Re: An issue with Apache on Debian

From: Mikael Willberg (tymiwiat_private)
Date: Fri Apr 16 1999 - 07:48:14 PDT


    On Fri, 9 Apr 1999, Karellen wrote:
    >
    > That reminds me of something else. On Debian 2.0, after I read the Apache
    > manual I tried that neat example they suggest 'ln -s / ~/public_html'
    > lynx http://localhost/~username -- I actually got to see my root directory!
    > Any user with shell access could do this and allow people browse through your
    > /etc, /home and what not. To fix this, add the following lines to the top of
    > your /etc/apache/apache.conf.
    >
    > <Directory />
    > AllowOverride None
    > Options None
    > Order deny,allow
    > Deny from all
    > </Directory>
    
    I don't know what kind of configuration comes with Debian, but I suggest
    replacing the "FollowSymLinks" option with the "SymLinksIfOwnerMatch" option to
    prevent symlink misuse. This option makes the server follow symbolic links
    only if the link is owned by the same UID as the target of the link. And
    here is a little example:
    
    <Directory /home>
    ...
    Options ... SymLinksIfOwnerMatch ...
    ...
    </Directory>
    
    
    Mig
    
    --
    **** Mikael Willberg ***** "Oh dear", says God, "I hadn't thought of that" **
    * Hypermedia laboratory *  and promptly vanishes in a puff of logic.        *
    * University of Tampere *                                  (Douglas Adams)  *
    ******** Finland ********* http://www.uta.fi/~tymiwi/ ***********************
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:42:43 PDT