Security problem in UserDir directories

Post by John Wingfiel » Sun, 30 May 1999 04:00:00



I have tried to set up both the DocumentRoot and the UserDir directories
so that they are restricted to the local domain for the time being.
While this works fine for DocumentRoot, the UserDir directories can be
accessed from anywhere.  Can anyone see a mistake in the following?

Thanks for your help!

John.

<Directory />
    AllowOverride None
    Options None
    Order deny,allow
    Deny from all
</Directory>

UserDir public_html
UserDir disabled
UserDir enabled jw96

<Directory /home/*/public_html>
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Allow from [domains are here]
    </Limit>
    <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
        Order deny,allow
        Deny from all
    </Limit>
</Directory>

Post by Raghura » Wed, 02 Jun 1999 04:00:00


Hello John,

It MAY be the missing "Deny from all" in

>     <Limit GET POST OPTIONS PROPFIND>
>         Order allow,deny
>         Allow from [domains are here]
>     </Limit>

--
Best regards,
Raghuram

Disclaimer: My opinions are my own


> I have tried to set up both the DocumentRoot and the UserDir directories
> so that they are restricted to the local domain for the time being.
> While this works fine for DocumentRoot, the UserDir directories can be
> accessed from anywhere.  Can anyone see a mistake in the following?

> Thanks for your help!

> John.

> <Directory />
>     AllowOverride None
>     Options None
>     Order deny,allow
>     Deny from all
> </Directory>

> UserDir public_html
> UserDir disabled
> UserDir enabled jw96

> <Directory /home/*/public_html>
>     AllowOverride None
>     Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
>     <Limit GET POST OPTIONS PROPFIND>
>         Order allow,deny
>         Allow from [domains are here]
>     </Limit>
>     <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
>         Order deny,allow
>         Deny from all
>     </Limit>
> </Directory>

1. Apache: UserDir <Directory...> problem

Hi all.
I've got a problem with UserDir directories' properties.
I use Apache 1.3.6 on Digital Unix 4.0e.

In my httpd.conf file I have the following:
#-------------------------------------
UserDir public_html

<Directory /*/public_html>
    AllowOverride All
    Options MultiViews Indexes ExecCGI
    order allow,deny
    allow from all
</Directory>
#-------------------------------------
But commands in <Directory>...</Directory> section don't work! They have
no meaning at all (for example when I put "deny from all" in place of
"allow from all" I still have access to my UserDir directory). When I
define <Directory> section for my UserDir directory with absolute path
(<Directory /home/mariusz/public_html>), all is ok.
I suspect the statement "/*/public_html" - is this correct? It was in
default httpd.conf file.

Thanks in advance
Mariusz Rustecki
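
Added example, not part of the thread and not Apache's own code: a small Python model of the rule in Apache's documentation for <Directory> that wildcards do not match a "/" character, used to check which UserDir paths a section pattern actually covers. The sample paths are constructed, the function names are hypothetical, and only "*" and "?" are modelled.

```python
import re

# Constructed sample paths; real home directory layouts vary per system.
SAMPLE_PATHS = [
    "/home/mariusz/public_html/index.html",
    "/home/jw96/public_html/cgi/test.cgi",
    "/home/staff/jw96/public_html/index.html",
]

def directory_glob_to_regex(pattern):
    """Translate a <Directory> wildcard path; '*' and '?' never match '/'."""
    out = []
    for ch in pattern.rstrip("/"):
        if ch == "*":
            out.append("[^/]*")      # stays inside one path component
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out) + r"\Z")

def section_applies(pattern, path):
    """True if the pattern matches the path itself or one of its parent
    directories, which is when the section's directives are in effect."""
    if pattern == "/":
        return path.startswith("/")
    rx = directory_glob_to_regex(pattern)
    parts = path.rstrip("/").split("/")
    # Candidate directories: "/home", "/home/mariusz", ... up to the full path.
    prefixes = ("/".join(parts[:i]) for i in range(2, len(parts) + 1))
    return any(rx.match(prefix) for prefix in prefixes)

def uncovered(patterns, paths):
    """Paths that no listed section pattern covers, so its access rules
    are silently ignored for them."""
    return [p for p in paths
            if not any(section_applies(g, p) for g in patterns)]

if __name__ == "__main__":
    for pat in ("/*/public_html", "/home/*/public_html"):
        print(pat, "leaves uncovered:", uncovered([pat], SAMPLE_PATHS))
```

A path reported as uncovered falls back to whatever enclosing section does match it, such as <Directory />, so the intended access restrictions need a pattern with the right number of path components.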
