Re: disabling file:///home/user viewing in apache on fc3

On 8/10/05, Paul Howarth <paul@xxxxxxxxxxxx> wrote:
> Ankush Grover wrote:
> > The permissions on a user's home directory are normally 700 or 770. But I
> > was able to view the contents of the home directories of any user,
> > including the root user's home directory, from the browser. I tried this with
> > about 5 users and those users don't have any root privileges; they are
> > just normal users, but they were able to read the contents of root's and
> > other users' home directories, and that indeed is a security breach.
> 
> I can't reproduce this here (fc4).
> 
> Putting "file:///root/" in the firefox address bar does nothing.
> 
> Putting "file:///my/home/directory/" browses to my directory.
> 
> Can you browse other directories (e.g. /root) using nautilus?
> 
> What's the output of "ls -ld / /root"?
> 
> None of this is anything to do with apache btw - file:// URLs are
> handled directly by the browser and aren't sent to a server.
> 
> Paul.
> 
I cannot reproduce that on a stock fc3 install. If I put file:///home,
I can see the home directories of all of the users, but I cannot
browse to any of them but my own.

One question: could you have changed the browser binary to be suid or
run with root permissions?

Only thing I can think of.

John
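
The checks suggested in this thread (the `ls -ld` mode of the directories, and whether the browser binary is suid), collected into one script. This is an added example, not part of the original messages; the function names are hypothetical, and `/home` and `firefox` are assumed defaults that can be overridden as the first and second arguments.

```shell
#!/bin/sh
# Added example: the diagnostic checks from the thread as reusable functions.
# Function names are hypothetical; /home and firefox are assumed defaults.

# Print the "other" permission triplet of a path, e.g. "---" or "r-x",
# taken from columns 8-10 of the mode string that `ls -ld` prints.
other_access() {
    ls -ldL -- "$1" | cut -c8-10
}

# List directories directly under $1 that users outside the owner and
# group can read or enter. Mode 700 or 770 produces no output.
audit_home_dirs() {
    for d in "$1"/*; do
        [ -d "$d" ] || continue
        o=$(other_access "$d")
        case $o in
            *[rxt]*) printf '%s %s\n' "$d" "$o" ;;
        esac
    done
}

# Succeed if the file has the setuid bit set.
is_setuid() {
    [ -u "$1" ]
}

main() {
    base=${1:-/home}
    browser=${2:-firefox}
    echo "Mode of / and /root (same data as ls -ld / /root):"
    ls -ld / /root 2>/dev/null || true
    echo "Home directories under $base open to other users:"
    audit_home_dirs "$base"
    if bin=$(command -v "$browser"); then
        if is_setuid "$bin"; then
            echo "WARNING: $bin is setuid"
        else
            echo "$bin is not setuid"
        fi
    else
        echo "$browser not found in PATH"
    fi
}

main "$@"
```

If `command -v` resolves to a wrapper script, repeat the `is_setuid` check on the binary that the wrapper executes.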

