disabling file:///home/user viewing in apache on fc3
John Pierce
john.j35 at gmail.com
Wed Aug 10 12:55:56 UTC 2005
On 8/10/05, Paul Howarth <paul at city-fan.org> wrote:
> Ankush Grover wrote:
> > The permissions on a user's home directory are normally 700 or 770. But I
> > was able to view the contents of the home directories of any user,
> > including the root user's home directory, from the browser. I tried this with
> > about 5 users, and those users don't have any root privileges, they are
> > just normal users, but they were able to read the contents of root's and
> > other users' home directories, and that indeed is a security breach.
>
> I can't reproduce this here (fc4).
>
> Putting "file:///root/" in the firefox address bar does nothing.
>
> Putting "file:///my/home/directory/" browses to my directory.
>
> Can you browse other directories (e.g. /root) using nautilus?
>
> What's the output of "ls -ld / /root"?
>
> None of this is anything to do with apache btw - file:// URLs are
> handled directly by the browser and aren't sent to a server.
>
> Paul.
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>
I cannot reproduce that on a stock fc3 install. If I put file:///home
in the address bar I can see the home directories of all of the users, but I cannot
browse into any of them but my own.
One question: could you have changed the browser binary to be suid or
run with root permissions?
That's the only thing I can think of.
John
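A quick way to check the two things Paul and John ask about, the mode bits on the home directories (what "ls -ld / /root" shows) and whether the browser binary has ended up setuid, as an added shell example that is not part of the original thread. The function names are my own, and the directory and binary paths passed in are assumptions; nothing here changes any permissions.

```shell
#!/bin/sh
# Added example (not from the thread): audit which home directories grant
# any access to "other" users, and check a browser binary for the setuid bit.
# The paths you pass in (e.g. /home, /usr/bin/firefox) are assumptions.

# Print "<mode> <dir>" for each immediate subdirectory of $1 whose "other"
# permission digit has the read (4) or execute/search (1) bit set. A mode of
# 700 or 770 is never printed; 755 or 701 is, and that is the situation in
# which an unprivileged user's browser can list file:///home/<user>/.
world_accessible_homes() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        mode=$(stat -c '%a' "$d")       # e.g. 700, 755, or 1777 with sticky bit
        other=$(( mode % 10 ))          # last octal digit = "other" permissions
        if [ $(( other & 5 )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$d"
        fi
    done
}

# Return 0 (true) if the file at $1 carries the setuid bit, 1 otherwise.
# A setuid-root browser would explain being able to read /root from file://.
is_setuid() {
    [ -u "$1" ]
}

# Usage, run only when a directory is given on the command line:
#   sh audit_homes.sh /home /usr/bin/firefox
if [ "$#" -ge 1 ]; then
    echo "home directories readable or searchable by others:"
    world_accessible_homes "$1"
    if [ "$#" -ge 2 ]; then
        if is_setuid "$2"; then
            echo "WARNING: $2 is setuid"
        else
            echo "$2 is not setuid"
        fi
    fi
fi
```

The mode check reads only the "other" digit, so group-readable homes (770) are deliberately not reported; if the users in question share a group with root's home, extend the mask to the group digit as well.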