Serious Vulnerability

Joined
Jun 11, 2003
Messages
4,915
Reaction score
68
Points
48
Location
Mount Vernon, WA
Your Mac's Specs
MacBook Pro 2.6 GHz Core 2 Duo 4GB RAM OS 10.5.2
OK, I have a serious vulnerability in the way that we are hosting websites on an Xserve that I administer.

The problem is with the way personal file sharing works. It allows users to view what is in their Sites folder by going to

(outdated link removed)

While this is great, it causes problems because we have their domain folder in their Sites folder, so for example:

/Users/username/Sites/domain.com/public_html/

So if a person goes to:

(outdated link removed)

they can view all the files etc. in that directory. Not good at all!

Does anyone know how I can turn off personal file sharing in OS X Server? The normal Sharing Preference does not allow me to do this.

Help!
 
OP
Murlyn
Well, I did something a bit different. I changed the default directories that are created when you create a user, so that within the Sites folder there would be a folder named personal/public_html/, and the index.html and images folders would be in the public_html directory. Then, within the httpd.conf file, I changed it so that a user's personal webpage would be found in Sites/personal/public_html, and this took care of all vulnerabilities. This means that within the Sites folder a user would have these folders:

personal/
domain.com/
another.com/

etc etc

And I am a happy sysadmin once again :)

Thanks!
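
An added example, not part of the original posts: a small audit of the layout change described above, assuming Apache's mod_userdir maps /~username/ to the `UserDir` path inside the user's home. The function names, the `another.com/public_html` path and the sample list are constructed for illustration.

```python
from pathlib import PurePosixPath

# Constructed sample: virtual-host document roots kept inside one user's Sites folder.
DOCROOTS = [
    "/Users/username/Sites/domain.com/public_html",
    "/Users/username/Sites/another.com/public_html",
]


def userdir_root(home, userdir):
    """Directory served as /~user/ for a relative UserDir value."""
    return PurePosixPath(home) / userdir


def exposed_via_userdir(home, userdir, docroots):
    """Return (docroot, url_path) for each docroot also reachable under /~user/.

    Works on path strings only; symlinks and Alias directives are not resolved.
    """
    root = userdir_root(home, userdir)
    user = PurePosixPath(home).name
    hits = []
    for docroot in docroots:
        try:
            rel = PurePosixPath(docroot).relative_to(root)
        except ValueError:
            continue  # docroot lies outside the personal web root
        suffix = "" if str(rel) == "." else f"{rel}/"
        hits.append((docroot, f"/~{user}/{suffix}"))
    return hits


if __name__ == "__main__":
    # Before: personal web root is the whole Sites folder.
    # After: personal web root is Sites/personal/public_html.
    for userdir in ("Sites", "Sites/personal/public_html"):
        hits = exposed_via_userdir("/Users/username", userdir, DOCROOTS)
        print(f"UserDir {userdir}: {len(hits)} docroot(s) exposed")
        for docroot, url in hits:
            print(f"  {url} -> {docroot}")
```
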
 