[CLUE-Tech] Cracking websites
Nate Duehr
nate at natetech.com
Sun Feb 22 00:26:20 MST 2004
On Feb 21, 2004, at 6:33 PM, Jed S. Baer wrote:
> Hi Folks.
>
> I'm wondering about website security. In a shared hosting environment,
> under Apache, is there anything to prevent me from reading other users'
> files -- that is, any files which must be readable by the httpd user
> for the site to function?

All kinda depends on how the hosting company admins set up the machine.
I know some Linux folks here in town use User-mode Linux to give each
user their own "virtual machine" to work from -- others use chrooted
environments.

If you find any hosting sites where your hack works -- um... run away.
They don't know what they're doing. That's probably the best advice
someone can give ya! ;-)

The hosting company that allows that either didn't spend enough time
adequately thinking about the problem, or doesn't have enough social
deviants ("but, the happy kind!") on staff to think them up for them.
LOL.

There's also older (not so great, but workable) techniques like suexec
that can get Apache to run as your user for things like your CGI
directory. From what I read people have a love/hate relationship with
stuff like that. And of course there's always the hack of running
multiple Apaches and using the URL to proxy to the correct one via
either a main Apache that handles the initial requests (Ick... pbbbt...
eww.) or a hardware load balancer.

That's just some of the WEIRD ways to deal with it... (GRIN)...

Nate Duehr, nate at natetech.com
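
A permission audit a hosting admin could run for the exposure asked about in this thread, added here as an example and not part of the original messages. It assumes POSIX permission bits only (no ACLs, no group membership), that the directory passed in is itself reachable, and uses hypothetical names (`exposed_files`, `build_sample`, account `alice`) with a constructed sample tree.

```python
import os
import stat
import tempfile

def exposed_files(root):
    """List regular files under root that any other local account can read."""
    found = []

    def walk(directory):
        mode = os.lstat(directory).st_mode
        if not mode & stat.S_IXOTH:      # no o+x: others cannot enter at all
            return
        # o+x without o+r: others can open a file only if they know its name
        how = "listable" if mode & stat.S_IROTH else "name must be guessed"
        with os.scandir(directory) as entries:
            for entry in entries:
                st = entry.stat(follow_symlinks=False)   # never follow symlinks
                if stat.S_ISDIR(st.st_mode):
                    walk(entry.path)
                elif stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                    found.append((entry.path, how))

    walk(root)
    return sorted(found)

def build_sample(base):
    """Create a constructed home directory for a hypothetical account 'alice'."""
    home = os.path.join(base, "alice")
    layout = {                            # relative path -> mode (constructed)
        "public_html/index.html": 0o644,  # meant to be served
        "public_html/config.php": 0o640,  # owner and group only
        "private/notes.txt": 0o644,       # loose file inside a closed directory
        ".htpasswd": 0o644,               # loose file in a traverse-only home
    }
    for rel, mode in layout.items():
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(home, "public_html"), 0o755)
    os.chmod(os.path.join(home, "private"), 0o700)
    os.chmod(home, 0o711)
    return home

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for path, how in exposed_files(build_sample(base)):
            print(f"{how:22} {path}")
```

Files the audit reports are readable by every account on the box; a file like `config.php` at 0640 drops off the list only if the web server reaches it through the group or runs as the owning user, which is what suexec or a per-user Apache provides.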