1

I recently discovered that as long as I give a full path, my web server will serve any file on my file system it has read privileges to. In other words, something like

http://www.example.com/Users/john/Desktop/Costa%20Rica/DSC_0058.jpg

will happily be served by the web server. This is despite every DocumentRoot setting pointing to only /Library/WebServer/Documents.

Why is it that Apache serves the entire file system? Can it be turned off?

kqr
  • 91
  • 1
  • 9

2 Answers

4

Try looking for a <Directory /> section and make sure that any settings within that tag are restrictive.

Also check if mod_userdir is enabled and configured. Look for tags like UserDir

Safado
  • 4,786
  • 7
  • 37
  • 54
  • Thanks. Mind giving me some hint as to what kind of settings count as restrictive, and why there should be a `` at all? – kqr Apr 29 '15 at 15:01
  • The default package with CentOS has only two options: `Options FollowSymLinks` and `AllowOverride None`. Maybe post everything in your config between the and the following tags so we can see. – Safado Apr 29 '15 at 15:13
  • It's actually more likely that you have mod_userdir enabled. Check for any `UserDir` tags as well – Safado Apr 29 '15 at 15:18
  • I actually found this http://httpd.apache.org/docs/2.2/misc/security_tips.html#protectserverfiles which describes my situation pretty well. I'm looking into how to manage that. :) – kqr Apr 29 '15 at 15:22
  • It describes the two things I mentioned to you :) Good luck! – Safado Apr 29 '15 at 16:56
  • I finally managed to solve the problem... and it was real silly. If you're curious: http://serverfault.com/a/686696/284373 – kqr Apr 30 '15 at 09:46
0

I still have no idea what causes this.

I discovered that it was only serving files from /Users/john and not the rest of the file system (other than the correct document root for the server), so I assume it is something related to some clever OS X file sharing something something.

I checked for mod_userdir, which was not enabled. I checked all Directory and Location sections, none of which seems to enable access to files under /Users/john. Nothing in the configuration mentions john specifically, and I can't find any regex that would match that either. It does not seem to be related to the file extension (it would kind of make sense to "serve all images" or something, but it wasn't that either.)


So what I ended up doing after many hours was add a <Location /Users> section to my global httpd.conf where I disabled access for everyone, like so:

<Location "/Users">
        Order Deny,Allow
        Deny from all
</Location>

(Which is exactly what my <Directory /> section looks like too, for the record.)

This isn't the best of solutions but it appears to deny access to files which shouldn't be served.


Since this was what worked for me, I'll accept it as the answer. I'm thankful for the help given to me by Safado, and if anyone else comes by in the future and has any clues, please post them! It's likely this server will be in service for at least a while longer, and I'd be happy to try out a more proper solution if one exists.


Edit: Apparently someone had put a symlink Users -> /Users in the document root (I had previously ruled this out because it didn't serve any users' directories other than john). I'm guessing maybe for some reason the www-data user which runs Apache has filesystem permissions to read /Users/john but not the other directories inside /Users, but either way, removing the symlink solved my problem.

kqr
  • 91
  • 1
  • 9
  • 1
    Good catch. An option you can use to prevent accidents like this in the future would be to add `Options -FollowSymLinks` to your vhost OR find and remove `Options FollowSymLinks` from wherever it is being set (maybe ?) I don't remember if that's the exact syntax or if the scope needs to be inside a Directory or Location block, but essentially it removes the ability to use symlinks – Safado Apr 30 '15 at 14:49
  • Unfortunately I want it to follow symlinks within the document root, so I'll just have to be mindful of symlinks that escape out of it. :) @Safado – kqr Apr 30 '15 at 18:55
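Since the root cause here was a symlink inside the document root pointing out of it, and the asker wants to keep `FollowSymLinks` on, the practical check is to list such symlinks periodically. The following is an added example, not code from the thread: it walks a document root with `find`, resolves every symlink with `readlink -f`, and prints the ones whose target lies outside the root. The small directory tree it builds at the end is constructed for the demo; the document root path is the one from the question.

```shell
#!/bin/sh
# Added example (not from the thread): report symlinks under a document root whose
# target resolves to somewhere outside that root, the pattern that exposed
# /Users/john here. Usage: escaping_symlinks /Library/WebServer/Documents

escaping_symlinks() {
    # Resolve the root itself so a symlinked root (e.g. /tmp on macOS) compares cleanly.
    root=$(readlink -f "$1") || return 2
    # find does not follow symlinks by default, so only links physically inside the root are listed.
    find "$root" -type l 2>/dev/null | while IFS= read -r link; do
        target=$(readlink -f "$link" 2>/dev/null) || target="(unresolvable)"
        case "$target" in
            "$root"/*|"$root") ;;                        # stays inside the root: fine
            *) printf '%s -> %s\n' "$link" "$target" ;;  # escapes the root: report it
        esac
    done
}

# Demo on a constructed tree (not a real server):
demo=$(mktemp -d)
mkdir -p "$demo/htdocs/images" "$demo/Users/john"
ln -s "$demo/Users" "$demo/htdocs/Users"              # like the symlink found in the answer
ln -s "$demo/htdocs/images" "$demo/htdocs/img"        # stays inside the document root
echo "symlinks escaping $demo/htdocs:"
escaping_symlinks "$demo/htdocs"
rm -rf "$demo"
```

Run it from cron or a deploy hook against the real document root; an empty result means every symlink resolves back inside it. Note that `readlink -f` follows the whole chain, so a link to a link that eventually leaves the root is still reported.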