[10251] in bugtraq


Re: An issue with Apache on Debian

daemon@ATHENA.MIT.EDU (Mikael Willberg)
Fri Apr 16 16:40:36 1999

Date: 	Fri, 16 Apr 1999 17:48:14 +0300
Reply-To: Mikael Willberg <tymiwi@UTA.FI>
From: Mikael Willberg <tymiwi@UTA.FI>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <19990409004814.A5290@congress.codec.ro>

On Fri, 9 Apr 1999, Karellen wrote:
>
> That reminds me of something else. On Debian 2.0, after I read the Apache
> manual I tried that neat example they suggest 'ln -s / ~/public_html'
> lynx http://localhost/~username -- I actually got to see my root directory!
> Any user with shell access could do this and allow people to browse through your
> /etc, /home and what not. To fix this, add the following lines to the top of
> your /etc/apache/apache.conf.
>
> <Directory />
> AllowOverride None
> Options None
> Order deny,allow
> Deny from all
> </Directory>

I don't know what kind of configuration comes with Debian, but I suggest
replacing the "FollowSymLinks" option with the "SymLinksIfOwnerMatch" option to
prevent symlink misuse. This option makes the server follow symbolic links
only if the link is owned by the same UID as the target of the link. And
here is a little example:

<Directory /home>
...
Options ... SymLinksIfOwnerMatch ...
...
</Directory>


Mig

--
**** Mikael Willberg ***** "Oh dear", says God, "I hadn't thought of that" **
* Hypermedia laboratory *  and promptly vanishes in a puff of logic.        *
* University of Tampere *                                  (Douglas Adams)  *
******** Finland ********* http://www.uta.fi/~tymiwi/ ***********************
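
As an added example (not part of the original thread), the following script reproduces the owner test that SymLinksIfOwnerMatch applies, so an administrator can audit a document root for symlinks that FollowSymLinks would serve but SymLinksIfOwnerMatch would refuse. It assumes GNU coreutils `stat` (Linux); the sample directory tree built by make_demo_tree is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU `stat` (Linux).

# Print "allow" when the symlink and its target share a UID (what
# SymLinksIfOwnerMatch requires), "deny" otherwise (dangling links included),
# and "notlink" when the path is not a symbolic link at all.
symlink_owner_check() {
    link="$1"
    if [ ! -L "$link" ]; then
        echo notlink
        return 0
    fi
    link_uid=$(stat -c %u "$link")                       # lstat: owner of the link itself
    target_uid=$(stat -L -c %u "$link" 2>/dev/null) || { echo deny; return 0; }
    if [ "$link_uid" = "$target_uid" ]; then
        echo allow
    else
        echo deny
    fi
}

# Walk a document root and list every symlink SymLinksIfOwnerMatch would
# refuse, i.e. the links that plain FollowSymLinks would happily serve.
audit_docroot() {
    root="$1"
    find "$root" -type l | while read -r l; do
        if [ "$(symlink_owner_check "$l")" = deny ]; then
            printf '%s -> %s (owner mismatch)\n' "$l" "$(readlink "$l")"
        fi
    done
}

# Constructed sample tree: one link to the user's own file (allowed) and one
# link to /etc, which is root-owned on a normal system and so is refused
# unless the script itself runs as root.
make_demo_tree() {
    d=$(mktemp -d)
    echo hello > "$d/own.txt"
    ln -s "$d/own.txt" "$d/ok"
    ln -s /etc "$d/escape"
    echo "$d"
}
```

Run `audit_docroot "$(make_demo_tree)"` as an unprivileged user to see the /etc link reported while the link to the user's own file stays silent.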
