Discussion About Unix Links
Usually WWW servers providing protected information also want to
provide public information. Since the information about which document
files are protected cannot reside in the same file as the document
itself, Unix links (both soft and hard) pose a serious security
problem, because with them it is possible to make a file appear in
some other directory than the one where it really resides.
Description of How to Override the Protection
- Make a document.
- Make a Unix (soft or hard) link to the protected document
(has to be on the same machine, of course).
- From your own document make a hypertext link to the newly
created Unix link.
- You can now access the protected document by following the
hypertext link in your own document.
As you can see, in order to gain illegal access to protected
documents, the person has to have an account on the same machine as
the one where the document resides. Also, the Unix link must be put under
the real WWW server on that machine, not just a privately run copy of it
(because otherwise it would not have Unix read access to the protected
documents). Thus, not just anyone can override the access
authorization system, even with this weak spot present.
However, the worst thing about this is the fact that it is not just
the creator of the Unix link who gains access to the protected data,
but in fact every person who can access that file (link) through the
Web (and that's the entire world).
The problem originates from the fact that the WWW server has Unix
access to both protected and public documents, and IT has to resolve
whether a given document is in fact protected or public; the underlying
Unix file system certainly doesn't make that any easier.
Unix links have caused similar trouble before, too.
Solution in CERN Daemon
Obviously the simplest and safest solution is to run the server under
a user-id that has access to the documents of one collaboration, but
not to any others. Because the server has to be able to serve documents
of multiple collaborations, it first runs as root and
sets its process user and group ids just before serving the request.
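As an added example that is not part of the original document or of the CERN daemon's code, the following Python shows a complementary check a server can apply before reading a document from a public tree: canonicalise the requested path and refuse anything that, once soft links are resolved, lies outside the public root, and refuse documents whose link count betrays a hard link (which cannot be told apart by path). The directory layout, file names and the check_request/build_demo_tree helpers are constructed here for illustration.

```python
import os
import tempfile


def check_request(public_root, request_path):
    """Decide whether request_path may be served from public_root.

    Returns (allowed, detail). A soft link is defeated by canonicalising the
    path and demanding that the result still lies inside the public root; a
    hard link has no path to inspect, so a link count above 1 is refused too.
    """
    root = os.path.realpath(public_root)
    candidate = os.path.realpath(os.path.join(root, request_path.lstrip("/")))
    if not (candidate == root or candidate.startswith(root + os.sep)):
        return False, "resolves outside the public root"
    try:
        st = os.stat(candidate)
    except FileNotFoundError:
        return False, "no such document"
    if st.st_nlink > 1:
        return False, "document has more than one hard link"
    return True, candidate


def build_demo_tree():
    """Constructed layout (hypothetical): a public tree and a protected tree
    side by side, with one soft link and one hard link planted in the public
    tree that both point at a protected document."""
    base = tempfile.mkdtemp()
    public = os.path.join(base, "public")
    protected = os.path.join(base, "protected")
    os.makedirs(public)
    os.makedirs(protected)
    secret = os.path.join(protected, "members.html")
    with open(secret, "w") as f:
        f.write("<p>members only</p>\n")
    with open(os.path.join(public, "index.html"), "w") as f:
        f.write("<p>public</p>\n")
    os.symlink(secret, os.path.join(public, "soft.html"))   # soft link
    os.link(secret, os.path.join(public, "hard.html"))      # hard link
    return public


def run_demo():
    """Map each constructed request to whether the check lets it through."""
    public = build_demo_tree()
    names = ("index.html", "soft.html", "hard.html", "../protected/members.html")
    return {name: check_request(public, name)[0] for name in names}


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name:28s} {'served' if allowed else 'refused'}")
```

Only index.html is served; the soft link, the hard link and the parent-directory path are all refused. The hard-link rule is deliberately coarse: any legitimately multiply-linked public document is refused as well, which is the trade-off a server makes when it cannot tell the two cases apart.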
AL 12 December 1993