COMMAND

    httpd

SYSTEMS AFFECTED

    Mandrake 5.3/7.0, RedHat 5.2/5.3/6.0 + Apache

PROBLEM

    Kasatenko Ivan Alex. found the following. Recently his users helped him
    discover one unpleasant feature: the home directory of the ``nobody''
    user is "/" on most Mandrake and RedHat systems (any others?). Look at
    this setting in httpd.conf:

        # UserDir: The name of the directory which is appended onto a user's home
        # directory if a ~user request is received.
        UserDir ./

    With that in place any user may go to, for example,
    http://www.malconfigured-host.com/~nobody/etc/ and get a listing of the
    files in the /etc directory.

SOLUTION

    UserDir is typically set to public_html or some such. Never seen a site
    set up with UserDir set to './', but needless to say, that's a Very
    Bad[tm] way to set things up.

    SuSE Linux had user nobody's HOME directory set to /tmp for years.
    Starting with SuSE-7.0, it will be set to /var/lib/nobody. Apache, as
    distributed with SuSE, is configured `UserDir public_html' and is
    therefore not vulnerable to the http://machine/~nobody/ problem. However,
    SuSE encourages admins to change this user's home using the commands

        mkdir -p /var/lib/nobody
        chown nobody.nogroup /var/lib/nobody
        usermod -d /var/lib/nobody nobody

    Make sure that you move files belonging to user nobody from the former
    location to the new home and that you don't rely on the old absolute
    path in your scripts.
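    The following audit script is an added example, not code from the advisory or from any distribution: it joins each account's home directory from a passwd file with Apache's UserDir value and reports every account whose ~user tree would resolve to "/" or a top-level directory, which is exactly how ~nobody/etc/ came to list /etc above. The passwd and httpd.conf contents it writes are constructed samples, and the file paths are assumptions.

```shell
#!/bin/sh
# Added audit check, not from the advisory or any distribution. It joins each
# passwd home with Apache's UserDir and flags results at "/" or one level below
# (/etc, /tmp ...), which is how ~nobody/etc/ came to list /etc. Honours
# "UserDir disabled <users>"; ignores "UserDir enabled". Inputs are constructed.

# Last effective UserDir value in an httpd.conf (Apache's default: public_html).
userdir_setting() {
    awk 'tolower($1) == "userdir" && tolower($2) != "enabled" &&
         (tolower($2) != "disabled" || NF == 2) { v = $2 }
         END { print (v == "" ? "public_html" : v) }' "$1"
}
# Users named in "UserDir disabled user ..." lines, space-separated.
userdir_disabled_users() {
    awk 'tolower($1) == "userdir" && tolower($2) == "disabled" && NF > 2 {
             for (i = 3; i <= NF; i++) printf "%s ", $i }' "$1"
}

# Join home and UserDir, collapse "." and "..", print "<path> <depth>".
resolve_webdir() {
    printf '%s/%s\n' "$1" "$2" | awk -F/ '{ out = ""; depth = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "" || $i == ".") continue
            if ($i == "..") { if (depth > 0) { sub("/[^/]*$", "", out); depth-- }; continue }
            out = out "/" $i; depth++
        }
        print (out == "" ? "/" : out), depth }'
}

# Print "user:webdir" for each exposed account; return 1 if any, else 0.
find_exposed_users() {   # $1 = passwd file, $2 = httpd.conf
    passwd=$1; conf=$2; rc=0
    dir=$(userdir_setting "$conf"); skip=" $(userdir_disabled_users "$conf")"
    case "$dir" in [Dd]isabled|/*) return 0 ;; esac   # off globally, or not home-relative
    while IFS=: read -r user _ _ _ _ home _; do
        case "$skip" in *" $user "*) continue ;; esac
        resolved=$(resolve_webdir "$home" "$dir")
        if [ "${resolved##* }" -lt 2 ]; then printf '%s:%s\n' "$user" "${resolved% *}"; rc=1; fi
    done < "$passwd"
    return $rc
}

# Constructed sample files: nobody's home is "/" and UserDir "./", as in the advisory.
make_samples() {   # $1 = directory to write into
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' 'nobody:x:99:99:Nobody:/:/bin/false' \
        'www:x:101:101:web:/tmp:/bin/false' 'alice:x:1000:1000:Alice:/home/alice:/bin/sh' > "$1/passwd"
    printf '%s\n' '# constructed: the setting from the advisory' 'UserDir ./' > "$1/httpd_bad.conf"
    printf '%s\n' 'UserDir public_html' 'UserDir disabled root nobody www' > "$1/httpd_good.conf"
}
```

    Run it against the real /etc/passwd and httpd.conf with `find_exposed_users /etc/passwd /path/to/httpd.conf`; a non-zero exit means at least one ~user URL would serve a system directory.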