httpd-dev mailing list archives

From Glenn <gs-apache-...@gluelogic.com>
Subject Re: [PATCH] modify httpd.conf-dist defaults
Date Wed, 25 Jun 2003 14:51:34 GMT
Thanks for the comments.

On Tue, Jun 24, 2003 at 08:08:22PM -0400, Joshua Slive wrote:
> > - Changes defaults to disallow access to files unless explicitly allowed.
> 
> Although this is, in general, a good idea, I think it would cause many
> people to be confused.  I don't think it is a good idea to change it this
> late in the 1.3 series (even if it is only the default config file).

The default document root and example for homedirs both already contain
  order allow,deny
  allow from all
Anyone copying those examples would copy the "allow from all", too.

> > - Turns off CGICommandArgs
> 
> +1, but only if this directive is documented in the manual.  I see nothing
> on it at the moment.  (Obviously that's not your fault.)
> 
> > - On unix httpd-conf-dist, does not allow Emacs autosave or temporary files
> >   to be served (along with not allowing .ht* files).  Emacs keeps the same
> >   permission on its temp files, which is a poor choice.  (vi restricts
> >   permission to owner on its .swp files.)  Also gives a commented out example
> >   that additionally disallows *.bak, *.old, *.so, *.a, and *.o files.
> 
> I'm fine with the example, but I don't like enabling that by default.  It
> will cause too much confusion for too little gain.  (It is an ugly-looking
> regex and will inevitably hit some people who don't expect it.)

Should it be changed to <FilesMatch>?

I think it prudent to have it.  As an example: if you edit your PHP file
in Emacs, then someone can download the code of the backup file in
clear-text (DefaultType is text/plain).  If your PHP file contains
database username and password (bad idea, anyway -- use a protected include
file), then not only is your code exposed, but so is your database account.
And BTW, this is not a contrived example.  I've seen it numerous times.
(obligatory plug for vi)

As for the regex, it's better to have a single regex than many, many, many
simple ones, right?  Besides, I program Perl in addition to C, and so the
regex looks prettier than some of my Perl. :-)


Rather than rehashing the thread about default config files, how about
httpd.conf-compat?  Or a comment at the top of httpd.conf-dist that says
"These defaults are aimed at compatibility with previous releases.
Look for commented sections with more secure, recommended defaults."?
If so, I'll put together a patch.  Such commented additions would show up
just as well for people like myself who do diffs between my config file
and the httpd.conf-dist of a new release.

(I don't think I'm the only one that (used to) look at httpd.conf as
the "recommended configuration" for the "best version of Apache"
rather than as the most backwards compatible, even for a default file
which is not used by people who already have a config file.)

Cheers,
Glenn
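The <FilesMatch> idea discussed above, as an added illustration that is not part of the original message and not Glenn's patch: the pattern below is my own guess at the intent (Emacs autosave "#name#", backup "name~" and lock ".#name" files plus ".ht*", with a stricter variant adding *.bak, *.old, *.so, *.a and *.o), and the Python audit that applies it to a document root is an added check, not anything shipped with httpd. It relies on the documented behaviour that <FilesMatch> is matched against the last path component only.

```python
import os
import re

# Apache configuration the audit mirrors (assumed form, not the patch from the
# thread; the syntax is the 1.3 "Order/Deny" style the thread is about):
#
#   <FilesMatch "^(#.*#|\.#.*|.*~|\.ht.*)$">
#       Order allow,deny
#       Deny from all
#   </FilesMatch>
#
# Commented-out stricter variant that also covers build and backup artefacts:
#
#   #<FilesMatch "^(#.*#|\.#.*|.*~|\.ht.*|.*\.(bak|old|so|a|o))$">
#   #    Order allow,deny
#   #    Deny from all
#   #</FilesMatch>

BASIC_PATTERN = r"^(#.*#|\.#.*|.*~|\.ht.*)$"
STRICT_PATTERN = r"^(#.*#|\.#.*|.*~|\.ht.*|.*\.(bak|old|so|a|o))$"


def would_be_denied(path, pattern=BASIC_PATTERN):
    """Return True if a <FilesMatch pattern> block would deny a request for
    this path.  Apache applies FilesMatch to the basename, so only the last
    path component is tested."""
    return re.search(pattern, os.path.basename(path)) is not None


def audit(paths, pattern=BASIC_PATTERN):
    """Split candidate document-root paths into those the pattern denies and
    those it would still serve.  Anything in 'served' that is an editor
    backup of a script is exactly the clear-text exposure the thread warns
    about, because "index.php~" is not handled as PHP and falls back to
    DefaultType."""
    denied, served = [], []
    for p in paths:
        (denied if would_be_denied(p, pattern) else served).append(p)
    return denied, served


def audit_directory(root, pattern=BASIC_PATTERN):
    """Walk a real document root and run the same split over every file."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            paths.append(os.path.relpath(os.path.join(dirpath, name), root))
    return audit(sorted(paths), pattern)


# Constructed sample listing of a document root after editing index.php in
# Emacs (autosave, backup and lock files), plus a few ordinary files.
SAMPLE_DOCROOT = [
    "index.php",
    "index.php~",        # Emacs backup: full source in clear text
    "#index.php#",       # Emacs autosave
    ".#index.php",       # Emacs lock file
    ".htaccess",
    ".htpasswd",
    "style.css",
    "config.php.bak",    # only caught by the stricter pattern
    "lib/helper.so",     # only caught by the stricter pattern
    "notes~draft.txt",   # tilde inside the name, not at the end: still served
]

if __name__ == "__main__":
    for label, pat in (("basic", BASIC_PATTERN), ("strict", STRICT_PATTERN)):
        denied, served = audit(SAMPLE_DOCROOT, pat)
        print(f"[{label}] denied: {denied}")
        print(f"[{label}] served: {served}")
```

Running it on the constructed listing shows the basic pattern denying the three Emacs files and both .ht* files while still serving config.php.bak and helper.so; the stricter pattern catches those two as well, and neither pattern touches a file that merely contains a tilde in the middle of its name. Pointing audit_directory() at a live document root gives the same split for real files.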
