httpd-dev mailing list archives

From "Roy T. Fielding" <field...@liege.ICS.UCI.EDU>
Subject 1.1b5 access.conf
Date Tue, 02 Jul 1996 00:24:55 GMT
I am puzzled by the example access.conf provided with the distribution --
puzzled because it doesn't seem to be a very good example.  In fact,
I would almost call it a security hole in the sense that it allows
access in an uncontrolled way, without giving an example of how to
control it.  For example, I have the following in my access.conf
which are not represented in 1.1b5:

# All directories not mentioned below are off-limits, but allow
# symlinks to be followed for automounters

<Directory />
AllowOverride None
Options FollowSymLinks
<Limit GET POST PUT DELETE>
order deny,allow
deny from all
</Limit>
</Directory>

# For security reasons, CGI script directories must not allow overrides

<Directory /usr/local/etc/httpd/cgi-bin>
AllowOverride None
Options ExecCGI
<Limit GET POST>
order allow,deny
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
</Directory>
 
# The DocumentRoot is assumed to be under our control

<Directory /usr/local/etc/httpd/htdocs>
AllowOverride FileInfo AuthConfig Limit
Options MultiViews Indexes FollowSymLinks IncludesNoExec
<Limit GET>
order allow,deny
allow from all
</Limit>
<Limit POST PUT DELETE>
order deny,allow
deny from all
</Limit>
</Directory>

# likewise the server's own icons directory

<Directory /usr/local/etc/httpd/icons>
AllowOverride None
Options Indexes
<Limit GET>
order allow,deny
allow from all
</Limit>
<Limit POST PUT DELETE>
order deny,allow
deny from all
</Limit>
</Directory>

# User Directories are assumed not to be under control

<Directory /*/public_html*>
AllowOverride FileInfo AuthConfig Limit
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET>
order allow,deny
allow from all
</Limit>
<Limit POST PUT DELETE>
order deny,allow
deny from all
</Limit>
</Directory>

==================================================================

Obviously, my defaults (a University site) do not apply everywhere,
but I'd prefer a stricter default setup than what we currently ship.
The question is: are the above restrictions "reasonable", and should we

   a) add them to the access.conf-dist
   b) add them, but commented-out, to the access.conf-dist
   c) not add them at all

This would probably have no effect on existing sites, since most
people just move their old ones over from the prior release.

.....Roy
