Received: (from majordom@localhost) by hyperreal.org (8.8.5/8.8.5) id BAA21343; Thu, 14 Aug 1997 01:49:31 -0700 (PDT)
Received: from twinlark.arctic.org (twinlark.arctic.org [204.62.130.91]) by hyperreal.org (8.8.5/8.8.5) with SMTP id BAA21339 for ; Thu, 14 Aug 1997 01:49:29 -0700 (PDT)
Received: (qmail 9763 invoked by uid 500); 14 Aug 1997 08:40:39 -0000
Date: Thu, 14 Aug 1997 01:40:39 -0700 (PDT)
From: Dean Gaudet
To: new-httpd@apache.org
Subject: Re: directory restrictiosn in access.conf-dist
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

On Sun, 10 Aug 1997, Marc Slemko wrote:

> But the current setup defaults to having the fs readable and AllowOverride
> All by leaving it unspecified, no? That is the way it has been forever.
> Doing the changes I suggest make it more secure than it is now. If you
> deny / you are going to have zillions of people asking why ~userdir
> requests don't work. It will be even worse with systems where there is a
> symlink because people will be confused about if they should use the
> directory symlinked to, the symlink, etc.

Put in an example /home/*/public_html section.

> I'm not sure what having a default deny helps. It doesn't help prevent
> people symlinking. People still need to have something setup somewhere
> to make Apache read from the directory. I am all for default deny, but
> I'm not sure it makes sense in this case.

I've been thinking about changing the code to actually rewrite the filename
in consideration and restart at the root when traversing a symlink ... then
I realised we were re-implementing chroot.

> Your suggestion about adding a way to do relative directories isn't bad
> though...

We would have to get rid of the special proxy: directory ... which is a
Good Thing to get rid of, since Location is much more correct for the
proxy. Location just didn't exist when the proxy was started.

This is something that would be nice to correct. Unlike others, I vote
for this in 1.3 not 2.0.

Dean
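The default-deny layout the thread is arguing about, written out as an added example in Apache 1.x configuration syntax. This is not text from the message and not Apache's own access.conf-dist; the document root path /usr/local/apache/htdocs and the per-user path /home/*/public_html are assumptions chosen to match the ~userdir case Marc raises.

```apache
# Added example (not from the message or from access.conf-dist).
# Paths below are assumptions: /usr/local/apache/htdocs, /home/*/public_html.

# Close the whole filesystem first. With this section present, nothing is
# served and .htaccess files are ignored unless a more specific <Directory>
# block further down opens it up again. This replaces the implicit
# "readable, AllowOverride All" behaviour the thread describes.
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# The server's own document root: opened explicitly.
<Directory /usr/local/apache/htdocs>
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# Per-user pages, so ~user requests keep working under default deny.
# SymLinksIfOwnerMatch instead of FollowSymLinks: a symlink is followed
# only when link and target have the same owner, so a user cannot expose
# files they do not own by pointing a link at them.
UserDir public_html
<Directory /home/*/public_html>
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
```

The explicit /home/*/public_html section is what keeps ~userdir requests working once / is denied. The symlink confusion the thread mentions still applies: the path in a <Directory> block must match the filename Apache actually builds from UserDir and the request, so if home directories are reached through a symlink the block has to name the form Apache uses, not the other end of the link.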