httpd-users mailing list archives

From "Matus \"fantomas\" Uhlar" <>
Subject Re: Auth*UserFile path ?
Date Fri, 10 May 2002 16:18:54 GMT
-> > I forgot to mention this - I think telling users the path is a very bad
-> > idea. They should not know and need it. The path can change even.
-> Security through obscurity is rarely worth pursuing.  If you're allowing
-> the users to do anything like PHP or CGI -- really, anything beyond just
-> serving regular html files -- then they will be able to find a means of
-> determining the path to their files.

We are allowing cgi/php on one server, not allowing on another one. Even if
they have CGI/PHP allowed, they shouldn't use "static" absolute paths
because of the second reason.

-> The fact that the path can change may lead to some maintenance issues -
-> but then arbitrarily moving directories around isn't often a good idea
-> anyhow.

It will not lead to any maintenance issue - iff users will not use absolute

We take care about security also with chroot/jail etc, but I still think
telling/configuring absolute paths is a bad idea. So I search for another

These are reasons I have. Now please help, think, advise - if you wouldn't
mind to spend your time. Thank you.
 Matus "fantomas" Uhlar
 Warning: I don't wish to receive spam to this address.
 Warning: I do not wish to receive any advertising mail at this address.
 BSE = Mad Cow Disease ... BSA = Mad Software Producents Disease
