POV-Ray : Newsgroups : povray.off-topic : O RLY? (Message 100 to 109 of 109)
From: Darren New
Subject: Re: O RLY?
Date: 11 Jul 2009 16:46:17
Message: <4a58fa19$1@news.povray.org>
Orchid XP v8 wrote:
> In other words, it stores more than email messages in a central 
> database. Still conceptually the same deal, just with a few minor 
> details on top.

No, not really. Shared stuff like calendars is not conceptually the same as 
a central email store. What exchange does is inherently hard to get right 
because (in part) of the administration/configuration problem and in part 
because of the shared part.

A centralized email server isn't sharing anything between users, nor 
updating things already in the database.

> Well, when somebody says that two identical things are not, in fact, 
> identical, I ask what they think is different...

No. You say "Apache is notable for doing the same thing as IIS", not "What 
does IIS do that Apache doesn't?"

>> How can you be IT support for a windows-based company and not 
>> understand the terms "windows logins" and "remote administration"?
> 
> I don't see what "windows logins" have to do with a generic web server, 
> that's all.

Have you ever used an intranet application where you had to log in to the 
web page?   It means it uses the Active Directory kerberos password stuff to 
let you log into web pages.

MS SQL server allows this too.

>>>>> (Aside from giving root access to anybody who types their URLs with 
>>>>> backslashes instead of forward slashes...)
>>>>
>>>> Cite?
>>>
>>> I *think* this is the correct one:
>>>
>>>
https://services.netscreen.com/restricted/sigupdates/nsm-updates/HTML/HTTP:IIS:ASP-DOT-NET-BACKSLASH.html

>>
>>
>> And where does it say anything about root access there?
> 
> It says that you can "bypass all security controls". How is that 
> different from root access?

Where do you see it say "bypass all security controls"? I see it say "bypass 
ASP.NET authentication capabilities". I see "bypass authentication required 
to access files in secured directories."

What this bug is, in practice, is a way to go
   "http://blah.com/yadda\..\..\hello.txt"
and get out of the DocumentRoot defined by the web server. For example, they 
could use
   "http://blah.com/yadda\..\..\cgi\script.php"
to see the source of your PHP CGI script.

Still not root access.

-- 
   Darren New, San Diego CA, USA (PST)
   "We'd like you to back-port all the changes in 2.0
    back to version 1.0."
   "We've done that already. We call it 2.0."


From: Eero Ahonen
Subject: Re: O RLY?
Date: 12 Jul 2009 04:13:55
Message: <4a599b43$1@news.povray.org>
Darren New wrote:
> 
> Apache doesn't have remote administration, as far as I know. Linux has
> remote stuff in general, 

Well yes, most remote administration tools for Linux AFAIK handle
multiple thingies, not just one software. Apache doesn't have one
built-in, that much is true.

> but you actually have to log into the machine
> running Apache to restart it, 

I do believe that Windows and IIS also require authentication to do such
things :-). Yes, AD makes it pretty easy, while both machines (web
server and your workstation) authenticate from the same servers and with
the same instance. And yes, I believe one can handle such things eg. via
Webmin. Mind you, running Apache on Windows might raise problems on this
view, since AFAIK most remote administration tools for Linux won't work
with it.

> and you have to look at the files that
> Apache instance is reading to change the configuration.

If you do, you're not the usual admin of that server. The admin should know
where a particular instance is configured :-). Also in Windows, if you get
a new, already running server to admin with multiple instances of the same
daemons, you'll need to check which one is which.

> There's no tool for Apache, as far as I know, that lets you change the
> configuration on 300 distributed web servers and then sequence a restart
> of them in such a way that you're not killing anyone's page-serve as the
> servers restart. You have to roll your own using scp (or shared
> directories holding the configuration), ssh, etc.  You can't turn off an
> Apache server without logging into the machine where it's running, and
> you can't change the configuration without logging into whatever machine
> is holding the configuration files.
> 

Well yes, I don't know about distributed administration for Apache
either, but that's a whole other level than just remote administration.

-Aero


From: Eero Ahonen
Subject: Re: O RLY?
Date: 12 Jul 2009 04:29:31
Message: <4a599eeb$1@news.povray.org>
Orchid XP v8 wrote:
> 
> If I'm not mistaken, HTML was a standard long before M$ started adding
> nonportable attributes and entities.
> 

IIRC Netscape was the one to start adding off-standard things to HTML.

-Aero


From: Orchid XP v8
Subject: Re: O RLY?
Date: 12 Jul 2009 07:09:48
Message: <4a59c47c$1@news.povray.org>
>> In other words, it stores more than email messages in a central 
>> database. Still conceptually the same deal, just with a few minor 
>> details on top.
> 
> No, not really. Shared stuff like calendars is not conceptually the same 
> as a central email store. What exchange does is inherently hard to get 
> right because (in part) of the administration/configuration problem and 
> in part because of the shared part.

So instead of sharing datestamped messages and displaying them as 
emails, you share datestamped messages and display them as calendar 
appointments. Big deal.

> A centralized email server isn't sharing anything between users, nor 
> updating things already in the database.

OK, so it's the sharing of stuff (whatever it may be) between multiple 
users that's the hard part. (Especially when each user potentially has 
an offline cache of the database.) That *is* in fact nontrivial, yes. I 
still think it's hardly insurmountable though. (Hell, M$ did it, and 
they know nothing about anything...)

>> I don't see what "windows logins" have to do with a generic web 
>> server, that's all.
> 
> Have you ever used an intranet application where you had to log in to 
> the web page?   It means it uses the Active Directory kerberos password 
> stuff to let you log into web pages.
> 
> MS SQL server allows this too.

We have a couple of 3rd party applications that do this. Apparently they 
all work by using something called LDAP (which is an open standard). You 
don't need a special feature of the web server just for that. Indeed, we 
have non-web apps that do the same trick... Some of them aren't even on 
Windows.

>>> And where does it say anything about root access there?
>>
>> It says that you can "bypass all security controls". How is that 
>> different from root access?
> 
> Where do you see it say "bypass all security controls"? I see it say 
> "bypass ASP.NET authentication capabilities". I see "bypass 
> authentication required to access files in secured directories."
> 
> What this bug is, in practice, is a way to go
>   "http://blah.com/yadda\..\..\hello.txt"
> and get out of the DocumentRoot defined by the web server. For example, 
> they could use
>   "http://blah.com/yadda\..\..\cgi\script.php"
> to see the source of your PHP CGI script.
> 
> Still not root access.

According to the blog where I first saw this mentioned, if you do

   http://example.com/priv/file1

it asks for a username and password due to the security settings on that 
folder. However, if you do

   http://example.com\priv\file1

it just serves the file, bypassing the security. This is apparently due 
to something about the way IIS works internally. (Something like 
all-access being the default, and restricted-access files being listed 
somewhere, and the name string in the URL not matching anything in the 
restrictions list. In other words, it fails-open rather than 
failing-closed...)

Either way, I'm sure this *specific* bug has long since been fixed. But 
the fact that such a simple and obvious bug happened in the first place 
isn't very reassuring. (You would surely have thought that throwing 
weird URLs at the server would be one of the very first things to check 
during testing... assuming M$ does that...)

-- 
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*

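As an added illustration (not code from this thread, and not IIS's actual logic), this Python sketch contrasts the fail-open check Orchid describes, which compares the raw URL string against a restriction list, with a fail-closed version that canonicalizes the path first and also refuses the "yadda\..\..\hello.txt" escape from the DocumentRoot that Darren describes. The restriction list and request paths are constructed for the example.

```python
from typing import Optional
from urllib.parse import unquote

# Constructed stand-in for a web server's "restricted folders" list; the
# names are hypothetical and not taken from any IIS configuration.
RESTRICTED_PREFIXES = ("/priv/",)


def naive_is_restricted(url_path: str) -> bool:
    """Fail-open check: compares the raw request string against the list.
    A backslash spelling such as '\\priv\\file1' matches nothing, so the
    caller would serve the file without asking for credentials."""
    return any(url_path.startswith(p) for p in RESTRICTED_PREFIXES)


def canonicalize(url_path: str) -> Optional[str]:
    """Percent-decode once, fold backslashes to slashes and resolve '.' and
    '..' segment by segment. Returns None if the path tries to climb above
    the document root (the 'yadda\\..\\..\\hello.txt' case)."""
    folded = unquote(url_path).replace("\\", "/")
    segments = []
    for seg in folded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None          # escape attempt: nothing left to pop
            segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments)


def hardened_is_restricted(url_path: str) -> bool:
    """Fail-closed check: decide on the canonical path, and treat a path
    that escapes the document root as restricted rather than serving it."""
    canon = canonicalize(url_path)
    if canon is None:
        return True
    return any(canon == p.rstrip("/") or canon.startswith(p)
               for p in RESTRICTED_PREFIXES)


if __name__ == "__main__":
    for req in ("/priv/file1", "\\priv\\file1", "/yadda\\..\\..\\hello.txt"):
        print(f"{req!r:32} naive={naive_is_restricted(req)!s:5} "
              f"hardened={hardened_is_restricted(req)}")
```

The point of the comparison is that the access decision must be made on the same canonical name the file system will eventually resolve, not on whatever spelling the client happened to send.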

From: Darren New
Subject: Re: O RLY?
Date: 12 Jul 2009 11:25:55
Message: <4a5a0083$1@news.povray.org>
Eero Ahonen wrote:
> Well yes, most remote administration tools for Linux AFAIK handles
> multiple thingies, not just one software.

Can you tell me a good remote administration suite for Linux machines?

Something that will, say, let me install software on a bunch of desktop 
machines, show me what's installed there, update things, make backups, 
restore data, and so on?

> I do believe that Windows and IIS also require authentication to do such
> things :-). 

Sure, but it's trivial and I don't have to do it by logging in, is what I 
meant.  It's pretty trivial even without AD.

>> and you have to look at the files that
>> Apache instance is reading to change the configuration.
> 
> If you do, you're not the usual admin of that server. 

I mean, Apache reads a file for its configuration. The file is either local 
to the machine, or on a network-shared directory.

> Well yes, I either don't know about distributed administration for
> Apache, but that's a whole another level than just remote administration.

Sure. My point is that Linux doesn't really have remote administration. It 
has remote access to the local administration. Often just as good or better, 
but you need the right tools to make that easier.

You can't remotely reboot a Linux machine without logging into it, for 
example. But once you log in, you can do anything you could do if you were 
sitting there. (Of course, the latter is true of Windows, too.)

-- 
   Darren New, San Diego CA, USA (PST)
   "We'd like you to back-port all the changes in 2.0
    back to version 1.0."
   "We've done that already. We call it 2.0."


From: Darren New
Subject: Re: O RLY?
Date: 12 Jul 2009 11:31:24
Message: <4a5a01cc@news.povray.org>
Orchid XP v8 wrote:
> So instead of sharing datestamped messages and displaying them as 
> emails, you share datestamped messages and display them as calendar 
> appointments. Big deal.

Well, no.  Because it's coordinated, you see. Plus it has to be machine 
readable, which is obviously non-trivial given it doesn't really work 
cross-platform.

>> A centralized email server isn't sharing anything between users, nor 
>> updating things already in the database.
> 
> OK, so it's the sharing of stuff (whatever it may be) between multiple 
> users that's the hard part. (Especially when each user potentially has 
> an offline cache of the database.) 

Yes. Otherwise, it's just IMAP.

> We have a couple of 3rd party applications that do this. Apparently they 
> all work by using something called LDAP (which is an open standard). You 
> don't need a special feature of the web server just for that.

How do I configure Apache to do that?

> According to the blog where I first saw this mentioned, if you do
> 
>   http://example.com/priv/file1
> 
> it asks for a username and password due to the security settings on that 
> folder. However, if you do
> 
>   http://example.com\priv\file1
> 
> it just serves the file, bypassing the security.

That's *still* not root access. That's serving a file without the web server 
asking permission to serve the file. You're bypassing the web server's 
security list, not the OS's security list.

> Either way, I'm sure this *specific* bug has long since been fixed. But 
> the fact that such a simple and obvious bug happened in the first place 
> isn't very reassuring. 

And you know what? In the early versions of Netscape, if your web browser 
hit a URL that read "telnet:;rm -rf ~" you'd lose all your files, because it 
just changed the first colon to a space and passed it to the shell as a 
command. Everyone makes stupid errors.

-- 
   Darren New, San Diego CA, USA (PST)
   "We'd like you to back-port all the changes in 2.0
    back to version 1.0."
   "We've done that already. We call it 2.0."


From: Eero Ahonen
Subject: Re: O RLY?
Date: 12 Jul 2009 12:27:45
Message: <4a5a0f01@news.povray.org>
Darren New wrote:
> 
> Can you tell me a good remote administration suite for Linux machines?

I can't tell you if it's *good* (I haven't tested), but one such suite
is Webmin. I have seen a couple of others too, but I can't remember the
names. If I had a bunch of machines to care about, I would search for and test those.

> Something that will, say, let me install software on a bunch of desktop
> machines, show me what's installed there, update things, make backups,
> restore data, and so on?

Distributed administration again? I don't know if those remote admin
suites handle multiple computers with one command.

> Sure, but it's trivial and I don't have to do it by logging in, is what
> I meant.  It's pretty trivial even without AD.

Basically that triviality comes from Windows's habit of trying to access
another computer with the username and password you're currently logged
in with. I don't know any other system that does that, but an increasing
number of programs allow saving passwords.

> I mean, Apache reads a file for its configuration. The file is either
> local to the machine, or on a network-shared directory.

Yes.

> Sure. My point is that Linux doesn't really have remote administration.
> It has remote access to the local administration. Often just as good or
> better, but you need the right tools to make that easier.

There are remote admin programs, but because, as you say, remote login
is usually at least as good, they are pretty unknown and silent
projects. Distributed admin (eg. "install software X to machines A, B and
C") is something that surely would be useful and would be more useful than
remote login in many cases.

> You can't remotely reboot a Linux machine without logging into it, for
> example. But once you log in, you can do anything you could do if you
> were sitting there. (Of course, the latter is true of Windows, too.)

Eg. Webmin has reboot possibility. If logging in to Webmin equals
logging on to the machine, then yes.

-Aero


From: Eero Ahonen
Subject: Re: O RLY?
Date: 12 Jul 2009 12:33:30
Message: <4a5a105a@news.povray.org>
Darren New wrote:
> 
>> We have a couple of 3rd party applications that do this. Apparently
>> they all work by using something called LDAP (which is an open
>> standard). You don't need a special feature of the web server just for
>> that.
> 
> How do I configure Apache to do that?
> 

Install mod_auth_ldap:
http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html
and dig some easy information from eg. here:
http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.html
or a bit more info from here:
http://www.linux.com/archive/feature/120050
and if that's not enough, just use the correct keywords:
http://www.google.com/search?q=Apache+LDAP+authentication

:-)

-Aero


From: Jim Henderson
Subject: Re: O RLY?
Date: 12 Jul 2009 13:25:12
Message: <4a5a1c78$1@news.povray.org>
On Sun, 12 Jul 2009 08:25:52 -0700, Darren New wrote:

> Sure. My point is that Linux doesn't really have remote administration.

That depends on how you define "remote administration" - webmin provides 
remote administration (for example)....

Jim


From: scott
Subject: Re: O RLY?
Date: 13 Jul 2009 03:19:06
Message: <4a5adfea$1@news.povray.org>
> Your university probably didn't pay for the big version that has all that 
> stuff, too.

Haha no, at my University we wrote our C++ in emacs on Unix dumb terminals 
:-)

We had some version of VS at work a while back, but I gave up on it and just 
use the Express version now as I hardly do anything very big or complex.


Copyright 2003-2023 Persistence of Vision Raytracer Pty. Ltd.