From owner-freebsd-newbies Wed Sep 4 21:39:57 2002
Delivered-To: freebsd-newbies@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
    by hub.freebsd.org (Postfix) with ESMTP id 6101A37B400
    for ; Wed, 4 Sep 2002 21:39:55 -0700 (PDT)
Received: from floyd.gnulife.org (floyd.gnulife.org [199.86.41.27])
    by mx1.FreeBSD.org (Postfix) with ESMTP id D513743E72
    for ; Wed, 4 Sep 2002 21:39:54 -0700 (PDT)
    (envelope-from jamie@gnulife.org)
Received: by floyd.gnulife.org (Postfix, from userid 1000)
    id 4F6A5432EE; Wed, 4 Sep 2002 23:44:30 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1])
    by floyd.gnulife.org (Postfix) with ESMTP id 1F54943280
    for ; Wed, 4 Sep 2002 23:44:30 -0500 (CDT)
Date: Wed, 4 Sep 2002 23:44:29 -0500 (CDT)
From: Billy Joe Jim Bob
To: freebsd-newbies@freebsd.org
Subject: Security hole with Lynx
Message-ID: <20020904234114.Q98124-100000@floyd.gnulife.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-newbies@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've just discovered a security hole in one of my servers. It is FreeBSD
4.5 and I am running Apache on it. I've installed Lynx and the permissions
on Lynx are 555, owned by root.wheel. Since it has world executable
permission, anyone can download from anyone's directory on the machine by
simply connecting to localhost.

What is the best way to button that up so that everyone can use the
browser, but not everyone can access anybody's files?

- Jamie

"If you lose your bearings, your life won't go smoothly."
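
One way to audit the exposure described in the message above, as an added example that is not part of the original post. It assumes the files are reached by an account that is neither the owner nor in the file's group (for instance the web server's user), so the "other" permission bits decide; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which files under a home-directory tree are reachable
# by accounts that are neither owner nor group member (the "other" class).

# List regular files that "other" can read AND reach: every directory on the
# path must carry o+x, so subtrees behind a directory without it are pruned.
world_exposed() {
    find "$1" -type d ! -perm -001 -prune -o -type f -perm -004 -print | sort
}

# Close a directory to "other" entirely. Files beneath it become unreachable
# for that class regardless of their own mode bits.
close_to_others() {
    chmod o-rwx "$1"
}

# Constructed sample tree standing in for /home (hypothetical users).
build_sample() {
    root=$(mktemp -d "${TMPDIR:-/tmp}/homes.XXXXXX") || return 1
    mkdir -p "$root/alice/public_html" "$root/bob/private"
    echo notes > "$root/alice/notes.txt"
    echo page  > "$root/alice/public_html/index.html"
    echo key   > "$root/bob/private/key.txt"
    echo plan  > "$root/bob/plan.txt"
    chmod 755 "$root" "$root/alice" "$root/alice/public_html" "$root/bob"
    chmod 700 "$root/bob/private"
    chmod 644 "$root/alice/notes.txt" "$root/alice/public_html/index.html" \
              "$root/bob/private/key.txt"
    chmod 600 "$root/bob/plan.txt"
    echo "$root"
}

sample=$(build_sample)
echo "Reachable by other users before:"
world_exposed "$sample"
close_to_others "$sample/alice"
echo "Reachable after closing alice's home:"
world_exposed "$sample"
rm -rf "$sample"
```

In the sample, `bob/private/key.txt` is mode 644 yet never listed, because its parent directory is 700; closing a home directory to "other" has the same effect on everything beneath it.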