disabling file:///home/user viewing in apache on fc3
Paul Howarth
paul at city-fan.org
Wed Aug 10 11:59:45 UTC 2005
Ankush Grover wrote:
> the permissions on user's home directory are normally 700 or 770. But I
> was able to view the contents of the home directories of any user
> including root user home directory from the browser. I tried this with
> about 5 users and those users don't have any root privileges, they are
> just normal users, but they were able to read the contents of root and
> other user's home directory and that indeed is a security breach.
I can't reproduce this here (fc4).
Putting "file:///root/" in the firefox address bar does nothing.
Putting "file:///my/home/directory/" browses to my directory.
Can you browse other directories (e.g. /root) using nautilus?
What's the output of "ls -ld / /root"?
None of this is anything to do with apache btw - file:// URLs are
handled directly by the browser and aren't sent to a server.
Paul.
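
The permission check behind the `ls -ld` question above, as an added example that is not part of the original thread: it reads the "other" permission bits of each directory and flags any that users outside the owner and group can list. The function names are made up for this example, `stat -c` assumes GNU coreutils, and the scratch directories are constructed stand-ins for home directories.

```shell
#!/bin/sh
# Added example (not from the thread). other_access and audit_dirs are
# hypothetical helper names; stat -c is the GNU coreutils form.

# Print the rwx triplet that applies to users who are neither the owner
# nor in the group of directory $1, e.g. "---" for mode 700 or 770.
other_access() {
    mode=$(stat -c '%a' "$1") || return 2
    case "${mode#"${mode%?}"}" in        # last octal digit = "other" bits
        0) echo '---' ;; 1) echo '--x' ;; 2) echo '-w-' ;; 3) echo '-wx' ;;
        4) echo 'r--' ;; 5) echo 'r-x' ;; 6) echo 'rw-' ;; 7) echo 'rwx' ;;
    esac
}

# Report each directory given; return 1 if any of them lets other users
# both list and enter it (r and x set), 0 otherwise.
audit_dirs() {
    exposed=0
    for dir in "$@"; do
        [ -d "$dir" ] || { echo "skip: $dir is not a directory"; continue; }
        acc=$(other_access "$dir") || continue
        case "$acc" in
            r?x) echo "EXPOSED  $acc  $dir"; exposed=1 ;;
            *)   echo "ok       $acc  $dir" ;;
        esac
    done
    return "$exposed"
}

# Constructed demo: two scratch directories standing in for home directories.
demo=$(mktemp -d)
mkdir "$demo/alice" "$demo/bob"
chmod 700 "$demo/alice"
chmod 755 "$demo/bob"
audit_dirs "$demo/alice" "$demo/bob" || echo "at least one directory is listable by other users"
rm -rf "$demo"
```

The same check applies to every parent directory on the path, since a directory is only reachable if each component above it can be traversed.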