httpd-docs mailing list archives

From Michael.Schro...@telekurs.de
Subject Antwort: Re: Antwort: htaccess tutorial
Date Tue, 23 Jul 2002 17:56:53 GMT

Hi Rich,


>> My first FAQ-like question to the document would be:
>> - How can I find out which AllowOverride settings are in
>>   effect if I just have a "webspace with .htaccess" but no
>>   direct access to the httpd.conf?
> OK, I'm stumped. How would you do that, other than blind
> experimentation? Perhaps it's just been a long day, but
> I can't think of any way to find out that information
> other than adding directives and seeing what happens.

I didn't say there _is_ a better solution than blind
experimentation.
Just stating that there is no better solution might be
worth a FAQ entry, like
     http://httpd.apache.org/docs/misc/FAQ.html#ssi-part-iii
is one of this kind.

I only know from experience that this is one of the
frequent problems of webspace users. And to make it even
worse, many of them have no error_log access, so all they
get is an Internal Server Error and don't even know
what happens, as they often are not aware of the fact
that a webspace package "with .htaccess" is a heavily
underspecified statement.
I have never seen a webspace provider that exactly
describes which AllowOverride settings are actually
in effect, or even tells you that there are in fact
limitations.
I just see the problem from the webspace user's point
of view, and there may be more webspace users than
webmasters out there.

>> Your sentence "Carefully consider whether you want to give your
>> users this privilege." is of course correct, but sounds a little
>> like "so better give them fewer privileges". Which in the real world
>> leads to web space providers that allow you to run your own CGI
>> scripts but deny you "AllowOverride Options" because of "security
>> reasons". You might add a line about that as well.
> Can you give me an example line that would serve this
> purpose. I'm not entirely sure what you're getting at.

Maybe something like "carefully consider whether you
want to give your users this privilege, but make this
decision dependent upon other privileges you already
gave them, like allowing them to execute their own
CGI scripts via a ScriptAlias directory - it won't
increase your security to deny them a feature they
can get by other means, so that you only limit their
comfort of working and perhaps even make your server
slower".
(Uh, my active English is really ugly ... I hope you
at least understand what I mean: I don't like
webmasters forcing their users to re-implement half of
the Apache features via CGI just because they denied
them essential .htaccess features. If they are afraid
of security leaks they shouldn't allow CGI at all,
so if they allow CGI, why then limit AllowOverride?
Maybe this discussion goes beyond the article in
question ... maybe part of this stuff would rather
belong in http://httpd.apache.org/docs/misc/security_tips.html
and just a pointer to it in the .htaccess docs.)

Regards, Michael



---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
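
Added example, not part of the original message or of the Apache documentation: one way to make the "blind experimentation" discussed above systematic from the webspace user's side. The probe directives, the canary name and the function names are assumptions chosen for illustration; the status codes are the ones a user would collect by uploading each .htaccess in turn and requesting the same static file.

```python
from typing import Dict

# One harmless directive per AllowOverride class (assumption: the module
# providing each directive is loaded, otherwise its probe also yields 500).
PROBES = {
    "Options":    "Options +FollowSymLinks",
    "FileInfo":   "AddType text/plain .probe",
    "AuthConfig": 'AuthName "probe"',
    "Indexes":    "DirectoryIndex index.html",
    "Limit":      "Order allow,deny\nAllow from all",
}
# Deliberately unknown directive: it only causes an error if Apache
# actually reads the .htaccess file.
CANARY = "ThisIsNotARealDirective on"

def probe_files() -> Dict[str, str]:
    """Contents of each .htaccess to upload, one at a time."""
    files = {"canary": CANARY + "\n"}
    files.update({cls: text + "\n" for cls, text in PROBES.items()})
    return files

def interpret(status: Dict[str, int]) -> dict:
    """status maps 'baseline', 'canary' and each class to the HTTP status
    seen when fetching the same static file with that .htaccess in place."""
    result = {"htaccess_read": None, "allowed": [], "denied": [], "unclear": []}
    if status.get("baseline") != 200:
        return result            # test file itself is not served: no conclusion
    if status.get("canary") != 500:
        result["htaccess_read"] = False   # AllowOverride None: file is ignored,
        return result                     # so a 200 on the probes proves nothing
    result["htaccess_read"] = True
    for cls in sorted(PROBES):
        code = status.get(cls)
        key = "allowed" if code == 200 else "denied" if code == 500 else "unclear"
        result[key].append(cls)
    return result

# Constructed sample: a host that permits everything except Options.
SAMPLE = {"baseline": 200, "canary": 500, "Options": 500, "FileInfo": 200,
          "AuthConfig": 200, "Indexes": 200, "Limit": 200}

if __name__ == "__main__":
    print(interpret(SAMPLE))
```

The canary matters because with AllowOverride None the file is never parsed, so every probe returns 200 and looks the same as a server that allows everything.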

