> I probably have my apache server set up somewhat incorrectly for
> one of my oldest websites.  I run a lot of wikis on many websites,
> and the wikis permit apache cgi clients to rewrite apache owned
> wiki content under some circumstances.
>
> What is scary is that a couple of my static html files, allegedly
> unrelated to the wiki, were also rewritten by spammers, no doubt
> via some of the older wikis (using Kwiki, rather than the newer
> and more secure MoinMoin).  Those static files were incorrectly
> owned by apache, but still ...
>
> I just set all the static files to ownership root.  I will learn
> more about tightening down the restrictions for Kwiki write access
> ( and eventually migrate all the content to Moin ).
>
> But in the interim (without sharing my httpd.conf stuff with all
> and sundry)  are there other ways (besides incorrectly configured
> wikis) that apache can rewrite static content that incompetents
> like myself should be aware of?
>
> Are there any issues with setting static content to root ownership
> ( or perhaps to user "foo" ownership ), read only, as long as
> apache can still read it?

without using selinux or chroot, you need to assume that anything that is 
world writable, apache group writable, or apache user writable can and 
will be written on by apache.  also, any directory that is writable means 
that any file inside it can be replaced as well.  apache won't go writing 
on things just for fun, but any cgi/php/etc that has a bug will 
eventually be exploited to scribble on things.

and given the lovely foo.php.jpg issue i posted about a few days ago, this 
can lead to some very bad things.
_______________________________________________
PLUG mailing list
http://lists.pdxlinux.org/mailman/listinfo/plug
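
The rule in the reply (world-writable, writable by apache's group, or owned by the apache user, plus any writable directory) is easy to turn into an audit. The script below is an added example, not code from either poster or from Apache; it assumes a POSIX sh with find, that you know the User and Group values from your httpd.conf, and that CGI/PHP runs as that user (no suexec). One point it adds beyond the reply: mode bits do not protect a file the apache user owns, because the owner can always chmod it back, so the owner test ignores permissions. In the built-in demo the current user and group stand in for apache, since chown to another user needs root; the demo tree is constructed, not a real site.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a document root for
# anything the Apache worker could write to, following the reply's rule
# (world-writable, writable by apache's group, owned by the apache user;
# a writable directory means every entry in it can be replaced).
# Assumptions (mine): POSIX sh and find; you know the User/Group values
# from httpd.conf. In the demo the current user and group stand in for
# "apache", because chown to another user needs root.

# _report TAG find-tests...  -- list matching entries under $root,
# marking directories, since a writable directory exposes its contents.
_report() {
    tag=$1; shift
    find "$root" "$@" -print | while IFS= read -r p; do
        if [ -d "$p" ]; then
            printf '%s\tDIR \t%s\n' "$tag" "$p"
        else
            printf '%s\tFILE\t%s\n' "$tag" "$p"
        fi
    done
}

# audit_apache_writable DOCROOT APACHE_USER APACHE_GROUP
# Prints one line per exposed path: REASON, DIR/FILE, path.
audit_apache_writable() {
    root=$1; user=$2; group=$3
    _report WORLD-WRITABLE -perm -002                  # o+w
    _report GROUP-WRITABLE -group "$group" -perm -020  # apache's group, g+w
    # Mode bits do not matter for files apache owns: the owner can always
    # chmod +w, so a "read-only" apache-owned file is still replaceable.
    _report APACHE-OWNED   -user "$user"
}

# Constructed demo tree (not a real site): a read-only static page, a
# wiki data directory left world-writable, and a group-writable wiki page.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/static" "$d/wiki/data"
    printf '<h1>hello</h1>\n' > "$d/static/index.html"
    printf 'wiki page\n'      > "$d/wiki/data/HomePage"
    chmod 755 "$d" "$d/static" "$d/wiki"
    chmod 644 "$d/static/index.html"
    chmod 777 "$d/wiki/data"           # anyone can replace HomePage
    chmod 664 "$d/wiki/data/HomePage"  # group can rewrite it in place
    printf '%s\n' "$d"
}

demo() {
    tree=$(make_demo_tree)
    audit_apache_writable "$tree" "$(id -un)" "$(id -gn)" | sort
    rm -rf "$tree"
}

demo
```

Against a real site run it as root with the User and Group from httpd.conf, e.g. `audit_apache_writable /var/www apache apache`; every line it prints is something a buggy CGI could rewrite. In the demo everything shows up as APACHE-OWNED because the current user stands in for apache, which is exactly the situation the original poster described for the static files.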