Received: by taz.hyperreal.com (8.6.12/8.6.5) id XAA20388; Tue, 2 Jul 1996 23:52:06 -0700 Received: from fully.organic.com by taz.hyperreal.com (8.6.12/8.6.5) with ESMTP id XAA20383; Tue, 2 Jul 1996 23:52:02 -0700 Received: from localhost (brian@localhost) by fully.organic.com (8.6.12/8.6.12) with SMTP id GAA28160 for ; Wed, 3 Jul 1996 06:56:15 GMT X-Authentication-Warning: fully.organic.com: brian owned process doing -bs Date: Tue, 2 Jul 1996 23:56:15 -0700 (PDT) From: Brian Behlendorf To: new-httpd@hyperreal.com Subject: Re: access.conf changes In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-new-httpd@apache.org Precedence: bulk Reply-To: new-httpd@hyperreal.com On Tue, 2 Jul 1996, Alexei Kosut wrote: > On Tue, 2 Jul 1996, Brian Behlendorf wrote: > > > Here are the changes to access.conf to make it more secure, per > > suggestions by Roy. I, too, found it extremely puzzling the more I dug > > into it. For example, why would you have the "Indexes" option turned on > > for the cgi-bin directory?!?! And why document the XBitHack directive in > > Probably so you can set up an index file there. Makes sense to me. Setting "Indexes" turns on directory indexing, so the lack of an index.html or index.cgi or whatever means that a full listing of all CGI programs can be obtained. I thought in fact we specifically disallowed that? Hmm. > > 2) Changed "AllowOverride All" to "AllowOverride None". > > Is this a good idea? Hmm. I'm not sure. See below, at any rate. > ... > > # This controls which options the .htaccess files in directories can > > # override. Can also be "None", or any combination of "Options", "FileInfo", > > # "AuthConfig", and "Limit" > > > > ! AllowOverride None > > If you change the All to None, you then need to change the None to All > in the comment. Righto. I take it this is my third +1? Brian --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-- brian@organic.com www.apache.org hyperreal.com http://www.organic.com/JOBS