Re: [mod-security-users] Idea/feature request
From: Ivan R. <iv...@we...> - 2004-08-23 12:40:57
Vincent Deffontaines wrote:

> Greetings,
>
> What if mod_security would, by default, deny access to files that are
> 777/writable by the httpd user? Could be considered an interesting
> feature, especially if it could be set up on a file per file basis, with
> the usual apache inheritance system...

It is a very good idea, similar to the PHP safe mode functionality. It would probably prevent a whole class of attacks targeted toward the exploitation of configuration weaknesses, and application filesystem-writing vulnerabilities. There will be a small performance penalty but once we get past that there are other checks that can be added too. For example, the web server could refuse to serve files that are owned by users other than one named user (I was thinking about the infamous apache.org compromise a while back).

> I have no clue whether this would be possible to implement into
> mod_security, as it doesn't manipulate filesystem objects (or does it?)

It is possible, and I don't think it will be particularly difficult. Thanks for the tip, I've added this feature to my TODO list.

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]