Visit Jeremy's Blog.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 08-16-2006, 06:45 AM   #1
Registered: Feb 2006
Distribution: Redhat 9
Posts: 38

Rep: Reputation: 15
~username poses a security problem

i have just configured a apache web server. i have also inserted the feature of ~username by making the necessary changes in httpd.conf file. the above works fine in the browser where the user gets to see the contents of public_html in his home directory. but at the same time any user can get to see the contents of the other users home directory in a shell.
suppose user u1 issues the command $ cp /home/u2/file.txt . it will work because the directory /home/u2 has execute permissions in others(for the browser stuff to work) . i know this could be overcome by changing the umask. but is there an other way of getting through this ?

thanks in advance....
Old 08-16-2006, 10:37 AM   #2
Registered: Aug 2004
Location: India
Distribution: Redhat 9.0,FC3,FC5,FC10
Posts: 257

Rep: Reputation: 30
Can user2...through the browser get to the home directory of user1?...if thats happening then its not good...I know that by default its 755?? for all users when their home directories get why not change the perms to 700 so only the user can execute....

[arvind@attack home]$ ll
total 16
drwxr-xr-x 24 arvind wheel 4096 Aug 16 21:03 arvind
drwxr-xr-x  3 test   test  4096 Aug 16 21:04 test
[arvind@attack home]$ cd test
[arvind@attack test]$ ll
total 0
[arvind@attack test]$ ls -la
total 64
drwxr-xr-x 3 test test 4096 Aug 16 21:04 .
drwxr-xr-x 4 root root 4096 Aug 16 21:03 ..
-rw------- 1 test test   47 Aug 16 21:04 .bash_history
-rw-r--r-- 1 test test   24 Aug 16 21:03 .bash_logout
-rw-r--r-- 1 test test  191 Aug 16 21:03 .bash_profile
-rw-r--r-- 1 test test  124 Aug 16 21:03 .bashrc
-rw-r--r-- 1 test test  120 Aug 16 21:03 .gtkrc
drwxr-xr-x 3 test test 4096 Aug 16 21:03 .kde
[arvind@attack test]$
[arvind@attack test]$
[arvind@attack test]$ su -test
su: invalid option -- t
Try `su --help' for more information.
[arvind@attack test]$ su - test
[test@attack ~]$ cd ..
[test@attack home]$ chmod -R 700 test
[test@attack home]$ ll
total 16
drwxr-xr-x 24 arvind wheel 4096 Aug 16 21:04 arvind
drwx------  3 test   test  4096 Aug 16 21:04 test
[test@attack home]$ logout
[arvind@attack test]$ ll
ls: .: Permission denied
[arvind@attack test]$ cd ..
[arvind@attack home]$ cd test
bash: cd: test: Permission denied
[arvind@attack home]$
Shouldnt this be fine? ... If you want to automate this for every user you add just put in a command in /etc/profile for changing permissions of each new user...

You dont need to play around with the umask at all.
Let me know if this helps...

Old 08-18-2006, 01:18 PM   #3
Registered: Jun 2002
Location: Netherlands - Amsterdam
Distribution: RedHat 9
Posts: 549

Rep: Reputation: 30
Just make the home dirs 750 and chown the group to apache. That way only the user can write in the directory and apache can read and execute everything it needs.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Trojan poses as Firefox extension LXer Syndicated Linux News 0 07-27-2006 08:21 PM
username problem converting from NT mstouffel Linux - General 1 11-29-2005 04:20 PM
useradd: invalid username username$ engyeow Fedora 5 12-05-2004 04:35 AM
New install username problem sipickles Linux - Newbie 1 03-06-2004 07:58 AM
up2date problem with username ntloser Linux - Software 7 10-07-2003 12:54 AM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:54 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration