On Mon, Sep 24, 2001 at 07:37:18PM +0200, Petr Baudis wrote:
> > Like you can see, the sess_ files permissions are -rw------- for user
> > root or www-data (like ja apache is installed)
> > All other users can't read the info (none of the same group nor the other
> > users)
> >
> > only the user running the apache server itself
> > so show me where the security leak is ?
> > I think it's normal that apache itself can read the file and no one else
> > can!
> Well, IMHO storing a plain-text password is a problem anyway, and against
> the 'good-practices'. Tell me, why passwords are usually stored only in
> md5 hash form in /etc/shadow? It's readable only for root, so should be
> no problem ;-).
>
> Possible intruder which will gain apache's privileges, can read the file
> and get the plaintext passwords *very* easily, w/o running any brute-force
> decoder on them. And that's a Bad Thing (tm).
>

As it has been said before -- this is not a problem with apache. Apache
doesn't write sess_whatever files...php does when using sessions. If the
initial emailer were concerned about where the files are being put they
can edit 'session.save_path' in php.ini. That is if they're using php
(just seems to be the likely thing...)

-- 
Carl Schmidt
Just like the pied piper led rats through the streets
We dance like marionettes swaying to the symphony of destruction
http://slackerbsd.org/
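The exchange above makes two defensive points: PHP (not Apache) writes the sess_ files, so their location is controlled by session.save_path, and a plaintext password should never be in that file in the first place. The following PHP script is an added example, not code from the thread or from any of its participants, showing both: it points the session store at a directory it checks is readable only by the web-server user (the equivalent of setting session.save_path in php.ini), and after authenticating against a stored hash it records only the user's identity in $_SESSION. The directory path and the single-user table are placeholders constructed for the example.

```php
<?php
// Added example (not from the thread). Two defensive points from the
// discussion: (1) keep session files in a directory only the web-server
// user can read, and (2) never put the plaintext password into $_SESSION.
declare(strict_types=1);

// (1) Equivalent of "session.save_path = /var/lib/php/sessions-example"
// in php.ini. The directory must be mode 0700 and owned by the user the
// web server runs as (e.g. www-data). The path is a placeholder.
$sessionDir = '/var/lib/php/sessions-example';   // placeholder path
if (!is_dir($sessionDir)) {
    mkdir($sessionDir, 0700, true);
}
// Refuse to run if group or others can read the directory: the sess_
// files inside inherit their exposure from it.
$mode = fileperms($sessionDir) & 0777;
if (($mode & 0077) !== 0) {
    http_response_code(500);
    exit("session directory is too permissive: 0" . decoct($mode) . "\n");
}
session_save_path($sessionDir);
ini_set('session.use_strict_mode', '1');   // reject uninitialised session ids
ini_set('session.cookie_httponly', '1');   // keep the id away from scripts
session_start();

// (2) Constructed in-memory user table: the stored value is a hash made
// with password_hash(), never the password itself.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Verify against the hash, then store only identity and login time.
// The submitted password is discarded once password_verify() returns.
function login(array $users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    session_regenerate_id(true);        // fresh id after the privilege change
    $_SESSION['user'] = $name;          // identity only, no credential
    $_SESSION['login_at'] = time();
    return true;
}

if (login($users, $_POST['user'] ?? '', $_POST['pass'] ?? '')) {
    echo "logged in as {$_SESSION['user']}\n";
} else {
    http_response_code(401);
    echo "login failed\n";
}
```

With this layout, someone who reads a sess_ file with the web server's privileges sees a username and a timestamp, not a password that can be reused elsewhere; the hash stays in the user store and only a password_verify() result ever reaches the session.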
This archive was generated by hypermail 2b30 : Tue Sep 25 2001 - 03:28:09 PDT