LinuxQuestions.org
06-03-2002, 03:02 AM   #1
tristan_vdv
LQ Newbie
 
Registered: Nov 2001
Location: Australia
Distribution: RH 7.2
Posts: 17

Rep: Reputation: 0
preventing directory traversal in programs


Hi,
I'm writing a server program for Linux where the client gives a username, which is used to construct a path (i.e. /spool/<user>/), which is used in functions like fopen, scandir, etc.

If there are no restrictions on the user name, someone could traverse to a different directory, i.e. /spool/../../etc/

To prevent this happening I have denied the use of a forward slash ('/' -- I think it's a forward slash, or is it a bs? -- can't remember)

Is this all I need to do to make the server secure? Or is there some other way of doing a directory traversal without the '/'?

Thanks
Tristan
 
06-03-2002, 08:08 AM   #2
mace
Member
 
Registered: Apr 2002
Distribution: redhat7, 7.1, 7.2, 8.0, mandrake, debian2.2, 3, suse
Posts: 176

Rep: Reputation: 30
Interesting question.

I've only used the blah.*blah../../../../ trans
 
06-03-2002, 08:22 AM   #3
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,414

Rep: Reputation: 1966
Can you not just look into chroot? I guess I should know the slightest thing about it but I still don't.
 
06-03-2002, 09:42 PM   #4
tyler_durden
Member
 
Registered: May 2001
Posts: 125

Rep: Reputation: 15
You should also not run the program suid root; set it up as its own user account, that way it won't have permission to do anything anywhere else.
 
06-04-2002, 04:03 AM   #5
tristan_vdv
LQ Newbie
 
Registered: Nov 2001
Location: Australia
Distribution: RH 7.2
Posts: 17

Original Poster
Rep: Reputation: 0
Not running as root certainly is the best way to solve the problem. But I want my software to be secure, so I thought I had better run this by you guys to make sure there was no other trick to do directory traversal.
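
An added example, not code from any poster in this thread: a slash-only filter still accepts the names "." and "..", so this sketch validates the username against an allowlist as a single path component and then opens it relative to the spool directory with `openat()` and `O_NOFOLLOW`, which also refuses a symlink sitting where the user directory should be. The function names, the 32-character limit, the permitted character set and the temporary demo spool are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_USER_LEN 32   /* assumed limit, not from the thread */

/* 1 if name is one safe path component: [A-Za-z0-9_-] plus non-leading '.' */
int valid_username(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > MAX_USER_LEN || name[0] == '.')
        return 0;                       /* also rejects "." and ".." */
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
        if (!ok)
            return 0;                   /* '/', '\\', control bytes, ... */
    }
    return 1;
}

/* Open <spool>/<user> relative to an already-open spool directory fd.
 * O_NOFOLLOW refuses a symlink planted in place of the user directory. */
int open_user_dir(int spool_fd, const char *user)
{
    if (!valid_username(user))
        return -1;
    return openat(spool_fd, user, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
}

int main(void)
{
    char tmpl[] = "/tmp/spool-XXXXXX";  /* constructed spool for the demo */
    int spool = mkdtemp(tmpl) ? open(tmpl, O_RDONLY | O_DIRECTORY) : -1;
    if (spool < 0 || mkdirat(spool, "alice", 0700) != 0)
        return 1;
    const char *names[] = { "alice", "..", ".", "a/b", "" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int fd = open_user_dir(spool, names[i]);
        printf("%-8s -> %s\n", names[i], fd >= 0 ? "opened" : "refused");
        if (fd >= 0) close(fd);
    }
    return 0;
}
```

Passing the returned descriptor to `fdopendir()` and `openat()` for later file access keeps every lookup anchored to the validated directory instead of a rebuilt path string.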
 
  

