httpd-dev mailing list archives

From Brian Behlendorf <br...@hyperreal.com>
Subject access.conf changes
Date Wed, 03 Jul 1996 05:09:35 GMT

Here are the changes to access.conf to make it more secure, per
suggestions by Roy.  I, too, found it extremely puzzling the more I dug
into it.  For example, why would you have the "Indexes" option turned on
for the cgi-bin directory?!?!  And why document the XBitHack directive in
here, when there are lots of others not documented?  

Here are the changes I made:

1) Removed <Limit> directives.

2) Changed "AllowOverride All" to "AllowOverride None".

3) Moved the section on /cgi-bin/ to the bottom, giving it "Options None" and
   "AllowOverride None".

4) Removed documentation on the XBitHack directive (there's no reason for that
   to be there when other directives aren't; it was confusing things).

5) Commented out status suggested lines.


Ugh.  I've been agonizing over this for the last two hours. 
Unfortunately, these are not a few changes, and they change the default
functionality, even though it does make Apache more secure "out of the
box".  I am extremely torn as to whether to do this - I don't think I
could have just done one without questioning the others too. 

Well, here it is.  It's now 10pm PST, 7am GMT.  Now that I have sat down
and actually looked at this, I feel pretty strongly that the current
access.conf is unacceptable.  Tell you what - I'll implement the other
suggestions, and go through all the motions of building 1.1 final except
this - and at 7am PST/4pm GMT I'll see if there are three more +1's to
this suggested change.  If there are, I'll make the change, build the
distribution, and then release it to the binary builders, and we can still
announce it publicly Wednesday afternoon.  If any vetos come up in that
time, we'll nix it and move on.  


Here's the patch.

Index: access.conf-dist
===================================================================
RCS file: /export/home/cvs/apache/conf/access.conf-dist,v
retrieving revision 1.2
diff -C3 -r1.2 access.conf-dist
*** access.conf-dist	1996/04/11 06:05:49	1.2
--- access.conf-dist	1996/07/03 05:01:53
***************
*** 10,20 ****
  
  # Originally by Rob McCool
  
- # /usr/local/etc/httpd/ should be changed to whatever you set ServerRoot to.
- <Directory /usr/local/etc/httpd/cgi-bin>
- Options Indexes FollowSymLinks
- </Directory>
- 
  # This should be changed to whatever you set DocumentRoot to.
  
  <Directory /usr/local/etc/httpd/htdocs>
--- 10,15 ----
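Review bot: removing the cgi-bin `<Directory>` block here (the one granting `Options Indexes FollowSymLinks` to the script directory) is only safe in combination with the replacement block added further down in this same patch; applied on its own, this hunk would leave the cgi-bin directory with no `<Directory>` section at all, so it would inherit whatever the server-wide defaults are instead of a deliberately restricted set. The dropped comment also told the reader to derive the path from ServerRoot, whereas the replacement comment ties it to the ScriptAlias directory; the latter is the right reference, since the script directory is wherever ScriptAlias points, not necessarily under ServerRoot.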
***************
*** 27,70 ****
  
  Options Indexes FollowSymLinks
  
- # This option allows you to turn on the XBitHack behavior, which allows you
- # to make text/html server-parsed by activating the owner x bit with chmod. 
- # This directive may be used wherever Options may, and has three
- # possible arguments: Off, On or Full. If set to full, Apache will also
- # add a Last-Modified header to the document if the group x bit is set.
- 
- # Unless the server has been compiled with -DXBITHACK, this function is
- # off by default. To use, uncomment the following line:
- 
- #XBitHack Full
- 
  # This controls which options the .htaccess files in directories can
  # override. Can also be "None", or any combination of "Options", "FileInfo", 
  # "AuthConfig", and "Limit"
  
! AllowOverride All
  
  # Controls who can get stuff from this server.
  
- <Limit GET>
  order allow,deny
  allow from all
- </Limit>
  
  </Directory>
  
  # Allow server status reports, with the URL of http://servername/status
  # Change the ".nowhere.com" to match your domain to enable.
  
! <Location /status>
! SetHandler server-status
  
! <Limit GET>
! order deny,allow
! deny from all
! allow from .nowhere.com
! </Limit>
! </Location>
  
  # You may place any other directories or locations you wish to have
  # access information for after this one.
--- 22,58 ----
  
  Options Indexes FollowSymLinks
  
  # This controls which options the .htaccess files in directories can
  # override. Can also be "None", or any combination of "Options", "FileInfo", 
  # "AuthConfig", and "Limit"
  
! AllowOverride None
  
  # Controls who can get stuff from this server.
  
  order allow,deny
  allow from all
  
  </Directory>
  
+ # /usr/local/etc/httpd/cgi-bin should be changed to whatever your ScriptAliased
+ # CGI directory exists, if you have that configured.
+ 
+ <Directory /usr/local/etc/httpd/cgi-bin>
+ AllowOverride None
+ Options None
+ </Directory>
+ 
  # Allow server status reports, with the URL of http://servername/status
  # Change the ".nowhere.com" to match your domain to enable.
  
! #<Location /status>
! #SetHandler server-status
  
! #order deny,allow
! #deny from all
! #allow from .nowhere.com
! #</Location>
  
  # You may place any other directories or locations you wish to have
  # access information for after this one.
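Review bot: the comment above the status block still reads `# Change the ".nowhere.com" to match your domain to enable.`, but now that the whole `<Location /status>` ... `</Location>` block is commented out, enabling it also requires uncommenting those six lines; the comment should say so, e.g. `# To enable, uncomment the following lines and change ".nowhere.com" to match your domain.` Three smaller points: dropping the `<Limit GET>` wrapper means `order allow,deny` / `allow from all` (and the `deny from all` in the status block) now apply to every request method rather than to GET only, which is a deliberate behaviour change worth stating in the message text; the new comment `# /usr/local/etc/httpd/cgi-bin should be changed to whatever your ScriptAliased` / `# CGI directory exists, if you have that configured.` reads awkwardly and should say "to wherever your ScriptAliased CGI directory is"; and the htdocs section keeps `Options Indexes FollowSymLinks` in the unchanged context, so directory listings remain on for DocumentRoot by default even though Indexes was removed from cgi-bin, which the message should mention given that its stated aim is a more secure default.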