Curious symlink problem with Apache -- FC12

Robert Moskowitz rgm at htt-consult.com
Wed Nov 3 16:30:21 UTC 2010


On 11/03/2010 11:56 AM, Tim wrote:
> On Wed, 2010-11-03 at 11:27 -0400, Robert Moskowitz wrote:
>    
>> This is NOT a publicly facing server. It is behind my firewall (A
>> Juniper SSG5) on a subnet that has very limited outside access. Other
>> subnets here have limited access to this subnet. This server is
>> running the Amahi.org setup and serves as a PDC to clients on its
>> subnet, and some Amahi apps for all local subnets. I am adding the
>> repo services for the local devices (on its subnet) and so I can
>> rebuild my main repo server. So though I am a bit concerned about
>> SELinux being disabled, I am not too worried.
>>      
> Just to remove any ambiguity:  If the only outside access to a computer
> is via the webserver software on port 80, then the computer is still
> *potentially* vulnerable.  A computer can be hacked through flaws in the
> webserver.  Merely blocking off other ports (e.g. SSH) is only being
> partially protective.
>    

Yeah. I am aware of that. It would take an island hopping attack. One of 
my outward facing servers would have to go and it in turn go after this 
server. I am just a little guy. I am behind on some updates but working 
to get current. Plus move to DNSSEC for my domain...

I do have one Amahi server partially open, it runs my mail service and 
SquirrelMail. So 25, 587, 110 and 443 are open. So I do run SELinux on 
this one.

> Having said that, it would depend on what the webserver could do, as to
> whether anybody else could wreak havoc.  If it only served flat HTML
> files, they'd have to find a security hole in Apache to cause you
> problems.  The typical Achilles heel is flawed scripts (other programs)
> being run through the server (CGI, PHP, et al).
>
>    

