COMMAND

    httpd

SYSTEMS AFFECTED

    Mandrake 5.3/7.0, RedHat 5.2/5.3/6.0 + Apache BUG

PROBLEM

    Kasatenko Ivan Alex. found the following.  Recently his users helped
    him discover one unpleasant feature: the home directory of the
    ``nobody'' user is "/" on most Mandrake and RedHat systems (any
    others?).  Look at this setting in httpd.conf:

        # UserDir: The name of the directory which is appended onto a user's home
        # directory if a ~user request is received.

        UserDir ./

    ... so any user may go to, for example,

        http://www.malconfigured-host.com/~nobody/etc/

    and get a list of the files in the /etc directory.
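    The following is an added example, not part of the advisory: a small
    Python audit script that models how mod_userdir maps a relative UserDir
    onto an account's home directory, and flags accounts whose ~user/ URL
    would land on a system directory.  The passwd and httpd.conf contents
    are constructed samples, and only the relative-UserDir form discussed
    above is modelled.

```python
import os
import re

# Constructed sample input (hypothetical host) mirroring the advisory's setup:
# nobody's home is "/" and httpd.conf says "UserDir ./".
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/bin/false
alice:x:500:500:Alice:/home/alice:/bin/bash
"""
SAMPLE_CONF = """# UserDir: directory appended onto a user's home for ~user requests
UserDir ./
"""
SENSITIVE_ROOTS = ("/", "/etc", "/tmp", "/usr", "/var")

def userdir_root(userdir, home):
    # mod_userdir appends a relative UserDir to the account's home directory;
    # absolute UserDir values use a different scheme and are not modelled here.
    return os.path.normpath(os.path.join(home, userdir))

def map_request(userdir, home, url_path):
    # Translate /~user/sub/path to a filesystem path, e.g. /~nobody/etc/ -> /etc
    m = re.match(r"^/~([^/]+)/?(.*)$", url_path)
    if not m:
        return None
    return os.path.normpath(os.path.join(userdir_root(userdir, home), m.group(2)))

def parse_passwd(text):
    # login name -> home directory, from passwd-format text
    homes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 6:
            homes[fields[0]] = fields[5]
    return homes

def parse_userdir(conf_text):
    # First uncommented UserDir directive, or None if the directive is absent
    for line in conf_text.splitlines():
        m = re.match(r"^\s*UserDir\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1)
    return None

def audit(passwd_text, conf_text):
    # (user, mapped root) pairs where /~user/ would serve a system directory
    userdir = parse_userdir(conf_text)
    if userdir is None or userdir.lower() == "disabled" or userdir.startswith("/"):
        return []
    homes = parse_passwd(passwd_text)
    found = [(u, userdir_root(userdir, h)) for u, h in homes.items()]
    return [(u, r) for u, r in found if r in SENSITIVE_ROOTS]
```

    Running audit() on the samples reports nobody mapped to "/", which is
    exactly the /~nobody/etc/ exposure; with UserDir public_html it reports
    nothing.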

SOLUTION

    UserDir is typically set to public_html, or some such.  Never seen a
    site set up with UserDir set to './', but needless to say, that's a
    Very Bad[tm] way to set things up.

    SuSE Linux used to have user nobody's HOME directory set to /tmp for
    years.  Starting with SuSE-7.0, it will be set to /var/lib/nobody.
    Apache, as distributed with SuSE, is configured with `UserDir
    public_html' and is therefore not vulnerable to the
    http://machine/~nobody/ problem.  However, SuSE encourages admins to
    change this user's home using the commands

        mkdir -p /var/lib/nobody
        chown nobody.nogroup /var/lib/nobody
        # usermod takes the login name as its final argument
        usermod -d /var/lib/nobody nobody

    Make sure that  you move files  belonging to user  nobody from the
    former location to  the new home  and that you  don't rely on  the
    old absolute path in your scripts.