LinuxQuestions.org
Old 08-16-2006, 07:45 AM   #1
sambyte
Member
 
Registered: Feb 2006
Distribution: Redhat 9
Posts: 38

Rep: Reputation: 15
~username poses a security problem


Hello,
I have just configured an Apache web server. I have also inserted the feature of ~username by making the necessary changes in the httpd.conf file. The above works fine in the browser, where the user gets to see the contents of public_html in his home directory. But at the same time any user can get to see the contents of the other users' home directories in a shell.
Suppose user u1 issues the command $ cp /home/u2/file.txt . It will work because the directory /home/u2 has execute permissions for others (for the browser stuff to work). I know this could be overcome by changing the umask, but is there another way of getting through this?

Thanks in advance....
 
Old 08-16-2006, 11:37 AM   #2
live_dont_exist
Member
 
Registered: Aug 2004
Location: India
Distribution: Redhat 9.0,FC3,FC5,FC10
Posts: 257

Rep: Reputation: 30
Can user2... through the browser get to the home directory of user1? ... If that's happening then it's not good... I know that by default it's 755?? for all users when their home directories get created... so why not change the perms to 700 so only the user can execute....

Code:
[arvind@attack home]$ ll
total 16
drwxr-xr-x 24 arvind wheel 4096 Aug 16 21:03 arvind
drwxr-xr-x  3 test   test  4096 Aug 16 21:04 test
[arvind@attack home]$ cd test
[arvind@attack test]$ ll
total 0
[arvind@attack test]$ ls -la
total 64
drwxr-xr-x 3 test test 4096 Aug 16 21:04 .
drwxr-xr-x 4 root root 4096 Aug 16 21:03 ..
-rw------- 1 test test   47 Aug 16 21:04 .bash_history
-rw-r--r-- 1 test test   24 Aug 16 21:03 .bash_logout
-rw-r--r-- 1 test test  191 Aug 16 21:03 .bash_profile
-rw-r--r-- 1 test test  124 Aug 16 21:03 .bashrc
-rw-r--r-- 1 test test  120 Aug 16 21:03 .gtkrc
drwxr-xr-x 3 test test 4096 Aug 16 21:03 .kde
[arvind@attack test]$
[arvind@attack test]$
[arvind@attack test]$ su -test
su: invalid option -- t
Try `su --help' for more information.
[arvind@attack test]$ su - test
Password:
[test@attack ~]$ cd ..
[test@attack home]$ chmod -R 700 test
[test@attack home]$ ll
total 16
drwxr-xr-x 24 arvind wheel 4096 Aug 16 21:04 arvind
drwx------  3 test   test  4096 Aug 16 21:04 test
[test@attack home]$ logout
[arvind@attack test]$ ll
ls: .: Permission denied
[arvind@attack test]$ cd ..
[arvind@attack home]$ cd test
bash: cd: test: Permission denied
[arvind@attack home]$
Shouldn't this be fine? ... If you want to automate this for every user you add, just put in a command in /etc/profile for changing permissions of each new user...

You don't need to play around with the umask at all.
Let me know if this helps...

Cheers
Arvind
 
Old 08-18-2006, 02:18 PM   #3
pk21
Member
 
Registered: Jun 2002
Location: Netherlands - Amsterdam
Distribution: RedHat 9
Posts: 549

Rep: Reputation: 30
Just make the home dirs 750 and chown the group to apache. That way only the user can write in the directory and apache can read and execute everything it needs.
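
Added example, not part of the thread: a shell sketch of the check and fix discussed in posts #2 and #3. It classifies a home directory as open to other local users (the 755 case), closed to the web server as well (the 700 case), or limited to the owner plus the web server's group (the 750 case), and applies the 750 change. The function and script names are hypothetical; it assumes GNU stat and that the web server runs in the group given as the second argument ("apache" in post #3).

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes GNU stat (-c) and a web server running in group $2.

# classify_home DIR WEBGROUP (name or numeric gid) prints one of:
#   exposed      "other" has some access: any local user can list or enter DIR
#   web-blocked  no "other" access and WEBGROUP cannot enter: ~user URLs fail
#   ok           only the owner and WEBGROUP can enter DIR
classify_home() {
    dir=$1 webgroup=$2
    mode=$(stat -c '%a' "$dir") || return 2
    gname=$(stat -c '%G' "$dir") || return 2
    gid=$(stat -c '%g' "$dir") || return 2
    other=$((mode % 10))          # last octal digit: permissions for others
    grp=$(( (mode / 10) % 10 ))   # second-to-last digit: permissions for group
    if [ "$other" -ne 0 ]; then
        echo exposed
    elif { [ "$gname" = "$webgroup" ] || [ "$gid" = "$webgroup" ]; } &&
         [ $((grp & 1)) -eq 1 ]; then
        echo ok
    else
        echo web-blocked
    fi
}

# harden_home DIR WEBGROUP: the change from post #3, applied to the home
# directory itself only. Run as root (chgrp to a group the caller is not in
# fails otherwise).
harden_home() {
    chgrp "$2" "$1" && chmod 750 "$1"
}

# Usage: sh audit_homes.sh /home apache   (report only, changes nothing)
if [ "$#" -eq 2 ]; then
    for h in "$1"/*/; do
        [ -d "$h" ] || continue
        printf '%-12s %s\n' "$(classify_home "$h" "$2")" "$h"
    done
fi
```

Only the top-level home directory is changed; public_html and the files under it keep their existing modes, since other local users can no longer traverse the parent to reach them.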
 
  

