httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Christopher Drost" <chris.dros...@gmail.com>
Subject Re: v. 2.2 Documentation errors? (in mod/core.html#options and misc/security_tips.html#protectserverfiles)
Date Sat, 13 Dec 2008 18:21:58 GMT
On Sat, Dec 13, 2008 at 6:41 AM, Eric Covener <covener@gmail.com> wrote:
>
> It seems like the introductory text in the security tips section is
> okay, but the example chosen to illustrate the "normal URL mapping
> rules" is unfortunately chosen.(symlink) to illustrate  the "default
> to no access" directory container.
>
> --
> Eric Covener

The problems in the section become worse if symlinks have nothing to
do with the behavior claimed. AFAIK, without symlinks, there is no
"normal URL mapping rule" that lets you escape DocumentRoot. Well,
there are Aliases, but those are an explicit inclusion by the
webmaster of another file into the directory structure, anyway.

Come to think of it, if symlinks have nothing to do with it, then the
introductory text is in fact flat out wrong. Apache doesn't have a
feature of default access: You have to enable access explicitly with
Alias and DocumentRoot commands.

And it seems to me that the only case in which <Directory /> Deny from
all </Directory> changes anything at all, is when someone Aliases or
DocumentRoots a folder, but then forgets to add a <Directory
myfolder>Allow from all</Directory> section. But presumably, they
wanted it to be seen, so they would have added that directive in short
order anyway.

Maybe it's a useful Security Tip that you can deny access to a file or
directory that's otherwise within your DocumentRoot, with the Deny
from all directive. I don't know. But there should never be any reason
to put a Deny from all directive on a superfolder of your
DocumentRoot.  Because presumably either (a) it belongs on the
DocumentRoot directly, because you're doing Something Weird, or (b)
you'll just invalidate it later with an Allow from all directive on
your DocumentRoot.

-- Chris

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Mime
View raw message