It looks like we need this...
> >From whitis Wed Nov 9 06:05:08 1994
> Subject: Security patch for HTTPD 1.3
> To: httpd@ncsa.uiuc.edu
> Date: Wed, 9 Nov 1994 06:05:08 -0500 (EST)
> Cc: cert@cert.org, mike (Michael M. Chapman), jeg7e (Jon Gefaell),
> rdunbar@nasm.edu, juphoff@polaris.cv.nrao.edu
> X-Mailer: ELM [version 2.4 PL24]
> MIME-Version: 1.0
> Content-Type: text/plain; charset=US-ASCII
> Content-Transfer-Encoding: 7bit
> Content-Length: 4839
> Status: R
>
> This message contains a patch for NCSA httpd version 1.3 that
> allows the server maintainer to close a security hole without
> substantially restricting the functionality of the server on
> many systems.
>
> The NCSA httpd (versions 1.1 to 1.3) has a known security bug that if
> you enable symbolic links in the options directive for a particular
> directory subtree (or fail to specify an options directive for
> a particular directory), users can create symbolic links in their
> public_html directories which point to dangerous places such as
> "/", or "/etc", allowing them (and anyone else) to read ANY file
> on the system (such as shadow password files) when the httpd
> is running as root (which is the case if httpd is called by inetd
> regardless of what user you specify for httpd to run as in httpd.conf).
>
> This security hole can be closed by specifying an options directive
> which does not allow symbolic links or which only allows symbolic
> links if the owners match (SymLinksIfOwnerMatch). Unfortunately,
> if some or all users on the system have symbolic links for their
> home directories (i.e. /home/user --> /disk1/user), the httpd will
> refuse to allow access to those directories if you restrict symbolic
> links for the appropriate directory trees (i.e. /home or /home/*/.html/*)
> although it will work if you create individual entries for each
> affected user in access.conf (i.e. /home/user1, /home/user2). This
> is simply not practical on many systems.
>
> In actual practice, I have been able to exploit this bug on every
> system I have an account on which runs httpd from inetd. Furthermore,
> on virtually all of the systems I normally use, it is not practical
> to close this security hole without applying this patch.
>
> This patch allows httpd to follow symbolic links if you specify
> the "SymLinksIfOwnerMatch" option and the link points to a file/directory
> owned by the owner of the link (original behavior) OR if the
> link is owned by root.
>
> This patch has not been thoroughly tested; it does, however,
> seem to work precisely as intended.
>
> In addition to applying this patch, it is necessary to create
> entries in access.conf to specify appropriate options directives
> for any directories owned by untrusted users which srm.conf
> allows access to and for trusted users to exercise appropriate
> caution in less restricted directories.
>
> This patch does not solve the problem that if you do not specify
> a directory tree in access.conf but do allow access to that
> directory via srm.conf, the default options are "all". This
> requires careful maintenance of the configuration files.
>
> The active presence of this security hole was brought to my attention by
> Mike Chapman (mike@hopper.itc.virginia.edu).
>
> - Mark Whitis (whitis@nasm.edu)
>
> ---------------------- cut here ------------
*** http_access.c.orig Wed Nov 9 04:36:16 1994
--- http_access.c Wed Nov 9 05:07:06 1994
***************
*** 5,11 ****
*
*/
!
#include "httpd.h"
int in_domain(char *domain, char *what) {
--- 5,18 ----
*
*/
! /* Changes made by Mark Whitis (whitis@nasm.edu) 11/9/94 to allow */
! /* server to follow symbolic links owned by root. This is necessary */
! /* if you have symbolic links of the form /home/user --> /bigdisk/user */
! /* but want to deny ordinary users the ability to create symbolic links */
! /* to files they don't own (such as /etc). You must allow symbolic*/
! /* links if owner matches for this patch to help you. Do not allow */
! /* access to user mountable filesystems in your access.conf file */
! /* or someone could create a symbolic link owned by root. */
#include "httpd.h"
int in_domain(char *domain, char *what) {
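Review bot: the caveat in the last two lines of the new header comment (do not serve user-mountable filesystems, because a link there can be owned by root) is the condition the whole exemption depends on, yet it is recorded only here in the source and not at the two tests the patch changes. Suggest repeating a one-line comment beside each `lfi.st_uid!=0` test and carrying the caveat into the access.conf documentation. The comment should also say outright that a root-owned link is followed whatever the owner of its target, since that is what the new clause does. Minor style point: "symbolic*/" is missing the space before the comment terminator.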
***************
*** 156,162 ****
getparents(realpath);
}
lstat(realpath,&fi);
! if(fi.st_uid != lfi.st_uid)
goto bong;
}
else {
--- 163,169 ----
getparents(realpath);
}
lstat(realpath,&fi);
! if((fi.st_uid != lfi.st_uid) && (lfi.st_uid!=0))
goto bong;
}
else {
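Review bot: the return value of `lstat(realpath,&fi);` just above the changed test is not checked, so when the link target cannot be stat'ed the comparison `fi.st_uid != lfi.st_uid` runs on whatever the struct already held. Suggest `if(lstat(realpath,&fi) == -1) goto bong;` so a failed lookup denies access. Also note that with the added `&& (lfi.st_uid!=0)` clause the target's owner is never consulted for a root-owned link, so the test now trusts every root-owned link in a served tree regardless of where it points; a short comment at this site should state that this is intended. Style: `lfi.st_uid!=0` lacks the spaces used in `fi.st_uid != lfi.st_uid` on the same line.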
***************
*** 202,208 ****
getparents(realpath);
}
lstat(realpath,&lfi);
! if(fi.st_uid != lfi.st_uid)
goto gong;
}
else {
--- 209,215 ----
getparents(realpath);
}
lstat(realpath,&lfi);
! if((fi.st_uid != lfi.st_uid) && (lfi.st_uid!=0))
goto gong;
}
else {
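Review bot: in this hunk `lstat(realpath,&lfi);` fills `lfi` from the resolved path, whereas the previous hunk fills `fi` from `realpath`, yet both changed tests exempt `lfi.st_uid`. Please confirm which struct holds the link's own stat at this site. If `lfi` here is the link target and `fi` the link, then `(lfi.st_uid!=0)` exempts any link whose target is owned by root, not any link that is owned by root, and a user-owned link to a root-owned file would pass the owner check; the exemption would then need to test `fi.st_uid` instead. As in the previous hunk, the `lstat` return value is not checked before the comparison.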