Problems serving user home pages using NCSA httpd 1.4.1

Post by Richard Eckm » Wed, 07 Jun 1995 04:00:00



  I'm having problems getting my NCSA httpd to serve user-supplied
html files.  My error log keeps giving errors like:

[Tue Jun  6 08:04:29 1995] httpd: access to /usr8/users/eckman/public_html/public_html/index.html failed for xyz.xxx.nasa.gov, reason: file permissions deny server access from -

  Yet, the relevant directory (~eckman/public_html) has permissions of 755
set and the relevant file (index.html) is set with a permission of 644.
  The lines in my access.conf file are:

<Directory /*/users/public_html*>
AllowOverride None
Options Indexes

<Limit GET>
order allow,deny
allow from all
</Limit>

</Directory>

  I'm running NCSA httpd v1.4 on a DEC Alpha workstation running Digital
UNIX v3.2.  Any ideas what the problem may be?

Richard Eckman
NASA Langley Research Center
Hampton, VA

 
 
 

Post by Joseph You » Sat, 10 Jun 1995 04:00:00


It appears that if you turn off FollowSymLinks for your user directories,
and if the path to your user's home directory contains symlinks, then
NCSA httpd will fail when it hits the symlink.  At the time that it tests
the path for symlinks, in http_access.c:evaluate_access(), the user's path
has been resolved from /etc/passwd and the checker does not know that it
is looking at a user's home directory.

A fix, should someone else like to work on this, would be to take the path
obtained for the user directory in http_alias.c:translate_name() and resolve
any symlinks in the path.  This way, the user's directories can be restricted
to SymLinksIfOwnerMatch or None.  I don't know of a good way to remove all of
the symlinks from the path, but if anyone else does, I'd love to hear about it.

---------------------------------------------------------

Information Resources Manager
Academic Computing                   voice: (909)621-8640
Harvey Mudd College                    fax: (909)621-8237

 
 
 

Post by Wojciech Try » Sun, 11 Jun 1995 04:00:00


It should be .../users/eckman/public_html/index.html
or you have to change access.conf

--
 Wojciech Marek Tryc
 There is no limit ... just your imagination.
 http://www.trytel.com/

 
 
 

Post by Logan Ratn » Wed, 14 Jun 1995 04:00:00



>It appears that if you turn off FollowSymLinks for your user directories,
>and if the path to your user's home directory contains symlinks, then
>NCSA httpd will fail when it hits the symlink.  At the time that it tests
>the path for symlinks, in http_access.c:evaluate_access(), the user's path
>has been resolved from /etc/passwd and the checker does not know that it
>is looking at a user's home directory.

This is a problem we've just noticed ourselves. Here's some further thoughts:

1. If the /home/<userid> symlink (or equivalent) were owned by <user>
the SymLinksIfOwnerMatch could be used instead.  However, this presents
two problems.
   1. If the link is created by amd then it will be owned by root.
   2. From a system security point of view, it should be owned by root anyway.

2. Given one, it occurs to us that only root-owned symlinks prevent
serving user's home directories with Symlink restrictions.

3. Therefore, our proposed solution, and a patch I am working on for
both httpd1.3R and for httpd1.4.1, is to 'bless' superuser-owned symlinks
and allow them to be followed despite access restrictions.  There will
actually be two options in the patch, one that treats root-owned symlinks
as matching any owner, and one that always follows root-owned symlinks.

This seems like a rational solution.  It allows home directories with
security restrictions, and only root can create security problems.
This seems acceptable, as if you can't trust root, you've got bigger
problems than web-served symlinks anyway.

I hope to have a patch tested and made available in a week or two,
and will announce to this group when done.

--

CRPC/CITI    |     tinker      | it is funny that he should be killed for so
Rice Univ.   |     tailor      | little, and the coin of his death should be
Houston TX   |    *naut    | what we call civilization - R. Chandler

 
 
 

Post by Steve Sto » Thu, 15 Jun 1995 04:00:00




>>It appears that if you turn off FollowSymLinks for your user directories,
>>and if the path to your user's home directory contains symlinks, then
>>NCSA httpd will fail when it hits the symlink.  At the time that it tests
>>the path for symlinks, in http_access.c:evaluate_access(), the user's path
>>has been resolved from /etc/passwd and the checker does not know that it
>>is looking at a user's home directory.

[some stuff removed]

>3. Therefore, our proposed solution, and a patch I am working on for
>both httpd1.3R and for httpd1.4.1, is to 'bless' superuser-owned symlinks
>and allow them to be followed despite access restrictions.  There will
>actually be two options in the patch, one that treats root-owned symlinks
>as matching any owner, and one that always follows root-owned symlinks.

I had this exact problem a short while ago.  I followed the same logic
that's presented here since it would make sense that if the symlink is
owned by root then it should be taken as being correct and not a security
hole (if you can't trust this then you've got bigger problems :)

Well, what I did was to add another option like SymLinksIfOwnerMatch called
SymLinksIfOwnerRoot.  It behaves just like the former but it will always
follow a symlink if it is owned by root.  You can find the patch at
http://www.umd.umich.edu/~sstock/src/, it's based on ncsa httpd 1.4, but
I don't think 1.4.1 can be that different...
I mailed this to the NCSA httpd development team, but never heard back
(they are probably busy anyway).

Hope this helps!
--

Steve Stock

 
 
 

1. Problems accessing home pages with NCSA httpd 1.5.1

I'm having problems trying to get user home pages to work on my server.
I believe I have set the correct configuration in the access.conf, and
I have set the correct file privileges under Unix, so why do I keep
getting "Error 403" messages?

UserDir is set to html_pub and here is the part of the access.conf
that is set for the user home pages.

<Directory /*/html_pub*>
AllowOverride None
Options Indexes
<Limit GET>
order allow,deny
allow from all
</Limit>
</Directory>

And the page in particular is: http://stella.ich.ucl.ac.uk/~alapthor

Many thanks

Alan
--
         Alan Lapthorn           | Tel: (++44) (0)171 242 9789 x 2624
   Information Systems Unit      | Fax: (++44) (0)171 242 1324

30 Guilford St, London, WC1N 1EH | http://www.ucl.ac.uk/~rmyajal
