httpd-docs mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: v. 2.2 Documentation errors? (in mod/core.html#options and misc/security_tips.html#protectserverfiles)
Date Sat, 13 Dec 2008 00:59:06 GMT
Christopher Drost wrote:
> 
> The error comes when misc/security_tips.html#protectserverfiles also
> claims a resolution to this problem. The resolution consists of
> sticking the directive:
> 
> <Directory />
>     Order Deny,Allow
>     Deny from all
> </Directory>

No, I don't believe it's claiming that this is the entire solution.  This
is one piece of a multi-layer puzzle.  The proper solution is to not allow
Options FollowSymLinks from *any* untrusted (user-modifiable) system path.

Only root-owned directories should be set to allow FollowSymLinks
(which is much faster) while the user-controlled directories should not.

If the documentation is unclear, I'd agree this needs to be clarified.
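
The following is an added example, not part of the original message or of the httpd project: a small Python audit that lists `<Directory>` blocks explicitly enabling FollowSymLinks and reports those whose path is not root-controlled. The sample configuration, its paths, the function names, and the reading of "root-owned" as "owned by uid 0 and not group/world-writable at every path component" are assumptions; inherited options and .htaccess overrides are not modelled.

```python
import os
import re
import stat

# Constructed sample in httpd 2.2 syntax; the paths are assumptions.
SAMPLE_CONF = """\
<Directory />
    Order Deny,Allow
    Deny from all
</Directory>
<Directory /usr/local/apache2/htdocs>
    Options FollowSymLinks
</Directory>
<Directory /home/alice/public_html>
    Options +FollowSymLinks
</Directory>
"""

def root_controlled(path, st=os.stat):
    """True if path and every parent are owned by uid 0 and not group/world-writable."""
    path = os.path.abspath(path)
    while True:
        try:
            info = st(path)
        except OSError:
            return False  # missing or unreadable: treat as untrusted
        if info.st_uid != 0 or info.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False
        parent = os.path.dirname(path)
        if parent == path:  # reached the filesystem root
            return True
        path = parent

def follow_symlinks_blocks(conf):
    """Paths of <Directory> blocks whose Options line turns FollowSymLinks on."""
    hits = []
    pattern = r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>'
    for path, body in re.findall(pattern, conf, re.I | re.S):
        for line in body.splitlines():
            words = line.split()
            if words and words[0].lower() == "options":
                opts = {w.lstrip("+").lower() for w in words[1:]}
                if opts & {"followsymlinks", "all"}:  # All includes FollowSymLinks
                    hits.append(path)
    return hits

def audit(conf, trusted=root_controlled):
    """Blocks that enable FollowSymLinks on a path that is not root-controlled."""
    return [p for p in follow_symlinks_blocks(conf) if not trusted(p)]
```

Blocks reported by `audit` are candidates for `Options SymLinksIfOwnerMatch` or for dropping symlink following altogether.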
