httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@worldgate.com>
Subject Re: directory restrictiosn in access.conf-dist
Date Sun, 10 Aug 1997 19:06:26 GMT
On Sun, 10 Aug 1997, Roy T. Fielding wrote:

> >I propose consolidating them into one Directory section covering /.  It
> >has the advantage of not making people edit access.conf depending on where
> >they install Apache.
> 
> That would be a bad configuration on any machine.  A good configuration
> always starts with something like

But the current setup defaults to having the fs readable and AllowOverride
All by leaving it unspecified, no?  That is the way it has been forever. 
Doing the changes I suggest make it more secure than it is now.  If you
deny / you are going to have zillions of people asking why ~userdir
requests don't work.  It will be even worse with systems where there is a
symlink because people will be confused about if they should use the
directory symlinked to, the symlink, etc. 

I'm not sure what having a default deny helps.  It doesn't help prevent
people symlinking.  People still need to have something setup somewhere
to make Apache read from the directory.  I am all for default deny, but
I'm not sure it makes sense in this case.

Your suggestion about adding a way to do relative directories isn't bad
though...

> 
> <Directory />
> Options FollowSymLinks
> AllowOverride None
> order allow,deny
> deny from all
> </Directory>
> 
> and proceeds after that with more permissive sections like
> 
> <Directory /extra/fielding0/private/ws/apache/htdocs>
> Options Indexes FollowSymLinks MultiViews Includes
> AllowOverride All
> order allow,deny
> allow from all
> </Directory>
> 
> <Directory /extra/fielding0/private/ws/apache/icons>
> Options Indexes MultiViews
> AllowOverride None
> order allow,deny
> allow from all
> </Directory>
> 
> <Directory /extra/fielding0/private/ws/apache/cgi-bin>
> AllowOverride None
> Options None
> order allow,deny
> allow from all
> </Directory>
> 
> This provides for both a more efficient directory_walk and doesn't
> immediately open any (additional) security holes.
> 
> If you want to make the default configuration easier, then I suggest
> finding a way to make the argument of <Directory> a pathname relative
> to the server root.
> 
> ....Roy
> 


Mime
View raw message