affect security, unless by some weird mechanism usernames are insecure... unless you run PHP as root, you would have to find a privilege escalation bug in PHP itself to have this particular security implication. That's not to say there aren't other security implications, or that PHP doesn't have such a bug. Lacking much experience with PHP, i'm in no position to say either way on that one. -- Sincerely, Jack Mudge [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
