Discussion About Unix Links

Usually WWW servers providing protected information also want to provide public information. Since the information about which document files are protected cannot reside in the document file itself, Unix links (both soft and hard) pose a serious security problem: with them it is possible to make a file appear in some directory other than the one where it really resides.

Description of How to Override the Protection

As you can see, in order to gain illegal access to protected documents, the person has to have an account on the same machine as the one where the document resides. Also, the Unix link must be placed under the real WWW server on that machine, not under a privately run copy of it (because otherwise the server would not have Unix read access to the protected documents). Thus, not just anybody can override the access authorization system, even though the weak spot exists.

However, the worst thing about this is the fact that it is not just the creator of the Unix link who gains access to the protected data, but in fact every person who can access that file (the link) through the Web, and that is the entire world.

The problem originates from the fact that the WWW server has Unix access to both protected and public documents, and it alone has to resolve whether a given document is in fact protected or public; the underlying Unix file system certainly doesn't make this any easier.

Unix links have caused similar trouble before, too.
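The two kinds of alias described above are caught in different ways, and the following added example (written for this page, not code from the CERN daemon) shows both. A symbolic link is exposed by resolving the requested path with realpath() and asking whether the real file lies inside the protected directory. A hard link is invisible to realpath(), since the file simply has two names, so the check there is the link count from stat(): a protected document that suddenly has more than one name has been aliased from somewhere. The directory names, the function names and the scratch scenario built under /tmp are all assumptions made for the example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not CERN httpd code. Two hypothetical checks a server could
 * apply before deciding whether a requested file is public or protected. */

/* Returns 1 if `path`, with every symbolic link resolved, lies inside the
 * directory `dir` (also resolved); 0 if it does not; -1 on error. */
int resolves_into(const char *path, const char *dir)
{
    char real_path[PATH_MAX], real_dir[PATH_MAX];
    size_t n;

    if (realpath(path, real_path) == NULL || realpath(dir, real_dir) == NULL)
        return -1;
    n = strlen(real_dir);
    /* The prefix match must end exactly at a separator, so that
     * "/srv/protected" does not also match "/srv/protected-old". */
    if (strncmp(real_path, real_dir, n) == 0 &&
        (real_path[n] == '/' || real_path[n] == '\0'))
        return 1;
    return 0;
}

/* Hard links cannot be seen by realpath(): the file simply has two names.
 * Returns 1 if the regular file at `path` has more than one name, 0 if it
 * has exactly one (or is not a regular file), -1 on error. */
int is_multiply_linked(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    if (!S_ISREG(st.st_mode)) return 0;
    return st.st_nlink > 1 ? 1 : 0;
}

/* Builds the scenario from the text in a scratch directory (constructed data):
 * a protected document, a public directory, and two aliases created from the
 * public side. Returns 0 when both aliases are caught and the honest public
 * file passes; otherwise a code identifying the first failed expectation. */
int run_link_demo(void)
{
    char tmpl[] = "/tmp/linkdemoXXXXXX";
    char prot[PATH_MAX], pub[PATH_MAX], secret[PATH_MAX];
    char ok[PATH_MAX], soft[PATH_MAX], hard[PATH_MAX];
    char *base = mkdtemp(tmpl);
    int rc = 0;
    FILE *f;

    if (base == NULL) return -1;
    snprintf(prot, sizeof prot, "%s/protected", base);
    snprintf(pub, sizeof pub, "%s/public", base);
    snprintf(secret, sizeof secret, "%s/secret.txt", prot);
    snprintf(ok, sizeof ok, "%s/index.html", pub);
    snprintf(soft, sizeof soft, "%s/soft-alias", pub);
    snprintf(hard, sizeof hard, "%s/hard-alias", pub);

    if (mkdir(prot, 0700) != 0 || mkdir(pub, 0755) != 0) rc = -2;
    if (rc == 0 && ((f = fopen(secret, "w")) == NULL || fclose(f) != 0)) rc = -3;
    if (rc == 0 && ((f = fopen(ok, "w")) == NULL || fclose(f) != 0)) rc = -3;
    if (rc == 0 && symlink(secret, soft) != 0) rc = -4;
    if (rc == 0 && link(secret, hard) != 0) rc = -5;

    /* The symbolic link is exposed by resolving the requested path. */
    if (rc == 0 && resolves_into(soft, prot) != 1) rc = 1;
    /* The hard link resolves to itself, inside the public directory ... */
    if (rc == 0 && resolves_into(hard, prot) != 0) rc = 2;
    /* ... but both names now carry a link count of two. */
    if (rc == 0 && is_multiply_linked(hard) != 1) rc = 3;
    if (rc == 0 && is_multiply_linked(secret) != 1) rc = 4;
    /* A genuine public document passes both checks. */
    if (rc == 0 && (resolves_into(ok, prot) != 0 || is_multiply_linked(ok) != 0)) rc = 5;

    unlink(hard); unlink(soft); unlink(ok); unlink(secret);
    rmdir(pub); rmdir(prot); rmdir(base);
    return rc;
}
```

The practical consequence for an administrator is that the link count is the only trace a hard link leaves on the protected copy itself, so a periodic walk over the protected tree looking for regular files with a link count above one is the audit that detects this kind of aliasing after the fact; the realpath() comparison only helps the server at request time, and only against symbolic links.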

Solution in CERN Daemon

Obviously the simplest and safest solution is to run the server under a user-id that has access to the documents of one collaboration but not to those of any other. Because the server has to be able to serve documents of multiple collaborations, it starts as root and sets its process user and group ids to those of the appropriate collaboration just before serving each request.
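What "sets its process user and group ids just before serving the request" amounts to in code is shown by the following added example; it is not the CERN daemon's own implementation. It assumes a fork-per-request model (the root parent forks, the child drops to the collaboration's ids and serves one request), which is an assumption of the example rather than a statement about the daemon. The order of the calls is the security-relevant detail: supplementary groups and the group id must be changed while the process is still root, because after setuid() to an unprivileged id those calls are no longer permitted, and the drop is verified by confirming that root cannot be regained.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not CERN httpd code. Hypothetical privilege drop that a
 * root-started server would perform before touching a collaboration's files.
 * Returns 0 on success, a negative code naming the step that failed. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be reset while still root; when the
     * example runs unprivileged (as in a test) the step is skipped. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    /* Group first: once the uid is unprivileged, setgid() would fail. */
    if (setgid(gid) != 0) return -2;
    if (setuid(uid) != 0) return -3;
    /* Confirm that real and effective ids both changed ... */
    if (getuid() != uid || geteuid() != uid) return -4;
    if (getgid() != gid || getegid() != gid) return -5;
    /* ... and that, for an unprivileged target, root cannot be regained. */
    if (uid != 0 && setuid(0) == 0) return -6;
    return 0;
}

/* Per-request model assumed for the example: fork, drop to the given ids in
 * the child, and ask the kernel (not the server's own tables) whether that
 * identity may read `path`. Returns 1 if readable, 0 if not, -1 on error. */
int readable_as(uid_t uid, gid_t gid, const char *path)
{
    int status;
    pid_t pid = fork();

    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0) _exit(2);
        _exit(access(path, R_OK) == 0 ? 0 : 1);
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    switch (WEXITSTATUS(status)) {
    case 0:  return 1;
    case 1:  return 0;
    default: return -1;
    }
}
```

Because the child keeps only the collaboration's own identity, a link pointing into another collaboration's directory now fails at the Unix level with the usual permission error, regardless of what the server's protection configuration says about the directory the link sits in; that is the property the paragraph above relies on.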

AL 12 December 1993