Re: [Full-disclosure] Apache suEXEC privilege elevation / inform

Board: Bugtraq, posted 2013/08/12 02:01
Agreed. Many sites limit users to at most SymLinksIfOwnerMatch for that very reason, not to mention limits on CGI privileges. AllowSymlinks, IMO, ought to be reserved for the sysadmin on the server and used sparingly. You can, of course, even require .htaccess configurations to be set in the server's configuration files instead of in the user account areas (in conjunction with the AllowOverride None setting).

--Tobias

On 8/11/2013 7:52 AM, Michal Zalewski wrote:
>> for doing this features in httpd.conf you can use AllowOverride None instead
>> of AllowOverride all
> AllowSymlinks is a red herring here (hardlinks should do, unless you
> have stuff partitioned in a very thoughtful way, which most don't),
> similarly to suexec.
>
> In general, sharing web hosting providers that allow shell access or
> scripting are pretty much boned in a myriad of ways.
>
> /mz
Article code (AID): #1I1z5V49 (Bugtraq)
Full thread (articles with the same title): this article is number 10 of 32
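
An added example, not part of the original thread or of Apache itself: a small Python check for the settings discussed in the reply above, flagging Directory blocks that follow symlinks without an owner check or that allow .htaccess overrides. It assumes the option the thread calls AllowSymlinks is Apache's FollowSymLinks; the sample configuration and its paths are constructed, and only plain Directory sections in a single file are handled.

```python
import re

# Constructed sample configuration; the paths are illustrative only.
SAMPLE_CONF = """\
<Directory "/home/*/public_html">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
<Directory "/srv/hosting/*/htdocs">
    Options SymLinksIfOwnerMatch
    AllowOverride None
</Directory>
<Directory "/var/www/legacy">
    Options -Indexes +FollowSymLinks
    AllowOverride FileInfo Options
</Directory>
"""

OPEN = re.compile(r'<Directory\s+"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r'</Directory\s*>', re.I)

def audit(conf_text):
    """Return (directory, finding) pairs for risky per-directory settings."""
    findings, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # Apache comments are whole lines
            continue
        opened = OPEN.match(line)
        if opened:
            current = opened.group(1)
        elif CLOSE.match(line):
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            name = parts[0].lower()
            args = parts[1].split() if len(parts) > 1 else []
            # "+X" enables X and "-X" disables it, so strip only the plus sign.
            words = [w.lstrip("+").lower() for w in args]
            # "Options All" enables every option except MultiViews.
            if name == "options" and ("followsymlinks" in words or "all" in words):
                findings.append((current, "symlinks followed without owner check"))
            elif name == "allowoverride" and words != ["none"]:
                findings.append((current, "settings can be overridden from .htaccess"))
    return findings

if __name__ == "__main__":
    for directory, finding in audit(SAMPLE_CONF):
        print(f"{directory}: {finding}")
```

Apache's documentation notes that SymLinksIfOwnerMatch is subject to race conditions and should not be treated as a security restriction on its own.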