Regarding to the security issue I described earlier I tried to find a way around it. We are basically trying to get away from giving the world readable permissions to files in ~/public_html/.

ls -l public_html/index.html
-rwxr-xr-x   1 e0625457   stud           381 Nov 25 13:22 public_html/index.html

I thought of two ways to solve that:

a) set the group of the file to www and give it 755.
b) set the file to 700 and add a ACL entry

I failed with the first, because: I’m not the owner of the group nor member of it so I can’t hand the file over.
I failed with the second, because: The ACL setting for www was not respected by the webserver, it threw a 403.

I wonder how students should set up web content that is not listable.

There is still the possibility that a caching feature blurred the results of my testing.

But on my way I found something else that’s interesting:
If you do

cat /etc/passwd

, you see all students and staffs IDs and full names.

Other interesting commands:

netstat -an|grep http
ps -efl |grep http
cat /etc/syslog.conf

Hey, its in the middle of the night and I’m having fun with our wellknown IBM server stud4.tuwien.ac.at.

I noticed that a lot of people do not protect their home directories. In fact, I noticed that mine was dir-readable too. But whats worse is, that some people leave their files readable.

Facts:
Connect to it, end use a find:

ssh stud4.tuwien.ac.at -l e0123456 'find /users*/home* -perm -a+r -print' >homes.list4.accessible

All these files are accessible: Want an excerpt? Here you go:

-rw-r--r--   1 e1543626   stud        692820 Apr 27  2005 /users4/home5/e1543626/00001.jpg
-rw-r--r--   1 e1543626   stud        484867 Apr 27  2005 /users4/home5/e1543626/00002.jpg
-rw-r--r--   1 e1543626   stud       1112039 Nov 29  2004 /users4/home5/e1543626/1653.pdf
-rw-r--r--   1 e1543626   stud        269401 Nov 29  2004 /users4/home5/e1543626/1728.pdf
-rw-r--r--   1 e1543626   stud        124044 Nov 29  2004 /users4/home5/e1543626/2056.pdf
-rw-r--r--   1 e1543626   stud        338262 Nov 29  2004 /users4/home5/e1543626/2934.pdf
-rw-r--r--   1 e1543626   stud        626081 Nov 29  2004 /users4/home5/e1543626/3013.pdf
-rw-------   1 e1543626   stud         10500 Oct 31  2005 /users4/home5/e1543626/Aufgabe3.zip
-rw-r--r--   1 e1543626   stud           174 Oct 19  2005 /users4/home5/e1543626/Daten.java
-rw-------   1 e1543626   stud       1070460 Feb  7  2006 /users4/home5/e1543626/Domen_C.zip
-rw-------   1 e1543626   stud           506 Nov 15 16:06 /users4/home5/e1543626/Drafts
-rw-------   1 e1543626   stud         23552 Dec 17  2004 /users4/home5/e1543626/Honorarnote Edi.doc
-rw-------   1 e1543626   stud          8601 Nov 26 20:04 /users4/home5/e1543626/Junk
-rw-r-----   1 e1543626   stud             0 Oct  3  2001 /users4/home5/e1543626/LIZ/.ICAClient/.eula_accepted

(I replaced the real username with an obviously impossible id) But you get the idea.

So who are the bad guys. Maybe I want ot warn you. Using teh above list we retrieved, we can find out:

cat homes.list4.accessible|cut -d "/" -f 4|sort |uniq -c|sort -n

Several users with hundreds of files.

Let’s dig deeper …

ssh stud4.tuwien.ac.at -l e0123456 'find /users*/home* -perm -a+w -print' >homes.list.writable

Uhm… ok. I understand with temporary files it might not matter, but public_html? Hello? Invitation? Guys, you should really set your permission bits correctly!

Also I think the KDE NFS desktop gives the files in the home folder too much permissions.