Subject: Re: your mail
From: Shelagh Pepper (spepperWLU.CA)
Date: Fri Jul 07 2000 - 11:11:37 CDT


You can compile Apache without UserDir, you can totally disable UserDir, or
you can enable UserDir only for specific users.

e.g.
UserDir public_html
UserDir disabled
UserDir enabled 11a

(see http://www.apache.org/docs/mod/mod_userdir.html for more information.)

Shelagh
At 04:46 PM 7/7/00 +0200, Bluefish wrote:
>As you'll see in following example, if the webserver cannot access ~11a,
>it will return 403. If it can access ~11a, then it will behave as you say.
>On my setup this is not a big issue, but if someone runs a large site
>which offers web, this should be kept in mind.
>
>I wouldn't scream "it's a bug", but a webserver running apache must assume
>their users to be known. To tell people who want their directory o-rxw
>that they cannot because of the security concern isn't really an option,
>eh? ;-)
>
>On the other hand, these 403 responses are helpful to most users when
>they set up their system. A possible solution for an administrator of a
>site which really wants this to go away is to make both 403 and 404 become a
>302 (page moved) referring to your "hey this is 404"-file. This is done by
>simply setting the errorpages to complete URLs (alas, specify the path as
>http://server/file, not /localpath/file).
>
>Hope this clears up the issue!
>
>
>[11ablue allied]$ ls -ld . .html ; wget -O - 'http://127.0.0.1/~11a'
>ls: .html: No such file or directory
>drwxr-xr-x 17 11a 515 2048 Jul 7 16:34 .
>--16:35:04-- http://127.0.0.1:80/%7E11a
> => `-'
>Connecting to 127.0.0.1:80... connected!
>HTTP request sent, awaiting response... 404 Not Found
>16:35:04 ERROR 404: Not Found.
>
>[11ablue allied]$ chmod 750 .
>[11ablue allied]$ ls -ld . .html ; wget -O - 'http://127.0.0.1/~11a'
>ls: .html: No such file or directory
>drwxr-x--- 17 11a 515 2048 Jul 7 16:34 .
>--16:35:42-- http://127.0.0.1:80/%7E11a
> => `-'
>Connecting to 127.0.0.1:80... connected!
>HTTP request sent, awaiting response... 403 Forbidden
>16:35:42 ERROR 403: Forbidden.
>
>
>..:::::::::::::::::::::::::::::::::::::::::::::::::..
> http://www.11a.nu || http://bluefish.11a.nu
> eleventh alliance development & security team
>
> > T> When we do www.redhatserver.com/~validlogin we get a 403, when we
> try with
> > T> another login (which is not valid) we get a 404.
> >
> > This only depends on existence of public_html directory in user's
> > home. If user has no public_html you will also get 404. Use of the
> > user's dir is configurable. By default
> > UserDir public_html
> > is in srm.conf
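An added configuration example, not taken from any post in this thread, that puts the directives discussed above side by side: the default setting under which a request for ~user tells an existing account (403 when the home directory is unreadable) apart from a missing one (404), the two ways Shelagh describes of turning UserDir off or limiting it to named accounts, and Bluefish's suggestion of pointing both error codes at a full URL so the client sees a 302 either way. The directive names are Apache 1.3 mod_userdir and core syntax; the account names, the host www.example.com and the file notfound.html are placeholders.

```apache
# --- Weak (the srm.conf default quoted in the thread) ---
# Every account with a ~/public_html is served.  A request for /~name then
# answers 403 if the account exists but its home is not readable by the
# server, and 404 if there is no such account, so the status code alone
# confirms whether a login name is valid.
UserDir public_html

# --- Hardened, option 1: no per-user directories at all ---
# Every /~name request now gets the same 404, whatever the account.
UserDir disabled

# --- Hardened, option 2: per-user directories for named accounts only ---
# "disabled" switches everyone off, then "enabled" lists the exceptions.
# Only the listed names are ever looked up; all other /~name requests are
# 404 regardless of whether the account exists.  (Account names are placeholders.)
UserDir public_html
UserDir disabled
UserDir enabled 11a webteam

# --- Masking the 403/404 difference where UserDir must stay on ---
# Giving ErrorDocument a full http:// URL makes Apache redirect (302) to it
# instead of serving a local page, so both error cases look identical to the
# client.  Host and file name are placeholders.
ErrorDocument 403 http://www.example.com/notfound.html
ErrorDocument 404 http://www.example.com/notfound.html
```

After editing, `apachectl configtest` reports a typo such as `UserDir enable` before the server is restarted. The ErrorDocument redirect only hides the status code; where nobody needs ~user pages, `UserDir disabled` removes the distinguishing behaviour rather than papering over it.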