www-apache-bugdb mailing list archives

From Jonathan Hunter <...@ninja.ml.org>
Subject config/724: After following security tips, / is still browseable
Date Thu, 12 Jun 1997 13:00:03 GMT

>Number:         724
>Category:       config
>Synopsis:       After following security tips, / is still browseable
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Thu Jun 12 06:00:01 1997
>Originator:     jon@ninja.ml.org
>Organization:
apache
>Release:        1.2.0
>Environment:
Linux hilly 2.0.30 #4 Fri Jun 6 20:17:31 BST 1997 i486

Possibly relevant stuff:
  Quota support installed,
  /usr and / are different filesystems,
  Virtual hosts in use.
>Description:
Hi!

I hope this is just me being thick, or doing something wrong...

I followed the instructions on the "Security tips" page, but users can still
make symbolic links enabling the root directory to be viewed :-(

From what I understand, this should not be the case?
>How-To-Repeat:
Here are the steps I took:

# ln -s / /home/[innocentuser]/public_html

Then I edited conf/access.conf to include:

<Directory />
  Order deny,allow
  Deny from all
</Directory>
# Now we have to explicitly enable access to home directories:
<Directory /home/*/public_html>
  Order deny,allow
  Allow from all
</Directory>

Unfortunately, if I include the second <Directory> directive, then on viewing
http://localhost/~innocentuser/ I get a full directory listing of / :-(
>Fix:
I suspect this is to do with Apache's symbolic link handling - is there a directive
to stop Apache following links in home directories, say, that would take it outside
the allowed directory structure?

Thanks,

Jonatha
>Audit-Trail:
>Unformatted:
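
An audit for the condition this report describes, added here as an example that is not part of the original message or of Apache: it lists symlinks under each user's public_html that resolve outside that user's home directory. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

def escaping_links(home_root, webdir="public_html"):
    """List symlinks under <home_root>/<user>/<webdir> that resolve outside
    that user's home. Returns (link, resolved_target, same_owner) tuples."""
    home_root = os.path.realpath(home_root)
    findings = []
    for user in sorted(os.listdir(home_root)):
        home = os.path.join(home_root, user)
        top = os.path.join(home, webdir)
        if os.path.islink(top):
            # The web directory itself is the link (the case in the report).
            # Do not walk it: os.walk would follow it and scan the target.
            candidates = [top]
        else:
            # os.walk lists symlinks but does not descend into linked dirs.
            candidates = [
                os.path.join(dirpath, name)
                for dirpath, dirs, files in os.walk(top)
                for name in dirs + files
                if os.path.islink(os.path.join(dirpath, name))
            ]
        for link in candidates:
            target = os.path.realpath(link)
            if os.path.commonpath([home, target]) == home:
                continue  # link stays inside the user's own home directory
            try:
                same_owner = os.lstat(link).st_uid == os.stat(target).st_uid
            except OSError:
                same_owner = False  # dangling link, nothing to compare
            findings.append((link, target, same_owner))
    return findings

def build_sample(root):
    """Constructed sample tree with one escaping link per pattern."""
    for user in ("alice", "bob", "carol"):
        os.makedirs(os.path.join(root, user))
    os.symlink("/", os.path.join(root, "alice", "public_html"))
    for user in ("bob", "carol"):
        os.makedirs(os.path.join(root, user, "public_html"))
    os.symlink(os.path.join(root, "carol"),
               os.path.join(root, "bob", "public_html", "peek"))
    os.makedirs(os.path.join(root, "carol", "docs"))
    os.symlink("../docs", os.path.join(root, "carol", "public_html", "docs"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for link, target, same_owner in escaping_links(tmp):
            print(f"{link} -> {target} (same owner: {same_owner})")
```

A `same_owner` value of True marks a link that Apache's `SymLinksIfOwnerMatch` option would still follow, which applies to a link created by root that points at a root-owned directory.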


