
User's Directories and security


Marcus Roberts
Nov 18, 1993, 11:09:19 AM
One of the "newish" features of NCSA's httpd is the user's directory concept,
with access to a user being specified as a URL of the form

http://<machine name>/~<user id>/

Whilst this is an excellent feature practically, it makes me wonder about
releasing your user id to the world. It seems to be growing in acceptance
that e-mail addresses should be advertised as initial.surname@machine or
something similar, rather than userid@machine. This avoids any potential
crackers being able to tie a host name and user id together in any break-in
attempts.

The URL outlined above seems to achieve this however - a paired user id and
hostname.

So - is there some way around this currently?
- could the existing user authentication stuff be expanded to store user
aliases and home directories
- is this a big problem anyway?

Thanks

Marcus

Server admin for <http://web.cs.nott.ac.uk/>

----
m.ro...@cs.nott.ac.uk Communications Research Group
Dept. of Computer Science
Nottingham University, UK


Rob McCool
Nov 19, 1993, 6:41:36 AM
Marcus Roberts (m...@trellis.cs.nott.ac.uk) wrote:
: One of the "newish" features of NCSA's httpd is the user's directory concept,
: with access to a user being specified as a URL of the form

: http://<machine name>/~<user id>/

: Whilst this is an excellent feature practically, it makes me wonder about
: releasing your user id to the world. It seems to be growing in acceptance
: that e-mail addresses should be advertised as initial.surname@machine or
: something similar, rather than userid@machine. This avoids any potential
: crackers being able to tie a host name and user id together in any break-in
: attempts.

Yes, but someone could just finger @ the machine and get the user id's
anyway...

: The URL outlined above seems to achieve this however - a paired user id and
: hostname.

: So - is there some way around this currently?
: - could the existing user authentication stuff be expanded to store user
: aliases and home directories
: - is this a big problem anyway?

A feature I left out is the ability to disable user directories entirely, or
to alias them. I am planning to get back to it..

What this would mean is that in the future, you could Alias /~Your.Name/ to
your home directory and disable the user-supported directories feature.

--
Rob McCool, ro...@ncsa.uiuc.edu
Software Development Group, National Center for Supercomputing Applications
It was working ten minutes ago, I swear...

Magnus Homann
Nov 19, 1993, 10:59:58 AM
>>>>> On 19 Nov 1993 11:41:36 GMT, ro...@ncsa.uiuc.edu (Rob McCool) said:

Rob> A feature I left out is the ability to disable user directories
Rob> entirely, or to alias them. I am planning to get back to it..

I tried (with httpd1.0a3?):

Directory /users
Method GET {
deny from all
}

... and it seemed to work. Perhaps it doesn't?

Homann
--
Magnus Homann Email: d0a...@dtek.chalmers.se
URL: http://www.dtek.chalmers.se/DCIG/d0asta.html

Rob McCool
Nov 19, 1993, 12:55:09 PM
Magnus Homann (d0a...@dtek.chalmers.se) wrote:
: I tried (with httpd1.0a3?):

: Directory /users
: Method GET {
: deny from all
: }

This works, but what I mean is an explicit way of disabling it (in case not
all of your users are in one directory).

Bjoern Stabell
Nov 22, 1993, 5:35:21 PM
In article <2cj19t$k...@vixen.cso.uiuc.edu>, ro...@ncsa.uiuc.edu (Rob McCool) writes:

] Magnus Homann (d0a...@dtek.chalmers.se) wrote:
] : I tried (with httpd1.0a3?):
]
] : Directory /users
] : Method GET {
] : deny from all
] : }
]
] This works, but what I mean is an explicit way of disabling it (in case not
] all of your users are in one directory).

A work-around (or even better solution?) is to disable all
directories except the ones mentioned in access.conf by
specifying (for NCSA httpd1.04a):

<Directory />
Options FollowSymLinks # DON'T let users run scripts
AllowOverride Limit FileInfo # ------------ " ------------
<Limit GET>
deny from all # or whatever you want
</Limit>
</Directory>

(or something even stricter) in access.conf.

To Rob: Perhaps you should have such an entry in your provided
access.conf file labelled "default access control" or something?
This is nice since often you'll want to have a different access
configuration for the main WWW-directory hierarchy and
"everything else" (including user directories which you have no
control over).


Bye,
--
Bjørn Stabell
(bjo...@staff.cs.uit.no)
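The default-deny scheme in the post above, as an added example that is not part of this thread and not NCSA httpd code: a small Python model that parses a constructed access.conf of that shape, maps a /~user/ URL onto that user's public_html directory, and applies the GET rules of the most specific <Directory> block covering the file. The DocumentRoot, the user-to-home map, the public_html directory name and the client hostnames are all assumed values.

```python
import re
# Constructed access.conf in the shape Bjoern describes (deny all under "/", re-open only the doc tree); every path, user and host is an assumed value.
ACCESS_CONF = """
<Directory />
<Limit GET>
deny from all
</Limit>
</Directory>
<Directory /usr/local/www/htdocs>
<Limit GET>
deny from all
allow from .cs.nott.ac.uk
</Limit>
</Directory>
"""
DOCUMENT_ROOT = "/usr/local/www/htdocs"  # assumed DocumentRoot
HOMES = {"marcus": "/home/marcus"}       # constructed user -> home map; web dir is public_html
def parse_access_conf(text):
    """Collect the allow/deny lines of each <Directory> block, in file order."""
    rules, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*<Directory\s+(\S+)>", line):
            current = m.group(1).rstrip("/") or "/"
            rules[current] = []
        elif current and (m := re.match(r"\s*(allow|deny)\s+from\s+(\S+)", line)):
            rules[current].append(m.groups())
        elif line.strip() == "</Directory>":
            current = None
    return rules

def map_url(path):
    """Translate a request path to a filesystem path; /~user/ maps to that user's public_html."""
    m = re.match(r"/~([^/]+)(/.*)?$", path)
    if not m:
        return DOCUMENT_ROOT + path
    home = HOMES.get(m.group(1))
    return None if home is None else f"{home}/public_html{m.group(2) or '/'}"

def check_get(path, client_host, rules):
    """Apply the longest <Directory> prefix covering the file; a later matching line wins."""
    if (fs_path := map_url(path)) is None:
        return "denied"  # unknown user: nothing to serve
    covering = [d for d in rules if fs_path.startswith(d.rstrip("/") + "/")]
    verdict = "denied"  # assumed default when no allow/deny line matches the client
    for verb, pattern in rules[max(covering, key=len)]:
        if pattern == "all" or client_host == pattern or client_host.endswith(pattern):
            verdict = "allowed" if verb == "allow" else "denied"
    return verdict
RULES = parse_access_conf(ACCESS_CONF)
```

With only "/" covering a user's home, a /~user/ request is denied for every client while the main tree stays reachable from the allowed domain.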

Rob McCool
Nov 23, 1993, 8:27:44 AM
Bjoern Stabell (bjo...@stud.cs.uit.no) wrote:
: To Rob: Perhaps you should have such an entry in your provided
: access.conf file labelled "default access control" or something?
: This is nice since often you'll want to have a different access
: configuration for the main WWW-directory hierarchy and
: "everything else" (including user directories which you have no
: control over).

A reasonable idea.

Peter Flynn
Nov 23, 1993, 10:33:20 AM

I'm just about to start delving into forms: there have been a few URLs
circulated which point at examples, but (of course) I didn't save them.
Could someone please point me at a few of them, and at where the specs
are (I couldn't find them at info.cern.ch :-) nor ncsa.uiuc.edu...)

///Peter

Rob McCool
Nov 23, 1993, 11:18:20 AM
Peter Flynn (pfl...@curia.ucc.ie) wrote:

: I'm just about to start delving into forms: there have been a few URLs
: circulated which point at examples, but (of course) I didn't save them.
: Could someone please point me at a few of them, and at where the specs
: are (I couldn't find them at info.cern.ch :-) nor ncsa.uiuc.edu...)

http://www/SDG/Software/Mosaic/Docs/fill-out-forms/overview.html

From there you'll find examples.

Frank Peters
Nov 23, 1993, 11:28:13 AM
In article <2ctd4c$c...@vixen.cso.uiuc.edu> ro...@ncsa.uiuc.edu (Rob McCool) says:
>Peter Flynn (pfl...@curia.ucc.ie) wrote:
>
>: I'm just about to start delving into forms: there have been a few URLs
>: circulated which point at examples, but (of course) I didn't save them.
>: Could someone please point me at a few of them, and at where the specs
>: are (I couldn't find them at info.cern.ch :-) nor ncsa.uiuc.edu...)
>
>http://www/SDG/Software/Mosaic/Docs/fill-out-forms/overview.html

For those of us outside of NCSA that would be:

http://www.ncsa.uiuc.edu/SDG/Software/Mosaic/Docs/fill-out-forms/overview.html

Nathan Torkington
Nov 23, 1993, 5:41:51 PM

Chris A. Shenefiel
Nov 23, 1993, 4:04:28 PM

I saw the reply post on where to find forms examples, but I couldn't get it
to work... Does anyone else know where to find forms examples?

Thanks

--------------------------------------------------------------------
Chris Shenefiel
Member Technical Staff

Opinions expressed do not reflect those of the management...
--------------------------------------------------------------------

Peter Flynn
Nov 24, 1993, 6:52:51 AM
In article c...@vixen.cso.uiuc.edu, ro...@ncsa.uiuc.edu (Rob McCool) writes:
>Peter Flynn (pfl...@curia.ucc.ie) wrote:
>
>: I'm just about to start delving into forms: there have been a few URLs
>: circulated which point at examples, but (of course) I didn't save them.
>: Could someone please point me at a few of them, and at where the specs
>: are (I couldn't find them at info.cern.ch :-) nor ncsa.uiuc.edu...)
>
>http://www/SDG/Software/Mosaic/Docs/fill-out-forms/overview.html

Alas, Requested document (URL
http://www.ncsa.uiuc.edu/SDG/Software/Mosaic/Docs/fill-out-forms/overview.html
could not be accessed.

The information server either is not accessible or is refusing to serve
the document to you.

This happened yesterday, both with the hostname and the IP address :-(

///Peter

>--
>Rob McCool, ro...@ncsa.uiuc.edu
>Software Development Group, National Center for Supercomputing Applications
>It was working ten minutes ago, I swear...

Hehe. _I_ swore...

Peter Flynn
Nov 24, 1993, 6:58:45 AM
Plus another trick: how do I specify to mail the completed form to someone?
<form action="mailto:user@node"> doesn't work, so do I need a script?

///Peter

Marc Andreessen
Nov 24, 1993, 1:16:51 AM
In article <CGzvx...@curia.ucc.ie> pfl...@curia.ucc.ie (Peter Flynn)
writes:

Plus another trick: how do I specify to mail the completed form to someone?
<form action="mailto:user@node"> doesn't work, so do I need a script?

You're in luck...

http://south.ncsa.uiuc.edu/forms.html

Cheers,
Marc

--
Marc Andreessen
Software Development Group
National Center for Supercomputing Applications
ma...@ncsa.uiuc.edu (MIME welcomed here)

Peter Flynn
Nov 24, 1993, 7:34:35 AM
In article 93Nov2...@wintermute.ncsa.uiuc.edu, ma...@ncsa.uiuc.edu (Marc Andreessen) writes:
>In article <CGzvx...@curia.ucc.ie> pfl...@curia.ucc.ie (Peter Flynn)
>writes:
>
> Plus another trick: how do I specify to mail the completed form to someone?
> <form action="mailto:user@node"> doesn't work, so do I need a script?
>
>You're in luck...
>
> http://south.ncsa.uiuc.edu/forms.html

Thanks, that's great.

While you're at it, take a look at
<a href="http://curia.ucc.ie/info/net/eec_english.html">the future</a> of our language.

///Peter
