From: "Rodent of Unusual Size" <[EMAIL PROTECTED]>
Sent: Sunday, September 09, 2001 8:00 AM


> * On 2001-09-09 at 08:44,
>   William A. Rowe, Jr. <[EMAIL PROTECTED]> excited the electrons to say:
> > 
> > A vhost user creates an .htpasswd file containing;
> > me:K<*@MFHE948!
> > root:K<*@MFHE948!
> > admin:K<*@MFHE948!
> > 
> > Now that user can 'pretend' to be root, accessing root's files (provided they
> > were not secured) in spite of the fact that another vhost user believed that
> > file was protected by 'their' .htpasswd file (with the same user list, and
> > different vhosts.)
> 
> I am not getting this, Bill.  If the vhost user is able to control
> the vhost configuration, you cannot block him out anyway; he can
> always supply a different Require directive to let him do what he
> wants.  Unless you are suggesting that the Require is in the
> .htaccess file, and everything else is in httpd.conf, and the
> intruder can modify the latter but not the former..
> 
> I just do not see this scenario as being any less secure than
> 'require valid-user'.

It is as secure as any other _Apache_ authn/authz configuration, I suppose.  
It needs to be clear that it is _not_ as secure as os kernel authn/authz.  

This is pretty obvious to us, but might not be so obvious to some admins.
Because we are tying the 'user' or 'group' to an os placeholder, they need 
to know it's only as strong as the _Apache_ configuration allows, and that 
this isn't a kernel authn/authz.  Unlike suexec, which compares os kernel
identifiers between the symlink and its target, we are comparing an Apache
admin's identifier to an os kernel identifier.  Does that make sense?
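
The case discussed in this thread, as an added example that is not part of the original messages: a small audit that flags password-file entries whose names match an OS account other than the file's owner. The vhost names, owners, OS account list and function names are constructed for illustration; only the first password file's contents come from the thread.

```python
# Added illustration. Function names and sample data are hypothetical,
# not Apache code or configuration.

def parse_htpasswd(text):
    """Return {user: hash} from htpasswd-style 'user:hash' lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, pw_hash = line.split(":", 1)  # only the first ':' separates
        users[user] = pw_hash
    return users

def self_asserted_identities(htpasswd_text, file_owner, os_accounts):
    """Names that match an OS account other than the password file's owner.

    The file's owner chose those passwords, so a check that compares the
    web-authenticated name to an OS owner would accept them as that account.
    """
    users = parse_htpasswd(htpasswd_text)
    return sorted(u for u in users if u in os_accounts and u != file_owner)

def audit(vhosts, os_accounts):
    """vhosts: iterable of (vhost, password_file_owner, htpasswd_text).
    Returns {vhost: [flagged names]} for vhosts with at least one finding."""
    findings = {}
    for name, owner, text in vhosts:
        flagged = self_asserted_identities(text, owner, os_accounts)
        if flagged:
            findings[name] = flagged
    return findings

# File contents as given in the thread; everything else is constructed.
THREAD_FILE = "me:K<*@MFHE948!\nroot:K<*@MFHE948!\nadmin:K<*@MFHE948!\n"
OS_ACCOUNTS = {"root", "me", "other"}
VHOSTS = [
    ("vhost-a.example", "me", THREAD_FILE),
    ("vhost-b.example", "other", "other:constructed-hash\n"),
]

if __name__ == "__main__":
    for vhost, names in audit(VHOSTS, OS_ACCOUNTS).items():
        print(f"{vhost}: password file asserts other OS accounts: {names}")
```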
