Archive for August 2007
29
Apache Disabling users from publishing web contents
Posted by nguyen in Linux Docs
The default Apache installation in Debian permits users to publish content under $HOME/public_html. This content can be retrieved remotely using a URL such as: http://your_apache_server/~user.
If you do not want to permit this, you must edit the /etc/apache/httpd.conf configuration file and (in Apache 1.3) comment out the following module:
LoadModule userdir_module /usr/lib/apache/1.3/mod_userdir.so
If you are using Apache 2.0 you must remove the file /etc/apache2/mods-enabled/userdir.load or restrict the default configuration by modifying /etc/apache2/mods-enabled/userdir.conf.
However, if the module was linked statically (you can list the compiled-in modules by running apache -l), you must add the following to the Apache configuration file:
Userdir disabled
An attacker might still enumerate users, since the web server will answer with a 403 (Forbidden) rather than a 404 (Not Found). You can avoid this if you use the Rewrite module.
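A quick way to check which of the cases above applies to a given server, as an added example that is not part of the original post. It assumes the Debian Apache 2 layout (apache2.conf, httpd.conf, conf.d, mods-enabled and sites-enabled under the configuration root) and takes the compiled-in module listing as an optional second argument; the function name and its three result words are made up for this example.

```sh
#!/bin/sh
# Added example (not from the original post): report whether mod_userdir
# can still serve ~user content on a Debian-style Apache 2 installation.
#
# userdir_status [CONF_ROOT] [COMPILED_MODULES]
#   CONF_ROOT         configuration root, default /etc/apache2 (assumed layout)
#   COMPILED_MODULES  text of the compiled-in module listing (the "-l" output)
# Prints one of:
#   not-loaded  module is neither enabled in mods-enabled nor compiled in
#   disabled    module is present and a global "UserDir disabled" is configured
#   enabled     module is present and nothing disables it globally
userdir_status() {
    us_root=${1:-/etc/apache2}
    us_compiled=${2:-}
    us_loaded=no

    # Dynamic case: Debian enables a module through mods-enabled/<name>.load.
    if [ -e "$us_root/mods-enabled/userdir.load" ]; then
        us_loaded=yes
    fi

    # Static case: the module shows up as mod_userdir.c in the "-l" listing.
    case "$us_compiled" in
        *mod_userdir.c*) us_loaded=yes ;;
    esac

    if [ "$us_loaded" = no ]; then
        echo not-loaded
        return 0
    fi

    # Only files Apache actually reads are scanned (mods-available is skipped).
    # "UserDir disabled root" does not count: it disables one user only.
    # -q makes grep return 0 on a match even if some listed files are missing.
    if grep -qsiE '^[[:space:]]*UserDir[[:space:]]+disabled[[:space:]]*$' \
        "$us_root"/apache2.conf "$us_root"/httpd.conf "$us_root"/conf.d/* \
        "$us_root"/mods-enabled/*.conf "$us_root"/sites-enabled/*; then
        echo disabled
    else
        echo enabled
    fi
}

# Typical call on the server itself:
#   userdir_status /etc/apache2 "$(apache2 -l)"
```

A result of disabled means the module is still loaded, so the 403 versus 404 difference described above still applies; the check also does not look for later "UserDir enabled" lines that re-enable individual users.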
The way to enable modules
Enabling Apache modules on a Debian-based system
2. Adding modules:
Now, taking into account the structure of Apache, it is pretty easy to add modules to be loaded by Apache. Let’s assume that you want to add the mime_magic module. To do so, you can either:
* add it by hand:
$ cd /etc/apache2/mods-enabled
$ sudo ln -s ../mods-available/mime_magic.conf mime_magic.conf
$ sudo ln -s ../mods-available/mime_magic.load mime_magic.load
OR
* add it the Debian way with a2enmod:
$ sudo a2enmod
Which module would you like to enable?
Your choices are: actions asis auth_anon auth_dbm auth_digest auth_ldap cache cern_meta cgid cgi dav_fs dav deflate disk_cache expires ext_filter file_cache headers imap include info ldap mem_cache mime_magic php5 proxy_connect proxy_ftp proxy_http proxy rewrite speling ssl suexec unique_id userdir usertrack vhost_alias
Module name? mime_magic
Module mime_magic installed; run /etc/init.d/apache2 force-reload to enable.
That’s it: your module will now be loaded the next time you start Apache. You can actually avoid restarting Apache by asking it to simply reload its configuration:
$ sudo /etc/init.d/apache2 reload
And here you go: your newly added module is now loaded by Apache.
