Bugtraq: Re: Mandrake 5.3/7.0, RedHat 5.2/5.3/6.0 + Apache BUG

From: Daniel Garcia <dgarcia_at_HOLLYFELD.ORG>
Date: Tue, 1 Aug 2000 16:29:52 -0400

On Mon, 31 Jul 2000, Kasatenko Ivan Alex. wrote:
> Lately my users helped me (in a way they call this ``hacking'' :) to
> discover one unpleasant feature: a home catalog of ``nobody'' user is
> "/" on most Mandrake's and RedHat's (any others?) I've seen, and with
> such a setting in the httpd.conf (I assume this is typical?)...
> > # UserDir: The name of the directory which is appended onto a user's home
> > # directory if a ~user request is recieved.
> >
> > UserDir ./
> .. any user may go to, for example,
> http://www.malconfigured-host.com/~nobody/etc/ and get a list of files
> in the /etc catalog. I assume this is a hole.

UserDir is actually typically set to public_html - or some such. I have
never seen a site set up with UserDir set to './' - but needless to say,
that's a Very Bad[tm] way to set things up.

I'm fairly certain that default installs of apache (and the distros that install
apache by default) have this set to public_html.

Cheers,

--Dg

We must know; we will know
| http://hollyfeld.org | http://silentnoise.org | http://aumlaut.net |
w | email/dgarcia_at_silentnoise.org | mp3/www.mp3.com/sol3 | g
Listen to Silent Screams: http://silentnoise.org/screams
np on Silent Screams: Aumlaut 4.1 by Aumlaut
Received on Aug 02 2000
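The exposure discussed in this thread comes from two settings combining: a relative `UserDir` value (here `./`) that Apache appends to the account's home directory, and a system account such as `nobody` whose home directory is `/`. The checker below is an added example, not code from the thread or from the Apache project. It parses an httpd.conf fragment and a passwd-style account list (both constructed inline for the example) and reports every account whose `~user` URL would be served from the filesystem root. It is a simplification: it only handles the directory form of `UserDir` and the bare `disabled` keyword, not per-user enable/disable lists.

```python
"""Hardening check for the UserDir / home-directory combination (added example)."""
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample inputs modelled on the thread; not real system files.
SAMPLE_HTTPD_CONF = """\
# UserDir: The name of the directory which is appended onto a user's home
# directory if a ~user request is received.

UserDir ./
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
"""


def parse_userdir(conf_text: str) -> Optional[str]:
    """Return the value of the last uncommented UserDir directive, or None."""
    value = None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(?i)^UserDir\s+(.+)$", line)
        if m:
            value = m.group(1).strip().strip('"')
    return value


def parse_passwd(passwd_text: str) -> Dict[str, str]:
    """Map account name -> home directory from passwd-style lines."""
    homes: Dict[str, str] = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7:
            homes[fields[0]] = fields[5]
    return homes


def resolve_userdir_root(userdir: str, home: str, user: str) -> str:
    """Directory Apache would serve for ~user.

    An absolute UserDir gets the user name appended to it; a relative one is
    joined onto the account's home directory. normpath collapses "/./" to "/".
    """
    if userdir.startswith("/"):
        return os.path.normpath(os.path.join(userdir, user))
    return os.path.normpath(os.path.join(home, userdir))


def find_exposed_accounts(conf_text: str, passwd_text: str) -> List[Tuple[str, str]]:
    """Return (account, served_root) pairs where ~account would expose '/'."""
    value = parse_userdir(conf_text)
    if value is None:
        return []
    tokens = value.split()
    # Simplification: treat any "disabled"/"enabled" form as not serving paths.
    if tokens[0].lower() in ("disabled", "enabled"):
        return []
    userdir = tokens[0]
    findings = []
    for user, home in parse_passwd(passwd_text).items():
        root = resolve_userdir_root(userdir, home, user)
        if root == "/":
            findings.append((user, root))
    return findings


if __name__ == "__main__":
    for user, root in find_exposed_accounts(SAMPLE_HTTPD_CONF, SAMPLE_PASSWD):
        print(f"WARNING: ~{user} would be served from {root}")
```

On the sample input the only finding is `nobody`, whose home `/` joined with `./` normalises to `/`; `root` and `alice` resolve to `/root` and `/home/alice`, which is why the same directive is far less dangerous for ordinary accounts. The fix is the one the reply suggests: set `UserDir public_html` so that only a directory the user deliberately creates is served, and use `UserDir disabled` for system accounts that should never have a `~user` URL at all.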