httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <>
Subject Re: security bug in 1.1.3?
Date Fri, 21 Feb 1997 23:10:30 GMT
I would not call it a bug, just a historical misfeature.

I think the thought is that if you specify a directory as being accessable
(eg. DocumentRoot or UserDir) then the server assumes that you really do
want to serve files from there; you have already said it once, so why say
it again.  If you don't specify any special setup, then you get
"reasonable" defaults. 

This is not necessarily the best behavior in all cases, as your example
illustrates.  However, I'm not sure that can easily be changed right now
for backwards compatability sake.

Perhaps this should either be added as a note to the UserDir directive or
perhaps in the security tips document (which could be greatly expanded...
when someone has the time...) with a link from the UserDir directive.

On Fri, 21 Feb 1997, Michael Douglass wrote:

> I haven't heard anyone in BUGTRAQ or BOS mention this so I thought I'd
> bring it up.  I had several web servers running apache 1.1.3 where I
> had the UserDir set to ./ so that the users home page would literally
> be their home directory.  (The machine is web only and they ftp their
> pages in--so this is not a problem).
> I had access.conf configured to give permissions to the directories where
> the documents existed, etc. and assumed that the default permission was
> DENY for any directories not listed in access.conf.  It appears this is
> not the case as I had to put a literal <Directory /> with a <Limit> denying
> from all.
> The problem here was that you could do ~root and get /./ and the access.conf
> file would not deny this action.  (The servers do not run as root, but this
> is *still* generally not a good idea.)
> I could be wrong in assuming that if the directory is not specified in
> access.conf that the default would be DENY-----but that makes too much
> sense to me.  Why would DEFAULT behavior for an unlisted directory hiearchy
> be to allow instead of deny?
> Michael Douglass
> Texas Networking, Inc.
>  "The past is a foreign country; they do things differently there."
>       L. P. Hartley, British author. The Go-Between, Prologue (1953).

View raw message