httpd-dev mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: "Forbid" directive in core?
Date Sat, 28 Sep 2013 17:20:49 GMT

Am 28.09.2013 18:21, schrieb Tim Bannister:
> On 28 Sep 2013, at 14:19, Eric Covener <covener@gmail.com> wrote:
> 
>> I've come back to this because I've struggled in another area with access_checker vs. access_checker_ex.  I really think we need basic access control outside of Require and Satisfy.
>>
>> I have a copy of the "Forbidden" directive in mod_authz_core and I am currently allowing ON/OFF flags.
>>
>> * using a new directive means someone won't casually add "forbidden OFF" when they think they're turning on more access control with Require
>> * we can document that "forbidden OFF" is extreme from the start.
>>
>> I am on the fence about having an argument at all.  My fear is that it will evolve into a misguided FAQ of 'try forbidden OFF if you get a 403' then we're right back to
>>
>> <Files .ht*>
>> Forbidden
>> </Files>
>>
>> ...
>>
>> <Location />
>> ...
>> Require ldap-group cn=foo
>> Forbidden OFF
>> </location>
> 
> The second time in a few days, I'm going to suggest adding an optional parameter to a directive.
> 
> Taking a leaf out of cascading stylesheets, how about “Forbidden On Level=Important” and perhaps “Forbidden On Level=Indelible”?
> 
> (the idea being that the “Indelible” level can't be removed).
> 
> 
> This lets distributions ship a fairly safe default configuration but gives users enough scope to hang themselves. With this, “forbidden OFF” isn't so risky and “Forbidden Off Level=Important” can carry a health warning (and perhaps an ErrorLog warning as well).
> 
> Too complex or worth having?

too complex and dangerous

nobody is able to say what is effective in whatever directory in case
of a lot of .conf-files including vhost-snippets which *all*
may contain <Directory>-directives

now you can say the last one wins and if needed name files with prefixes

with your proposal in production environments nobody knows what the state
of play is because you have distribution-snippets from the httpd package
*and* web-app-packages too and they may contain any variant; even if
you say 100 times they must not ship it that way it does not help
the enduser who configures settings that never get active while
thinking he overrides

no - i want and need to be sure that if i create a zzzzz-my-overrides.conf
and include it at the end of httpd.conf it does what i expect
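The "last one wins" ordering the message relies on, as an added illustration (not part of the thread or of httpd's own configuration; the file names, paths and network are made up). Three snippets all configure the same <Directory>; with httpd 2.4's default AuthMerging Off, the Require set of the section that appears last replaces the earlier ones, and wildcard Include processes files in alphabetical order, which is what makes a "zzzzz-" prefix the administrator's last word:

```apache
# Added example, not from the thread: how httpd 2.4 resolves the same
# <Directory> across several included snippets. Paths and file names are
# hypothetical.

# --- httpd.conf (main file) ---
# A wildcard Include processes the matching files in alphabetical order,
# so the file name decides who has the last word.
Include conf.d/*.conf

# --- conf.d/00-distribution.conf (shipped by the httpd package) ---
# Safe default: nobody may fetch anything from the document root.
<Directory "/var/www/html">
    Require all denied
</Directory>

# --- conf.d/50-some-webapp.conf (shipped by a web-app package) ---
# Same directory, later in the include order. With the default
# AuthMerging Off this section's Require set replaces the earlier one
# instead of being combined with it, so the package has silently
# re-opened the directory.
<Directory "/var/www/html">
    Require all granted
</Directory>

# --- conf.d/zzzzz-my-overrides.conf (the administrator's file) ---
# Sorts last, therefore wins. Whatever the earlier snippets granted is
# discarded here; only the management network (hypothetical) gets in.
<Directory "/var/www/html">
    Require ip 10.0.0.0/8
</Directory>
```

Two caveats a practitioner would check: the alphabetical guarantee applies to a single wildcard Include, whereas explicit Include lines are processed in the order they are written, and `httpd -t` only validates syntax, it does not tell you which of several same-directory sections ended up effective, so the ordering has to be designed in rather than discovered.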

