MLUG: RE: [MLUG] Re: [MLUG - DISCUSSION] Need help understanding the ~

Just want to jump in here: there is an additional risk you assume by
allowing all users (except root) to have a public_html folder. If you
also allow some sort of remote access (SSH, FTP), there are scripted
attacks out in the wild that will attempt to leverage a brute force
password attack by setting up a public_html folder, and then start
probing for weaknesses in your Apache setup. This works even for
non-privileged accounts (i.e. without a valid shell).

To mitigate the risk, if possible, I'd suggest explicitly enabling
UserDir for just the users that need it.

Here's my paranoid example (with PHP safe_mode enabled for good
measure):

# Name of the per-user directory, served as http://host/~user/
UserDir public_html

# Turn UserDir off for everyone, then opt in only the accounts that need it
UserDir disabled
UserDir enabled user1 user2 user3 user4

<Directory /home/*/public_html>
    AllowOverride All
    # SymLinksIfOwnerMatch: follow a symlink only when link and target share an owner
    # IncludesNoExec: server-side includes allowed, but not #exec
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec

    Order allow,deny
    Allow from all

    # php_admin_flag is set in the main config, so a user's .htaccess cannot undo it
    php_admin_flag safe_mode On

    # Accept only these methods; everything else (PUT, DELETE, ...) is refused below
    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS PROPFIND>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

--
HARDY POTTINGER <EMAIL:PROTECTED>
University of Missouri Library Systems
http://lso.umsystem.edu/~hardy/
"No matter how far down the wrong road you've gone,
turn back." --Turkish proverb
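
Added example, written here and not part of the post above or of Apache's own code: a small Python check that reads the UserDir directives out of a configuration like the one posted, works out which accounts mod_userdir will actually serve, and then lists accounts that have a public_html directory on disk without being on the enabled list. That directory is exactly the trace the scripted attack in the post leaves on a brute-forced, shell-less account, so it is a useful thing to alert on even though Apache will not serve it. The policy model follows the documented UserDir semantics (a bare `UserDir disabled` turns the feature off for all but explicitly enabled users; otherwise all but explicitly disabled users get one); the constructed /home tree, the account names bob and alice, and all function names are assumptions of this example.

```python
"""Added example: compare the UserDir allowlist in httpd.conf against the
~user/public_html directories that actually exist under /home."""
import os
import re
import tempfile
from typing import Dict, List, Optional, Set

# Constructed copy of the UserDir lines from the posted configuration.
POSTED_CONFIG = """
UserDir public_html
UserDir disabled
UserDir enabled user1 user2 user3 user4
"""


class UserDirPolicy:
    """Effective mod_userdir policy after all UserDir directives are read.

    Modelled on the documented semantics (assumption of this example):
    a bare 'UserDir disabled' serves nobody except users later named in
    'UserDir enabled'; without it, everybody is served except users named
    in 'UserDir disabled'.
    """

    def __init__(self) -> None:
        self.dirname: Optional[str] = None
        self.globally_disabled = False
        self.enabled: Set[str] = set()
        self.disabled: Set[str] = set()

    def allows(self, user: str) -> bool:
        if self.dirname is None:
            return False  # no directory name configured: nothing is served
        if self.globally_disabled:
            return user in self.enabled
        return user not in self.disabled


def parse_userdir(config_text: str) -> UserDirPolicy:
    """Collect UserDir directives from config text; '#' comments are ignored."""
    policy = UserDirPolicy()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"userdir\s+(.+)", line, re.IGNORECASE)
        if not match:
            continue
        args = match.group(1).split()
        keyword, names = args[0].lower(), args[1:]
        if keyword == "disabled":
            if names:
                policy.disabled.update(names)
            else:
                policy.globally_disabled = True
        elif keyword == "enabled":
            if names:
                policy.enabled.update(names)
            else:
                policy.globally_disabled = False
        else:
            policy.dirname = args[0]  # e.g. "public_html"; multi-path lists are not modelled
    return policy


def unexpected_userdirs(home_root: str, policy: UserDirPolicy) -> List[str]:
    """Return users whose ~/<dirname> exists although the config does not enable it.

    mod_userdir declines such a request, so nothing is served, but the directory
    itself is a signal: somebody created it on an account that should not need one.
    """
    if policy.dirname is None:
        return []
    found = []
    for user in sorted(os.listdir(home_root)):
        userdir = os.path.join(home_root, user, policy.dirname)
        if os.path.isdir(userdir) and not policy.allows(user):
            found.append(user)
    return found


def demo() -> Dict[str, object]:
    """Build a constructed /home tree in a temp dir and run the check against it."""
    with tempfile.TemporaryDirectory() as home:
        # user1 is on the allowlist; bob is not but has a public_html anyway;
        # alice has no such directory at all.
        for user, has_dir in (("user1", True), ("bob", True), ("alice", False)):
            os.makedirs(os.path.join(home, user), exist_ok=True)
            if has_dir:
                os.makedirs(os.path.join(home, user, "public_html"))
        policy = parse_userdir(POSTED_CONFIG)
        return {
            "allows_user1": policy.allows("user1"),
            "allows_bob": policy.allows("bob"),
            "unexpected": unexpected_userdirs(home, policy),
        }


if __name__ == "__main__":
    print(demo())
```

Run it against a real box by calling `unexpected_userdirs("/home", parse_userdir(open("/path/to/httpd.conf").read()))`; anything it prints is an account to look at, and an empty list is what the posted configuration should give on a clean host.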

_______________________________________________
members mailing list
EMAIL:PROTECTED
http://mlug.missouri.edu/mailman/listinfo/members