5

Im attempting to secure the mod_userdir module in apache..

Currently the directory structure for my users sites is

/home/{user}/domains/{domain}/public_html/site

The issue is, a number of my users store files that shouldnt be stored in the /domains/ directory (private files), but they do, and id rather work round it than make them move them.

Basically I have denied access to all directories in /{domain}/, except public_html, HOWEVER, files can still be viewed.

Here is my usermod.conf config.

<IfModule mod_userdir.c>
    UserDir /home/*/domains
    UserDir disabled root
    <Directory /home/*/domains/*/*>
            Order allow,deny
            Deny from all
    </Directory>

    <FilesMatch /home/*/domains/*/*>
            Order deny,allow
            Deny from all
    </FilesMatch>
    <Directory /home/*/domains/*/public_html>
            Order allow,deny
            Allow from all
    </Directory>

    <Directory /home/*/domains>
            AllowOverride FileInfo AuthConfig Limit Indexes
            Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
            <Limit GET POST OPTIONS>
                    Order allow,deny
                    Allow from all
            </Limit>
            <LimitExcept GET POST OPTIONS>
                    Order deny,allow
                    Deny from all
            </LimitExcept>
    </Directory>

You can see how I have tried to remove access to the files in /{domain}/ with , however this just isnt working.

Any help would be appreciated.

Brad Morris
  • 241
  • 2
  • 12

2 Answers2

1

Maybe your problem is in the FilesMatch directive; FilesMatch uses regex to match directives, therefore, to obtain what you want, you should write:

<FilesMatch "/home/.*/domains/.*/.*">
    Order deny,allow
    Deny from all
</FilesMatch>
Marco Bizzarri
  • 1,318
  • 1
  • 11
  • 11
  • This did not work, for reference.. Here is an example of the directory of which the files I am trying to hide reside in http://109.224.135.26/~brad/bradleymorris.co.uk/ That maps to /home/brad/domains/bradleymorris.co.uk – Brad Morris Jul 29 '11 at 18:53
1

I don't believe you can specify a path in any of the Files directives. And also it doesn't look like you really need the FilesMatch directive, as you aren't really using any complex pattern to require regex's. I usually put my Files directives inside the directory though to make it simple.

This seemed to work for me with a setup similar to yours. Under /var/www/domains there is 1/ 2/ and 3/ each with various html files. None are accessible now.

<Directory /var/www/domains/*/>
        Options None
        AllowOverride None
        Order Allow,Deny
        Deny from All
        <Files *>
                Order Allow,Deny
                Deny from All
        </Files>
</Directory>
Nicholi
  • 283
  • 1
  • 10