Package: securing-debian-howto
Version:
Author: Guillem Jover <guillem@hadrons.org>
Status: applied
Description:
 Fixed some typos.
 Updated disabling Apache userdir_module.

--- securing-debian-howto.sgml	2002-12-19 05:30:25.000000000 +0100
+++ securing-debian-howto_patched.sgml	2002-12-19 06:27:46.000000000 +0100
@@ -2011,8 +2011,8 @@
 /dev/sda11      /var/account    ext2    defaults,nodev,nosuid,noexec    0       2
 /dev/sda13      /home           ext2    rw,nosuid,nodev,exec,auto,nouser,async,usrquota,grpquota                0       2
 /dev/fd0        /mnt/fd0        ext2    defaults,users,nodev,nosuid,noexec      0       0
-/dev/fd0        /mnt/floppy     vfat    defaults,users,nodev.nosuid,noexec      0       0
-/dev/hda        /mnt/cdrom      iso9660 ro,users,nodev.nosuid,noexec            0       0
+/dev/fd0        /mnt/floppy     vfat    defaults,users,nodev,nosuid,noexec      0       0
+/dev/hda        /mnt/cdrom      iso9660 ro,users,nodev,nosuid,noexec            0       0
 </example>
 
 <sect1>Setting <file>/tmp</file> noexec
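Review bot: Correct fix for both lines; with the stray `.` the token `nodev.nosuid` matches neither `nodev` nor `nosuid`, so as written neither restriction would have been applied to the floppy and CD-ROM mounts, which is exactly the point the example is meant to demonstrate. Nothing further needed in this hunk.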
@@ -2505,9 +2505,9 @@
 home directories <em>not</em> belong to the users but enable them
 to read the configuration <file>.profile</file> and write on the
 <file>.bash_history</file>. It would be good to set
-set the <em>inmutable</em> flag (also using <prgn>chattr</prgn>)
+the <em>inmutable</em> flag (also using <prgn>chattr</prgn>)
 for <file>.profile</file> too if you do it this way.
-     
+
 <p>If you are completely paranoid and want to audit every user's command, you 
 could take <prgn>bash</prgn> source code, edit it and have it send all that 
 the user typed into another file. Or have <package>ttysnoop</package> 
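Review bot: The duplicated `set` is removed, but the `+` line still carries the misspelling `inmutable`; since the line is being touched anyway, change it to `immutable` (the attribute that `chattr +i` sets). The whitespace-only change on the following line is fine.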
@@ -3916,7 +3916,7 @@
 daemons, ssh1, ssh2, and OpenSSH by the OpenBSD people. Ssh1 was the
 first ssh daemon available and it is still the most commonly used
 (there are rumors that there is even a Windows port). Ssh2 has many
-advantages over ssh1 except it is released under an closed-source
+advantages over ssh1 except it is released under a closed-source
 license. OpenSSH is completely free ssh daemon, which supports both
 ssh1 and ssh2. OpenSSH is the version installed on Debian when the
 package <package>ssh</package> is chosen.
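Review bot: The article fix (`a closed-source`) is right. While this paragraph is being edited, the context line `OpenSSH is completely free ssh daemon` is missing an article as well; suggest `OpenSSH is a completely free ssh daemon`.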
@@ -4802,37 +4802,22 @@
 be retrieved remotely using an URL such as:
 http://your_apache_server/~user.
 
-<p>If you do not want to permit this you must change the 
-<file>/etc/apache/http.conf</file> configuration file which includes:
+<p>If you do not want to permit this you must change the
+<file>/etc/apache/http.conf</file> configuration file commenting out:
 
 <example>
-&lt;Directory /home/*/public_html&gt;
-    AllowOverride FileInfo AuthConfig Limit
-    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
-    &lt;Limit GET POST OPTIONS PROPFIND&gt;
-        Order allow,deny
-        Allow from all
-    &lt;/Limit&gt;
-    &lt;Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK&gt;
-        Order deny,allow
-        Deny from all
-    &lt;/Limit&gt;
-&lt;/Directory&gt;
+LoadModule userdir_module /usr/lib/apache/1.3/mod_userdir.so
 </example>
 
-Change it to:
+But if the module was linked statically, you can check this with
+<tt>apache -l</tt>, instead you must add:
 
 <example>
-&lt;Directory /home/*/public_html&gt;
-    AllowOverride None
-    Order deny,allow
-    Deny from all
-&lt;/Directory&gt;
+Userdir disabled
 </example>
 
-<p>Note: An attacker might still do user enumeration, since the answer
-of the web server will be a <em>403 Permission Denied</em> and not a
-<em>404 Not available</em>.
+<p>Note: The <tt>disabled</tt> keyword is only available in Apache 1.3
+and above.
 
 <sect1>Logfiles permissions
 
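Review bot: The second added example reads `Userdir disabled`; the directive's documented spelling is `UserDir`, and although Apache matches directive names case-insensitively, the mixed form will mislead readers searching the config or the Apache documentation, so please use `UserDir disabled`. Two smaller points: the new sentence `But if the module was linked statically, you can check this with apache -l, instead you must add:` is hard to parse; something like `If the module was linked statically (you can check this with apache -l) there is nothing to comment out, and you must add instead:` keeps the meaning. And the configuration file is named `http.conf` in both the removed and the added lines; Debian's Apache 1.3 configuration lives in `/etc/apache/httpd.conf`, so this looks like a pre-existing typo worth fixing in the same hunk. Dropping the 403-versus-404 enumeration note is consistent with the change, since that caveat applied to the `Deny from all` approach this hunk stops recommending.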
