Chris W l33t


Joined: 25 Jun 2002 Posts: 972 Location: Brisbane, Australia
Posted: Mon Jul 26, 2004 4:27 am Post subject:
The most obvious thing you've done wrong is to attempt to undo all the careful security measures built into the default commonapache2.conf, such as a global deny-access policy on files and directories, and then replace them with an inherently uncool thing. The <Directory path> directive applies permissions to a real directory path: in your case the Apache server will happily supply any file requested (i.e. anything under the root directory), including password files and the like. Whether this results in an exploitable weakness is a matter of luck in the remainder of the configuration. You should put this back the way it was:

Code:
### First, we configure the "default" to be a very restrictive set of
### permissions. Also, for security, we disable indexes globally.
###
### Restricted set of options:
###
### Everything below "/" is denied unless a later, more specific
### <Directory> block explicitly allows it.
<Directory />
    # No Indexes, no FollowSymLinks, no ExecCGI, no Includes, no MultiViews
    Options -All -Multiviews
    # .htaccess files cannot loosen anything here
    AllowOverride None
    <IfModule mod_access.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Directory>
The bit you are interested in, and seem to have removed or changed, is at around line 770 of commonapache2.conf. The default file also has FollowSymLinks active in /var/www/localhost/htdocs and its sub-directories:

Code:
###
### This should be changed to whatever you set DocumentRoot to.
###
<Directory /var/www/localhost/htdocs>
    #
    # This may also be "None", "All", or any combination of "Indexes",
    # "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    Options -Indexes FollowSymLinks MultiViews
    #
    # This controls which options the .htaccess files in directories can
    # override. Can also be "All", or any combination of "Options", "FileInfo",
    # "AuthConfig", and "Limit"
    #
    AllowOverride All
    #
    # Controls who can get stuff from this server.
    #
    <IfModule mod_access.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Directory>
Given that it should follow any symlink in /var/www/localhost/htdocs, the problem probably lies with the symlink. It may be pointing to a non-existent file, or it may be pointing to a file that the web server (i.e. user apache) has no permission to see/read. The first option is probably the most likely. On my system you get the error you describe if the symlink points nowhere, and a different one if the file is not readable.
_________________
Cheers,
Chris W
"Common sense: The collection of prejudices acquired by age 18." -- Einstein
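The post's diagnosis (a symlink under DocumentRoot that points nowhere, or at something the httpd user cannot read) can be checked without guessing from error pages. The script below is an added example, not code from the post, from Gentoo or from the Apache project: it walks a DocumentRoot, and for every symlink reports whether the target is missing, whether a process running as a given uid/gid could open it (execute bit on every directory on the way, read bit on the file, the same walk the kernel does for open(2), minus ACLs and capabilities), and whether the link resolves outside DocumentRoot, which is the case FollowSymLinks makes dangerous. The uid/gid numbers, the classification labels, the `trusted_prefix` shortcut for ancestors you know are world-searchable, and the throw-away fixture built by `build_demo_docroot()` are all assumptions made for the example; on a real box you would pass the numeric ids of the apache user and group.

```python
import os
import stat
import tempfile


def _perm(st, uid, gid, other_bit):
    """Does uid/gid hold permission `other_bit` (stat.S_IROTH / S_IXOTH)
    on the inode described by `st`? Owner, group and other bits are
    selected exactly as the kernel does for a plain file-mode check."""
    if st.st_uid == uid:
        return bool(st.st_mode & (other_bit << 6))
    if st.st_gid == gid:
        return bool(st.st_mode & (other_bit << 3))
    return bool(st.st_mode & other_bit)


def can_read(path, uid, gid, trusted_prefix=None):
    """Could a process running as uid/gid open `path` for reading?
    Every directory on the resolved path needs search (x) permission and
    the final file needs read (r). Directories at or above `trusted_prefix`
    are assumed searchable (assumption: use it for /, /var, ... that you
    have already checked). Root short-circuits to True."""
    if uid == 0:
        return True
    real = os.path.realpath(path)
    trusted = os.path.realpath(trusted_prefix) if trusted_prefix else None
    current = os.sep
    for part in real.split(os.sep)[1:-1]:
        current = os.path.join(current, part)
        if trusted is not None and os.path.commonpath([current, trusted]) == current:
            continue  # ancestor of (or equal to) the trusted prefix
        if not _perm(os.stat(current), uid, gid, stat.S_IXOTH):
            return False
    return _perm(os.stat(real), uid, gid, stat.S_IROTH)


def classify_symlink(link, docroot, uid, gid, trusted_prefix=None):
    """One of: dangling, escapes_docroot, unreadable, ok."""
    target = os.path.realpath(link)
    if not os.path.exists(target):
        return "dangling"          # target missing: the post's "points nowhere" case
    root = os.path.realpath(docroot)
    if os.path.commonpath([root, target]) != root:
        return "escapes_docroot"   # FollowSymLinks would serve a file outside htdocs
    if not can_read(target, uid, gid, trusted_prefix):
        return "unreadable"        # the post's "apache has no permission" case
    return "ok"


def audit_symlinks(docroot, uid, gid, trusted_prefix=None):
    """Map each symlink under docroot (relative path) to its classification."""
    results = {}
    for dirpath, dirnames, filenames in os.walk(docroot):  # does not follow links
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                results[os.path.relpath(path, docroot)] = classify_symlink(
                    path, docroot, uid, gid, trusted_prefix)
    return results


def build_demo_docroot():
    """Constructed fixture: a throw-away htdocs with one symlink of each kind.
    Returns (docroot, uid, gid); uid/gid are chosen so they never match the
    owner of the files, i.e. they stand in for an unprivileged apache user."""
    base = tempfile.mkdtemp(prefix="htdocs-demo-")
    os.chmod(base, 0o755)
    docroot = os.path.join(base, "htdocs")
    os.mkdir(docroot)
    os.chmod(docroot, 0o755)

    def write(path, text, mode):
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)

    write(os.path.join(docroot, "index.html"), "<h1>hello</h1>\n", 0o644)
    write(os.path.join(docroot, "private.html"), "secret\n", 0o600)
    write(os.path.join(base, "outside.txt"), "outside htdocs\n", 0o644)
    os.symlink("index.html", os.path.join(docroot, "link-ok"))
    os.symlink("missing.html", os.path.join(docroot, "link-dangling"))
    os.symlink("private.html", os.path.join(docroot, "link-unreadable"))
    os.symlink(os.path.join(base, "outside.txt"), os.path.join(docroot, "link-escape"))
    uid = 65534 if os.getuid() != 65534 else 65533   # assumed "nobody"-like ids
    gid = 65534 if os.getgid() != 65534 else 65533
    return docroot, uid, gid


def run_demo():
    """Build the fixture and audit it as the assumed unprivileged httpd user."""
    docroot, uid, gid = build_demo_docroot()
    return audit_symlinks(docroot, uid, gid, trusted_prefix=os.path.dirname(docroot))


if __name__ == "__main__":
    for link, verdict in sorted(run_demo().items()):
        print(f"{link:16} {verdict}")
```

The `escapes_docroot` class is the one worth acting on even when the site works: with `Options FollowSymLinks` in the htdocs block, any user who can create a symlink there can publish whatever the apache user can read. If you need symlinks at all, `SymLinksIfOwnerMatch` (follow the link only when link and target have the same owner) is the more conservative Apache option, and this audit tells you which existing links would stop working under it.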