Patrick Hsieh said:
> Hello list,
>
> Now that apache has FollowSymLinks and SymLinksIfOwnerMatch options,
> there's still some security issue. For example, someone cp /etc/passwd to
> his home directory (/home/foo/passwd), create a symbolic link from
> /home/foo/passwd to /var/www/hidden_dir/passwd. Since the owner matches,
> it will still lead to exposure of passwd file. Is there any way to avoid
> this? I'd like to restrict the symbolic link from linking across the
> DocumentRoot, idea?
If you're trying to protect the passwd file, good luck! Someone could just as easily cat the file into another html file, or copy and rename it in their public_html directory.

If you want to "obscure" your user accounts I recommend using a distributed login system such as LDAP, NIS, NIS+ and put all non-system accounts in the database (there's no harm in a remote user seeing what system accounts you have I think since they are default to the system, they could install a copy of debian and see what the accounts were if they wanted). That way /etc/passwd has no real useful information.

I do this with LDAP, it works well, I wrote up a large "HOWTO" on the subject: http://howto.linuxpowered.net/ldap/ldap.html

IMO ldap is more secure than NIS/NIS+ because it does not depend upon RPC services (which historically have many security problems).

nate
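The point in Patrick's question is that SymLinksIfOwnerMatch only compares the owner of the link with the owner of its target; it says nothing about whether the target lies inside the DocumentRoot. The following is an added audit script, not code from the thread or from Apache, that walks a DocumentRoot, mimics the owner check, and separately flags links whose resolved target escapes the DocumentRoot. The directory layout it builds (a `www` tree and a `home/foo/passwd` copy) is constructed for the demonstration.

```python
import os
import tempfile


def audit_symlinks(docroot):
    """Return (link, resolved_target, owner_matches, escapes) for every symlink
    below docroot. owner_matches reproduces what SymLinksIfOwnerMatch checks;
    escapes is True when the resolved target is outside the real DocumentRoot,
    which the owner check alone does not prevent."""
    root = os.path.realpath(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow links
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            try:
                owner_matches = os.lstat(path).st_uid == os.stat(path).st_uid
            except FileNotFoundError:
                owner_matches = False  # dangling link: Apache would refuse it
            escapes = os.path.commonpath([root, target]) != root
            findings.append((path, target, owner_matches, escapes))
    return findings


def escaping_links(docroot):
    """Relative paths of links that leave the DocumentRoot, sorted."""
    root = os.path.realpath(docroot)
    return sorted(os.path.relpath(link, root)
                  for link, _, _, escapes in audit_symlinks(docroot) if escapes)


def build_demo():
    """Constructed layout (assumption, not from the thread): one in-tree link
    and one link from hidden_dir to a copy of passwd in a user's home."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "www")
    os.makedirs(os.path.join(docroot, "hidden_dir"))
    with open(os.path.join(docroot, "index.html"), "w") as f:
        f.write("<html></html>\n")
    home = os.path.join(base, "home", "foo")
    os.makedirs(home)
    with open(os.path.join(home, "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed sample line
    os.symlink(os.path.join(docroot, "index.html"),
               os.path.join(docroot, "hidden_dir", "index.html"))
    os.symlink(os.path.join(home, "passwd"),
               os.path.join(docroot, "hidden_dir", "passwd"))
    return docroot


if __name__ == "__main__":
    for link, target, owner_ok, escapes in audit_symlinks(build_demo()):
        print(f"{link} -> {target} owner_matches={owner_ok} escapes={escapes}")
```

Both links pass the owner test because the same user created link and target, yet only `hidden_dir/passwd` is reported as escaping the DocumentRoot.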