Bug 87979 - recommended way of enabling public_html exposes users' files in /home/user/
Summary: recommended way of enabling public_html exposes users' files in /home/user/
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: rhl-cg
Version: 9
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tammy Fox
QA Contact: Tammy Fox
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2003-04-04 09:08 UTC by sysadmin
Modified: 2007-04-18 16:52 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-04-05 15:50:10 UTC


Attachments (Terms of Use)

Description sysadmin 2003-04-04 09:08:32 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4a) Gecko/20030403

Description of problem:
The docs for enabling public_html for user joeblow instruct, in part:

chmod o+x /home/joeblow

And, by default, user files are created o+r.  

This combination allows anyone with a shell account to access the files in
/home/joeblow/ 

It seems to me that RHL's default configuration should not lead to this result.



Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
follow RH's recommended procedure for enabling public_html directories

Additional info:

Comment 1 sysadmin 2003-04-04 16:28:55 UTC
I forgot to mention that you'd have to know the name of a file in joeblow's home
directory in order to access it.

Comment 2 Tammy Fox 2003-04-04 16:32:02 UTC
Which RH documentation are you referring to? The component has been changed to
rhl-cg, but the Customization Guide doesn't include this information.

Comment 3 sysadmin 2003-04-05 10:49:12 UTC
i don't have them handy - maybe i was looking at some pre-upgrade docs - can you
tell me what the current recommended way of enabling public_html directories is?


Comment 4 Tammy Fox 2003-04-05 15:50:10 UTC
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-apache-config.html

Look for the UserDir directive.


Note You need to log in before you can comment on or make changes to this bug.