MLUG: Re: [MLUG] Re: [MLUG - DISCUSSION] Need help understanding the ~
This shouldn't present a security concern... but could.

You can use a vhost named after an account on the system, and that *would* give away something about your account store. Or you could just use the "old" tilde account name as the actual vhost name, and come up with some new guidelines for naming system accounts; an easy to follow scheme for a project called 'Project' in the department 'Department' would give something like "deptproj" or something. An individual's account will probably have to remain the same for ease of transition to the new server.

Something like this in your main server config should at least get you started:

  RewriteEngine on
  # $1 is the account name after the tilde, $2 is the rest of the path;
  # send a permanent (301) redirect to the per-user vhost on the new server.
  RewriteRule ^/~([^/]+)/?(.*) http://$1.new.domain/$2 [R=301,L]

That should match something in a userdir and do a permanent redirect as such:

  http://old.domain/~user/hello.html -> http://user.new.domain/hello.html

I don't see any problems doing things this way, other than maintaining a list of virtual host configs for each tilde user who wants to keep their former tilde account up and functioning. Apache's wildcard "Include" is a godsend in this case, and it's what I use to include an entire directory of vhost configs.

Hope this helps!

  ryan woodsmall
    EMAIL:PROTECTED


"Be well, do good work, and keep in touch." - Garrison Keillor




On Mar 20, 2008, at 4:14 PM, Christian M. Cepel wrote:

Unless this is just academic, I've explained myself poorly.

I'm just looking for a solution for our need to continue the existence of public URLs (example http://tiger.coe.missouri.edu/~vrcbd/) in a world where the powers that be insist that, due to the tilde and the security concerns associated, these addresses will be orphaned... and since they are orphaned, there is no need to continue DNS mappings like tiger.coe.missouri.edu to the new server coe3.missouri.edu. The issue is the security of the ~, so I think if the normal ~ resolving characteristics of the httpd.conf are removed and individual mappings are made for the domains, say tiger.coe.missouri.edu => coe3.missouri.edu, and then in the httpd.conf ~vrcbd => vrcbd.missouri.edu*... Will it? I don't care what the rest of the config is and how they lock the Apache server down to protect that machine... I just care about the above working. Will that itself present any security issues?

*this could also be to a file, say vrcbd.html which contains a notice to update one's bookmarks and then a timed meta refresh to the new URL http://vrcbd.missouri.edu/




Pottinger, Hardy J. wrote:
Just want to jump in here, there is an additional risk you assume by
allowing all users (except root) to have a public_html folder. If you
also allow some sort of remote access (SSH, FTP), there are scripted
attacks out in the wild that will attempt to leverage a brute force
password attack by setting up a public_html folder, and then start
probing for weaknesses in your Apache setup. Works even for
non-privileged accounts (i.e. without a valid shell).

To mitigate the risk, if possible, I'd suggest explicitly enabling
UserDir for just the users that need it.

Here's my paranoid example (with PHP safe_mode enabled for good
measure):

# Per-user web space is served from ~user/public_html
UserDir public_html

# Turn UserDir off for every account, then re-enable only the named ones
UserDir disabled
UserDir enabled user1 user2 user3 user4

<Directory /home/*/public_html>
   # Per-user .htaccess files may override any directive here
   AllowOverride All
   Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec

   Order allow,deny
   Allow from all

   # Forced on for all user directories; a .htaccess cannot undo php_admin_flag
   php_admin_flag safe_mode On

   # Allow only these HTTP methods and deny everything else
   <Limit GET POST OPTIONS PROPFIND>
       Order allow,deny
       Allow from all
   </Limit>
   <LimitExcept GET POST OPTIONS PROPFIND>
       Order deny,allow
       Deny from all
   </LimitExcept>
</Directory>

--
HARDY POTTINGER <EMAIL:PROTECTED>
University of Missouri Library Systems
http://lso.umsystem.edu/~hardy/
"No matter how far down the wrong road you've gone,
turn back." --Turkish proverb

_______________________________________________
members mailing list
EMAIL:PROTECTED
http://mlug.missouri.edu/mailman/listinfo/members


--
Christian M. Cepel - Thistledowne Productions - http://thistledowne.org
Computer Support Specialist, Sr. - University of Missouri - Columbia
College of Education - School of Info Science & Learning Technologies
VRCbd, KidTools & StrategyTools Support Systems Projects, and Truman,
Library Whistlestop Project - Web Design & Programming - 573.999.2370