Bugtraq mailing list archives
Re: An issue with Apache on Debian
From: tymiwi () UTA FI (Mikael Willberg)
Date: Fri, 16 Apr 1999 17:48:14 +0300
On Fri, 9 Apr 1999, Karellen wrote:
> That reminds me of something else. On Debian 2.0, after I read the Apache
> manual I tried that neat example they suggest 'ln -s / ~/public_html'
> lynx http://localhost/~username -- I actually got to see my root
> directory! Any user with shell access could do this and allow people
> browse through your /etc, /home and what not. To fix this, add the
> following lines to the top of your /etc/apache/apache.conf.
>
>     <Directory />
>         AllowOverride None
>         Options None
>         Order deny,allow
>         Deny from all
>     </Directory>
I don't know what kind of configuration comes with Debian, but I suggest
replacing "FollowSymLinks" option with "SymLinksIfOwnerMatch" option to
prevent symlink misuse. This option makes the server follow symbolic links
only if the link is owned by the same UID as the target of the link.

And here is a little example:

    <Directory /home>
        ...
        Options ... SymLinksIfOwnerMatch ...
        ...
    </Directory>

Mig

--
**** Mikael Willberg *****  "Oh dear", says God, "I hadn't thought of that" **
* Hypermedia laboratory  *  and promptly vanishes in a puff of logic.        *
* University of Tampere  *  (Douglas Adams)                                  *
******** Finland ********* http://www.uta.fi/~tymiwi/ ***********************
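As an added illustration (not code from either post), the following Python models the per-component ownership rule that SymLinksIfOwnerMatch applies, and runs it against the 'ln -s / ~/public_html' situation from the quoted message; the /home paths, the uids 1000/1001 and the stat tables are all constructed for the demonstration.

```python
import os
import stat
from typing import Callable, Dict, Tuple
StatFn = Callable[[str], os.stat_result]

def symlink_if_owner_match(docroot: str, relpath: str,
                           lstat_fn: StatFn = os.lstat,
                           stat_fn: StatFn = os.stat) -> Tuple[bool, str]:
    """Follow a symlink component only if the uid owning the link (lstat)
    equals the uid owning what it resolves to (stat). Returns (allowed, reason)."""
    cur = docroot
    for part in relpath.strip("/").split("/"):
        if not part:
            continue
        cur = os.path.join(cur, part)
        try:
            link_st = lstat_fn(cur)
        except FileNotFoundError:
            return False, f"{cur}: not found"
        if stat.S_ISLNK(link_st.st_mode):
            target_st = stat_fn(cur)  # resolves the link
            if link_st.st_uid != target_st.st_uid:
                return False, (f"{cur}: link owned by uid {link_st.st_uid}, "
                               f"target owned by uid {target_st.st_uid}")
    return True, "ok"

# Constructed filesystem views (no real files) so the check runs offline.
def fake_stat(mode: int, uid: int) -> os.stat_result:
    return os.stat_result((mode, 0, 0, 1, uid, 0, 0, 0, 0, 0))
def lookup(table: Dict[str, os.stat_result]) -> StatFn:
    def fn(path: str) -> os.stat_result:
        if path not in table:
            raise FileNotFoundError(path)
        return table[path]
    return fn

def demo() -> Dict[str, bool]:
    """alice (uid 1000) linked public_html to the root-owned /; bob (uid 1001) linked it to his own dir."""
    DIR, LNK = stat.S_IFDIR | 0o755, stat.S_IFLNK | 0o777
    lstat_view = {"/home/alice": fake_stat(DIR, 1000),
                  "/home/alice/public_html": fake_stat(LNK, 1000),
                  "/home/bob": fake_stat(DIR, 1001),
                  "/home/bob/public_html": fake_stat(LNK, 1001)}
    stat_view = dict(lstat_view)
    stat_view["/home/alice/public_html"] = fake_stat(DIR, 0)    # -> /
    stat_view["/home/bob/public_html"] = fake_stat(DIR, 1001)   # -> bob's dir
    return {u: symlink_if_owner_match("/home", f"{u}/public_html",
                                      lookup(lstat_view), lookup(stat_view))[0]
            for u in ("alice", "bob")}
```

The check is evaluated per request, so the Apache documentation notes that the real option can be raced by swapping a link between the ownership test and the open; the Deny-from-all on <Directory /> in the quoted message is the setting that does not depend on that test.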
Current thread:
- An issue with Apache on Debian Andrei D. Caraman (Apr 05)
- BOA was: An issue with Apache on Debian Stephen Gregory (Apr 05)
- Re: BOA was: An issue with Apache on Debian Leszek Gerwatowski (Apr 08)
- Netscape 4.5 vulnerability Alexey Pavlov (Apr 08)
- <Possible follow-ups>
- Re: An issue with Apache on Debian Karellen (Apr 08)
- Re: An issue with Apache on Debian Mikael Willberg (Apr 16)