Received: (from majordom@localhost)
	by hyperreal.org (8.8.5/8.8.5) id FAA26030;
	Sun, 10 Aug 1997 05:09:13 -0700 (PDT)
Received: from paris.ics.uci.edu (mmdf@paris.ics.uci.edu [128.195.1.50])
	by hyperreal.org (8.8.5/8.8.5) with SMTP id FAA26026
	for <new-httpd@apache.org>; Sun, 10 Aug 1997 05:09:10 -0700 (PDT)
Received: from kiwi.ics.uci.edu by paris.ics.uci.edu id aa05844;
          10 Aug 97 5:05 PDT
To: new-httpd@apache.org
Subject: Re: directory restrictiosn in access.conf-dist 
In-reply-to: Your message of "Sun, 10 Aug 1997 01:09:17 MDT."
             <Pine.BSF.3.95q.970810010612.7198Y-100000@valis.worldgate.com>
Date: Sun, 10 Aug 1997 04:45:51 -0700
From: "Roy T. Fielding" <fielding@kiwi.ics.uci.edu>
Message-ID: <9708100505.aa05844@paris.ics.uci.edu>
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

>I propose consolidating them into one Directory section covering /.  It
>has the advantage of not making people edit access.conf depending on where
>they install Apache.

That would be a bad configuration on any machine.  A good configuration
always starts with something like

<Directory />
Options FollowSymLinks
AllowOverride None
order allow,deny
deny from all
</Directory>

and proceeds after that with more permissive sections like

<Directory /extra/fielding0/private/ws/apache/htdocs>
Options Indexes FollowSymLinks MultiViews Includes
AllowOverride All
order allow,deny
allow from all
</Directory>

<Directory /extra/fielding0/private/ws/apache/icons>
Options Indexes MultiViews
AllowOverride None
order allow,deny
allow from all
</Directory>

<Directory /extra/fielding0/private/ws/apache/cgi-bin>
AllowOverride None
Options None
order allow,deny
allow from all
</Directory>

This provides for both a more efficient directory_walk and doesn't
immediately open any (additional) security holes.

If you want to make the default configuration easier, then I suggest
finding a way to make the argument of <Directory> a pathname relative
to the server root.

....Roy