lynx-dev

Re: lynx-dev -anonymous broken in 2.8.4?


From: Henry Nelson
Subject: Re: lynx-dev -anonymous broken in 2.8.4?
Date: Mon, 9 Sep 2002 16:02:05 +0900 (JST)

> > Do people who run anonymous Lynx services build customized Lynx binaries

When I still offered a public access Lynx (I shut it down permanently well
over a year ago.), I built a Lynx specifically for that purpose.  I would
definitely advise against anyone sharing a binary for known users and
anonymous users.

> > that some admins may choose to build a separate Lynx binary to be used
> > _only_ for their anon Lynx service, in which case they would be wise to
> > compile dangerous options right out of the program.

I can see no other way for anyone concerned about the security of their
system.  In addition, I would recommend very rigorous exercising of any
new build before it is offered to the public for execution.

> currently there is no way to compile out access to file:/// urls,
> without seriously mucking about with the code. Being able to hard code
> in a list of restrictions would be a "simple" way to enable such a
> thing without having to have an even longer list of:
> CAN_ANONYMOUS_<whatever> FALSE

Is the list in userdefs.h all that long now?  When I was doing it, it
was pretty simple to throw an anonymous access specific patch on it.
If `` #define CAN_ANONYMOUS_GOTO_FILE         FALSE '' is set in
userdefs.h, then the anonymous user cannot access file:// urls barring
a bug in lynx.

> Also at least for myself the anonymous lynx client doesn't use the
> anonymous switch but is instead run by the anonymous user.

Glad to hear it!  If anyone on this list is running a public access binary
with no anonymous user defined and only relying on the anonymous switch, don't.

__Henry
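
The userdefs.h setting discussed in the message above, as an added example that is not part of the original post or of Lynx: a shell audit that lists `CAN_ANONYMOUS_*` macros still defined `TRUE` before a build is offered for anonymous use. The header contents are a constructed sample (only `CAN_ANONYMOUS_GOTO_FILE` is taken from the message), the function names are hypothetical, and `#if` nesting is not evaluated.

```shell
#!/bin/sh
# Added example: audit a userdefs.h for CAN_ANONYMOUS_* macros left TRUE.

# Print each CAN_ANONYMOUS_* macro whose last active #define is TRUE.
# One-line /* ... */ comments are stripped first, so a commented-out
# define is ignored. Conditional compilation is NOT evaluated.
anon_enabled() {
    awk '
        { gsub(/\/\*[^*]*\*\//, "") }
        /^[ \t]*#[ \t]*define[ \t]+CAN_ANONYMOUS_[A-Z0-9_]+/ {
            sub(/^[ \t]*#[ \t]*define[ \t]+/, "")
            if (!($1 in val)) order[++n] = $1
            val[$1] = $2            # a later definition wins
        }
        END { for (i = 1; i <= n; i++)
                  if (val[order[i]] == "TRUE") print order[i] }
    ' "$1"
}

# audit_userdefs FILE [MACRO...]
# MACROs are the ones deliberately left TRUE; any other enabled
# CAN_ANONYMOUS_* macro is reported and makes the audit fail.
audit_userdefs() {
    file=$1; shift
    bad=0
    for name in $(anon_enabled "$file"); do
        case " $* " in
            *" $name "*) ;;         # explicitly permitted
            *) echo "unexpected: $name is TRUE" >&2; bad=1 ;;
        esac
    done
    return $bad
}

# Write a constructed sample header (not the real userdefs.h) to $1.
make_sample() {
    cat > "$1" <<'EOF'
/* constructed sample for the audit example */
#define CAN_ANONYMOUS_GOTO_FILE         FALSE
#define CAN_ANONYMOUS_GOTO_HTTP         TRUE
/* #define CAN_ANONYMOUS_GOTO_FILE      TRUE */
#  define CAN_ANONYMOUS_GOTO_TELNET     TRUE   /* left on by mistake */
EOF
}

sample=$(mktemp)
make_sample "$sample"
audit_userdefs "$sample" CAN_ANONYMOUS_GOTO_HTTP || echo "not fit for anonymous use"
rm -f "$sample"
```
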
