alexander-bauer / grove

Grove is a way for developers to share git repositories directly over HTTP, without needing a central service like GitHub to connect them. Developers can share as many repositories as they like, and don't need to push their changes or branches in order to share them. It offers a featureful but extremely lightweight web interface to allow directory and repository browsing, in addition to retrieval through git. Sharing your work is as simple as hitting enter.

Possibly ambiguate web 404/403 error messages? #103

Open alexander-bauer opened 11 years ago

alexander-bauer commented 11 years ago

As it stands, a malicious person could use a tool like dirbuster to discover the directory tree structure of directories being served by Grove. They could do this by finding 403: Forbidden messages, which indicate that a file or directory exists, but is not being served.

It would be relatively simple to just change http.StatusForbidden reports to http.StatusNotFound for web access, and thereby protect against the "attack". Is it worth it?

alexander-bauer commented 11 years ago

@lukevers, @inhies, and @dansup, do you have any input on this?

inhies commented 11 years ago

I think it makes more sense to keep the 403 response. There should be no harm in letting someone know you have a directory that you aren't sharing.


alexander-bauer commented 11 years ago

Maybe have 403 for top level non-shared directories, and 404 for everything underneath?

alexander-bauer commented 11 years ago

I don't think this is urgent enough to really warrant keeping it as a goal for 1.0. If there's no more discussion, it can be closed. Otherwise, I'm just removing the milestone.

lukevers commented 11 years ago

I'm kind of leaning towards what @inhies is saying, but I understand your concern, @SashaCrofter. Grove generally is not run (or at least I hope not) from any root directory that could contain important files. Generally, the idea is to have a development section on your hard drive, like how we both generally use ~/dev. Although I understand your want for some more security, people are responsible for what they share.

alexander-bauer commented 11 years ago

@lukevers right; my concern has more to do with the unintended complexity of not sharing certain directories. If I, for example, recursively make my development directory globally readable, as Grove requires (chmod -R o+rX ~/dev), then realize that I have some projects I wouldn't want to share (~/dev/secret), then I would want to make those unreadable. The correct thing to do would be to chmod -R o-rX ~/dev/secret, but someone could easily only do chmod o-rX ~/dev/secret. That would mean that anyone who discovered the existence of ~/dev/secret via the presence of a 403 could access any of the below directories.

Of course, any application has the potential to screw the user over by means of file permissions, and not too many people have extremely sensitive projects in their development directory, and even fewer would chmod -R o+rX them anyway. I just wanted to see what everyone else thought about the risk before I write it off as negligible.

lukevers commented 11 years ago

I believe that Grove should check if ~/dev/secret is readable, and if it's not, then anything in ~/dev/secret from there on, regardless of a 404 error or not, should be 403. Sending a 403: Forbidden message does not necessarily mean that there's a file there, it could also just mean that you have absolutely no permissions to view anything in that directory as it is. If I'm not mistaken, I believe that's how Apache actually handles that as well.

dansup commented 11 years ago

I like Luke's idea

(replying to Luke Evers's comment of 2013-04-02, 2:03 PM)
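The rule Luke proposes (and that the thread settles on) can be written as a small path walk. The following is an added example, not code from Grove itself: the names statusFor, guard, osProbe and the /srv/dev tree are assumptions made for illustration. The constructed in-memory tree models exactly the mistake described earlier in the thread: ~/dev was made world-readable recursively, then ~/dev/secret was made unreadable with a non-recursive chmod, so ~/dev/secret/keys is still readable on disk. Walking the request path one component at a time and stopping at the first unreadable ancestor means everything under secret answers 403, whether or not it exists, while a missing path under a readable directory still answers 404.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// ProbeFunc answers, for one absolute filesystem path, whether it exists and
// whether the server process can read it. Abstracting this lets the decision
// logic be tested against a constructed tree without touching permissions.
type ProbeFunc func(abs string) (exists, readable bool)

// osProbe is the real-filesystem probe, evaluated as the user the server
// runs as (assumed here: a non-root user; root reads everything). A
// permission error from Stat means some ancestor is not traversable, which is
// reported as existing-but-unreadable so the caller answers 403, not 404.
func osProbe(abs string) (exists, readable bool) {
	if _, err := os.Stat(abs); err != nil {
		return os.IsPermission(err), false
	}
	f, err := os.Open(abs)
	if err != nil {
		return true, false
	}
	f.Close()
	return true, true
}

// statusFor implements the rule from the thread: walk from root down the
// requested path one component at a time. The first component that is
// missing yields 404; the first component that exists but is unreadable
// yields 403 and ends the walk, so anything beneath an unreadable directory
// is 403 whether or not it exists. Cleaning the path against "/" first
// collapses "..", so a request cannot step above root.
func statusFor(root, reqPath string, probe ProbeFunc) int {
	rel := strings.TrimPrefix(path.Clean("/"+reqPath), "/")
	comps := []string{}
	if rel != "" {
		comps = strings.Split(rel, "/")
	}
	cur := root
	for i := 0; ; i++ {
		exists, readable := probe(cur)
		if !exists {
			return http.StatusNotFound
		}
		if !readable {
			return http.StatusForbidden
		}
		if i == len(comps) {
			return http.StatusOK
		}
		cur = filepath.Join(cur, comps[i])
	}
}

// guard wraps a handler so only requests whose whole path is readable reach
// it; everything else gets the status chosen by statusFor.
func guard(root string, probe ProbeFunc, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if code := statusFor(root, r.URL.Path, probe); code != http.StatusOK {
			http.Error(w, http.StatusText(code), code)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// fakeTree is a constructed in-memory tree (absolute path -> readable)
// standing in for ~/dev after "chmod -R o+rX ~/dev" followed by the
// non-recursive "chmod o-rX ~/dev/secret" described in the thread.
type fakeTree map[string]bool

func constructedTree() fakeTree {
	return fakeTree{
		"/srv/dev":               true,
		"/srv/dev/public":        true,
		"/srv/dev/public/README": true,
		"/srv/dev/secret":        false, // exists, but unreadable
		"/srv/dev/secret/keys":   true,  // still readable on disk: the mistake
	}
}

func (t fakeTree) probe(abs string) (exists, readable bool) {
	r, ok := t[abs]
	return ok, ok && r
}

func main() {
	tree := constructedTree()
	for _, p := range []string{"public/README", "secret", "secret/keys",
		"secret/missing", "missing", "../etc/passwd"} {
		fmt.Printf("%-16s -> %d\n", p, statusFor("/srv/dev", p, tree.probe))
	}
}
```

With osProbe in place of the fake tree, the readability answer is whatever the server's own user gets from the kernel, so the scheme only hides the tree if Grove is not running as root. Symlinks inside the served root are followed by os.Stat as usual; that is a separate concern from the 403/404 question discussed here.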