Re: installing joomla

> I solved it by:
> cd /var/www/html
> sudo mkdir tester
Ugh...  Make special areas (whether they be virtual hosts, or writable
areas, etc.) outside of the tree.  By way of example, you don't want
someone to be able to navigate into a virtual host by simply appending
the directory name to the end of some other website address.

e.g.  /var/www/html       (default website)
       /var/www/html/bad   (a badly filepathed virtual host)
       /var/www/better     (a better filepathed virtual host)

Let's say the first one is www.example.com, the second one is where
bad.example.com is served from, and the third is better.example.com.

I can get into bad.example.com by browsing www.example.com/bad

That's a bad idea if they're meant to be completely independent sites.
It also means you need to make up extra rules, to cover filepaths and
URIs, for each of the ways someone could access them, if you need to
impose restrictions on the /bad files differently from the default
website.  Otherwise, someone can sidestep your rules.  And break
anything that relies on them using the right URIs.

Contrariwise, I cannot get into better.example.com from any other
address, I have to enter it via its own address.

As I'm sure others have explained, writable areas should be kept
separate, in a similar fashion (outside of the tree). Applications that
write should only be able to write to their own special places. The
server should read from them, probably using that application in the
middle, to process the data.  You don't want someone to be able to
directly access the data, unless it's meant to be directly accessible.

If you have some application that insists you run your server in a
vulnerable manner, ditch it.  A shiny interface to a turd, is still an
interface to a turd.
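The layout problem Tim describes (a virtual host's DocumentRoot sitting inside another site's DocumentRoot, so bad.example.com is also reachable as www.example.com/bad) is easy to spot mechanically. The script below is an added example, not part of the thread and not Tim's or Roger's code: it writes a small constructed httpd config using the hostnames and paths from the message above, pulls out every DocumentRoot directive, and reports any that lies under another. Paths are assumed to contain no whitespace, and only DocumentRoot (not Alias or other mappings) is checked.

```shell
#!/bin/sh
# Added example: detect nested Apache DocumentRoot directives.
# The config written by write_sample_conf is constructed for this demo;
# hostnames and paths are the illustrative ones from the mailing-list post.

write_sample_conf() {
    # $1: path to write the sample httpd config to
    cat > "$1" <<'EOF'
# default website: www.example.com
DocumentRoot "/var/www/html"

<VirtualHost *:80>
    ServerName bad.example.com
    # badly filepathed: lives inside the default site's tree
    DocumentRoot "/var/www/html/bad"
</VirtualHost>

<VirtualHost *:80>
    ServerName better.example.com
    # better filepathed: its own tree, reachable only via its own name
    DocumentRoot "/var/www/better"
</VirtualHost>
EOF
}

# Print every DocumentRoot path in a config file, one per line.
# Apache directive names are case-insensitive; quotes and trailing
# slashes are stripped so paths compare cleanly.
list_docroots() {
    awk 'tolower($1) == "documentroot" {
             gsub(/"/, "", $2)
             sub(/\/+$/, "", $2)
             print $2
         }' "$1"
}

# For every pair of DocumentRoots, report the one that sits under another.
# Path A is inside path B when A begins with "B/" (a plain prefix match
# would wrongly flag /var/www/html2 as inside /var/www/html).
# Output format: "<inner> is inside <outer>".
find_nested_docroots() {
    roots=$(list_docroots "$1")
    for inner in $roots; do
        for outer in $roots; do
            case "$inner" in
                "$outer"/*) printf '%s is inside %s\n' "$inner" "$outer" ;;
            esac
        done
    done
}

# Stand-alone run against the constructed config.
conf=$(mktemp)
write_sample_conf "$conf"
echo "DocumentRoots found:"
list_docroots "$conf"
echo "Nested (reachable under another site's URL):"
find_nested_docroots "$conf"
rm -f "$conf"
```

Run it against a real installation with `find_nested_docroots /etc/httpd/conf/httpd.conf` (and each file in conf.d). Any line it prints is a site whose files can be fetched under a second hostname and path, so every access rule written for that site would have to be duplicated for the other path as well; the fix is the one Tim gives, which is to move the DocumentRoot out of the other site's tree.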


Thank you Tim
Unfortunately this confuses me more.
In basic terms, to do a test site on localhost, just for messing around or even serious development, means jumping through hoops, and no matter where in the system it resides, ownership and permissions make for vulnerability.

Our commercial ISP, one of the most globally secure and respected companies provides shared server /var/www/public_html where our sites are placed. I'm guessing this is the equivalent to /var/www/better, from the above example.

Apologies for doubling up but I found an error in my above comment..
The server has public_html as a link to /var/www, so I'm guessing it is really renaming /var/www to public_html, if that makes sense. This begs a question: is linking in this way more secure than actually using /var/www/html? I'm also guessing that apache still refers to /var/www/html but the link redirects somehow to a directory called public_html. I'll need to study up more on links to see whether public_html is a real directory or just a reference name.

I don't grasp the significance of a directory called /html or /better or /someothername except that httpd.conf refers to /html. It could equally refer to /someothername with the same vulnerability.
Are VirtualHosts more secure than /html?

<snip>
By way of example, you don't want
someone to be able to navigate into a virtual host by simply appending
the directory name to the end of some other website address.
</snip>

On my machine that would be localhost/whatever or for Rails localhost:3000/whatever. Wouldn't someone have to log in as me to do this? Does it not imply that no matter how frequently one changes IP addresses and takes other precautions the local system may probably be entirely vulnerable?
As usual in a fascinating discussion, there is a lot to understand and I am grateful to all who take time to explain.
Anyway, it's piqued my interest further.
Thank you
Roger

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org