Koozali.org: home of the SME Server

iBay folder contents listing

axessit
« on: September 10, 2019, 02:11:23 PM »
Was just doing some tinkering on a public website I host on an iBay and realised the contents, well at least the contents of a sub folder (html/images), can be listed. So I figured out how to stop it from https://wiki.contribs.org/DB_Variables_Configuration#Ibay and so set the

Code:
db accounts setprop ibayname Indexes disabled

then

Code:
signal-event ibay-modify ibayname

and all was good.

This server has been upgraded from v7 when the ibay was first created, thru v8 a few years ago then more recently to v9.2 via clean install/recover from full backup, but wondering if this property was ever set as it wasn't defined.

Should it not be disabled by default as a more secure approach?


mmccarn
Re: iBay folder contents listing
« Reply #1 on: September 11, 2019, 05:42:59 AM »
I do not see anything in the default accounts database settings that would be setting "Indexes" to disabled (/etc/e-smith/db/accounts/defaults/)

And it looks like the default setting in the relevant template fragment for httpd.conf defaults to 'enabled' if there is no entry in the database (/etc/e-smith/templates/etc/httpd/conf/httpd.conf/90e-smithAccess40ibays)

Simply changing the default might cause problems for existing servers that depend on the current behavior (it's pretty frustrating when a simple 'yum update' breaks something that has been working, as I suspect you know...)

I don't know if there's a way to set a default value of 'Indexes' for new ibays, or for all ibays on new servers. If we could do that we wouldn't need to make any changes to /etc/e-smith/templates/etc/httpd/conf/httpd.conf/90e-smithAccess40ibays, so there would be less chance of breaking anyone's running server.
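
An added example, not part of either post above and not SME Server's own tooling: a shell function that scans the accounts database for ibays whose Indexes property is anything other than disabled, treating a missing property as enabled, as the reply describes for the template fragment. It assumes `db accounts show` prints each record as an unindented `name=type` line followed by indented `Prop=value` lines; the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: list ibays whose Indexes property is not 'disabled'.
# Assumed input format (as printed by `db accounts show`):
#   name=type
#       Prop=value
list_indexable_ibays() {
    awk '
        # Print a finding for the record just finished, if it is an ibay.
        function report() {
            if (type == "ibay" && idx != "disabled")
                print name ": Indexes " (idx == "" ? "unset (template default: enabled)" : idx)
        }
        # An unindented "name=type" line starts a new record.
        /^[^ \t]/ {
            report()
            split($0, kv, "=")
            name = kv[1]; type = kv[2]; idx = ""
            next
        }
        # An indented Indexes line belongs to the current record.
        /^[ \t]+Indexes=/ {
            sub(/^[ \t]+Indexes=/, "")
            idx = $0
        }
        END { report() }
    '
}

# Constructed sample data, not output from a real server.
sample_accounts() {
    cat <<'EOF'
admin=system
website=ibay
    Name=Public site
    PublicAccess=global
intranet=ibay
    Indexes=disabled
    Name=Intranet
files=ibay
    Indexes=enabled
    Name=Downloads
jsmith=user
    FirstName=John
EOF
}

# On a server: db accounts show | list_indexable_ibays
sample_accounts | list_indexable_ibays
```

Each ibay it reports can then be handled with the setprop and signal-event commands from the first post.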