Regarding the security issue I described earlier, I tried to find a way around it. We are basically trying to get away from giving world-readable permissions to files in ~/public_html/.
ls -l public_html/index.html
-rwxr-xr-x 1 e0625457 stud 381 Nov 25 13:22 public_html/index.html
I thought of two ways to solve that:
a) set the group of the file to www and give it 755.
b) set the file to 700 and add an ACL entry
I failed with the first because I’m not the owner of the group nor a member of it, so I can’t hand the file over.
I failed with the second because the ACL setting for www was not respected by the webserver; it threw a 403.
I wonder how students should set up web content that is not listable.
There is still the possibility that a caching feature blurred the results of my testing.
But on my way I found something else that’s interesting:
If you do
cat /etc/passwd
you see all students’ and staff’s IDs and full names.
Other interesting commands:
netstat -an|grep http
ps -efl |grep http
cat /etc/syslog.conf
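For the permission question at the start of the post, an added example (not part of the original post): a small audit that lists what under a web directory is world-readable and which parent directories lack the "other" search bit. Under classic mode bits, an account that is neither owner nor group member needs that bit on every parent directory to reach a file. The function names and the sample tree are constructed for this example, and only mode bits are inspected; ACL entries are not evaluated.

```shell
#!/bin/sh
# Added example: audit classic mode bits only (ACL entries are NOT evaluated).

# List files and directories under $1 that have the "other" read bit set.
world_readable() {
    find "$1" \( -type f -o -type d \) -perm -004 -print | sort
}

# Print each directory between file $2 and top directory $1 (inclusive)
# that lacks the "other" search (x) bit.
blocked_dirs() {
    top=$1
    dir=$(dirname "$2")
    while :; do
        # Character 10 of the ls -ld mode string is the "other" execute slot.
        oth=$(ls -ld "$dir" | cut -c10)
        case $oth in
            x|t) ;;                          # searchable by "other"
            *) printf '%s\n' "$dir" ;;       # traversal stops here
        esac
        [ "$dir" = "$top" ] && break
        [ "$dir" = "/" ] || [ "$dir" = "." ] && break
        dir=$(dirname "$dir")
    done
}

# Constructed sample tree standing in for ~ and ~/public_html.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/home/public_html"
    echo hi > "$d/home/public_html/index.html"
    echo x  > "$d/home/public_html/notes.txt"
    chmod 700 "$d/home"
    chmod 755 "$d/home/public_html" "$d/home/public_html/index.html"
    chmod 700 "$d/home/public_html/notes.txt"
    printf '%s\n' "$d"
}

# Demo run on the constructed tree.
demo=$(make_sample)
world_readable "$demo/home"
blocked_dirs "$demo/home" "$demo/home/public_html/index.html"
rm -rf "$demo"
```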
#1 by JohannesBuchner on December 3rd, 2006
Btw, “w” or “who” is fun too.
In combination with /etc/passwd:
#2 by kob on January 9th, 2007
When you really think a little bit about us (the students), you should know that almost 99% have no clue about what you are writing here. In general, around 80% never saw a Unix shell and more than 99% (99.5%) of the people can’t even spell the word security.
Of course it would be really nice, if there is a small introduction to unix for everyone at the beginning of the study. But our program is so full with much more important things (like mathematics, this is no joke :-) ).
And don’t fuck the admin of the student servers. It’s really hard to maintain student servers, and it’s even harder to maintain student servers which run under some sort of old school unix system like AIX.
AIX is a nice system for a bank, somewhere locked in a data center, behind 8 firewalls and with a big maintenance contract with IBM, but not as a student server. Every freaking open source software you have to search on some obscure packing sites or compile yourself. There is by default no apt-get, make install, port install or whatever on AIX.
Just my two cents.
#3 by JohannesBuchner on January 10th, 2007
Thanks for the comment.
I’m sorry, I didn’t mean to attack the admins. And I know that there are awkward and old unix server systems (I admined some once).
I just wondered how one would solve the problem. I thought ACLs would do it.
Also I wanted to show what you can do with the simple shell and a database of a thousand students.
And yes, not everyone will say “I know all that” about my posts, but I like to write about stuff like this more than how I got to the university today or, you know, trivial things. Also I think people could get interested by trying the above and get into shells …
Have fun