Mac OS X 10.2.4 update replaces the Apache HTTP httpd.conf file!

From: Henrik Lund Kramshøj (none@hlk--kramse.dk.lh.bsd-dk.dk)
Date: Sat 22 Feb 2003 - 22:48:33 CET


Date: Sat, 22 Feb 2003 22:48:33 +0100
Subject: Mac OS X 10.2.4 update replaces the Apache HTTP httpd.conf file!
From: Henrik Lund Kramshøj <none@hlk--kramse.dk.lh.bsd-dk.dk>
To: osx@bsd-dk.dk

Hi folks

I was just reminded of a small thing about the Mac OS X 10.2.4 update.

httpd.conf is replaced with a new version by this update.

The old one is copied to httpd.conf.applesaved, and it is
quite easy to go into /private/etc/httpd
and run a diff, or simply move your own file back.

For most people it is probably a minor annoyance, for example
if you are a web developer or similar, but as mentioned below
it can give rise to a security breach if the "new" settings
leave the running server open!

Regards

Henrik

Excerpt from the RISKS mail that reminded me of the change

RISKS-LIST: Risks-Forum Digest Tuesday 18 February 2003 Volume 22 : Issue 56

Date: Fri, 14 Feb 2003 10:56:43 -0600
From: Lawrence Brenninkmeyer <none@ldb--northwestern.edu.lh.bsd-dk.dk>
Subject: MacOS 10.2.4 update & httpd.conf replacement

The Mac OS X operating system is a work in progress. Users are treated to
small upgrades every one or two months that fix bugs, improve security, and
occasionally provide increased functionality. Presumably in an effort to
add functionality to the built-in Apache server, the latest update installs
a brand new httpd.conf file. This is the file that tells the Apache server
how to configure itself (which modules to load, where the root directory is,
etc.). The update kindly (and silently) saves the original httpd.conf as
httpd.conf.applesaved. The risk is that replacing the original, not telling
anyone, and then leaving the server active on restart can lead to a breach
of security. One of the things that you can use the httpd.conf file for is
to govern which directories are password protected and which are not [1].
This information is not retained in the new httpd.conf, so directories that
were password protected are opened to the world after the update has been
installed.

The risks are obvious, and so are the solutions. At a minimum, they should
have disabled Apache on startup and presented the user with a dialog box
informing them of the change.

[1] Apache httpd documentation: Basic Security
     <http://httpd.apache.org/docs/howto/auth.html#basic>

<http://pubweb.northwestern.edu/~ldb371/>

--
Henrik Lund Kramshøj, hlk@kramse.dk
Freelance consultant seeking work, see www.security6.net
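
Added example (not part of the original mail or of Apple's updater): a targeted version of the diff between httpd.conf.applesaved and the new httpd.conf that reports only the access-control lines the saved file had and the new file lacks. The directive list, the sample configs and the paths inside them are constructed assumptions.

```python
import re
# Directives that restrict access in an Apache 1.3-style httpd.conf (assumed list).
ACCESS = {"authtype", "authname", "authuserfile", "authgroupfile",
          "require", "order", "deny", "allow", "satisfy", "allowoverride"}
SCOPED = {"directory", "directorymatch", "location", "locationmatch", "files", "filesmatch"}
OPEN = re.compile(r"<(\w+)\s*(.*?)\s*>$")
CLOSE = re.compile(r"</\w+\s*>$")

def access_rules(conf_text):
    """Return {scope: set of access-control lines} for one config file."""
    rules, stack = {}, []
    for raw in conf_text.splitlines():
        line = " ".join(raw.split())          # trim and collapse whitespace
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            del stack[-1:]                    # pop; harmless if sections are unbalanced
            continue
        m = OPEN.match(line)
        if m:                                 # any container, including <IfModule>
            stack.append((m.group(1).lower(), m.group(2).strip('"')))
            continue
        if line.split()[0].lower() in ACCESS:
            scope = " > ".join(f"{n} {a}" for n, a in stack if n in SCOPED) or "(server)"
            rules.setdefault(scope, set()).add(line)
    return rules

def lost_protection(saved_text, new_text):
    """Access-control lines present in the saved config but absent from the new one."""
    old, new = access_rules(saved_text), access_rules(new_text)
    lost = {s: sorted(d - new.get(s, set())) for s, d in old.items()}
    return {s: d for s, d in lost.items() if d}

# Constructed sample standing in for httpd.conf.applesaved.
SAVED = '''
<Directory "/Library/WebServer/Documents">
    Order allow,deny
    Allow from all
</Directory>
<Directory "/Library/WebServer/Documents/private">
    AuthType Basic
    AuthUserFile /private/etc/httpd/staff.htpasswd
    Require valid-user
</Directory>
'''
# Constructed stand-in for the replaced httpd.conf: same file minus the protected block.
NEW = SAVED.split('<Directory "/Library/WebServer/Documents/private">')[0]

if __name__ == "__main__":
    print(lost_protection(SAVED, NEW))
```

To check a real machine, read the two files from /private/etc/httpd and pass their contents to lost_protection(); an empty result means no tracked directive went missing.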



This archive was generated by hypermail 2b30 : Wed 15 Nov 2006 - 18:25:13 CET