TUCoPS :: Linux :: Red Hat/Fedora :: httpd9~3.txt

Redhat/Mandrake httpd userdir problems




    Mandrake 5.3/7.0, RedHat 5.2/5.3/6.0 + Apache BUG


    Kasatenko Ivan Alex. found following.  Lately his users helped him
    to discover one unpleasant  feature: a home catalog  of ``nobody''
    user is "/" on most Mandrake's and RedHat's (any others?).   Let's
    see a setting in the httpd.conf:

        # UserDir: The name of the directory which is appended onto a user's home
        # directory if a ~user request is recieved.

        UserDir ./

    .. any user may go to, for example,


    and get a list of files in the /etc catalog.


    UserDir is actually typically set  to public_html - or some  such.
    Never seen a site setup with UserDir set to './' - but needless to
    say, that's a Very Bad[tm] way to set things up.

    SuSE Linux used to have  user nobody's HOME directory set  to /tmp
    for  years.   Starting  with   SuSE-7.0,  it   will  be   set   to
    /var/lib/nobody.  Apache, as distributed with SuSE, is  configured
    `UserDir  public_html'  and  is  therefore  not vulnerable for the
    http://machine/~nobody/-problem.   However, SuSE  encourage admins
    to change this user's home using the commands

        mkdir -p /var/lib/nobody
        chown nobody.nogroup /var/lib/nobody
        usermod -d /var/lib/nobody

    Make sure that  you move files  belonging to user  nobody from the
    former location to  the new home  and that you  don't rely on  the
    old absolute path in your scripts.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH