httpd-users mailing list archives

From "Matus \"fantomas\" Uhlar" <uh...@fantomas.sk>
Subject Re: Auth*UserFile path ?
Date Fri, 10 May 2002 16:18:54 GMT
-> > I forgot to mention this - I think telling users the path is a very bad
-> > idea. They should not know it or need it. The path can even change.
-> 
-> Security through obscurity is rarely worth pursuing.  If you're allowing
-> the users to do anything like PHP or CGI -- really, anything beyond just
-> serving regular html files -- then they will be able to find a means of
-> determining the path to their files.

We are allowing cgi/php on one server, not allowing on another one. Even if
they have CGI/PHP allowed, they shouldn't use "static" absolute paths
because of the second reason.


-> The fact that the path can change may lead to some maintenance issues -
-> but then arbitrarily moving directories around isn't often a good idea
-> anyhow.

It will not lead to any maintenance issue - iff users will not use absolute
paths.

We take care about security also with chroot/jail etc, but I still think
telling/configuring absolute paths is a bad idea. So I search for another
solution.

These are the reasons I have. Now please help, think, advise - if you wouldn't
mind spending your time. Thank you.
-- 
 Matus "fantomas" Uhlar, uhlar@fantomas.sk ; http://www.fantomas.sk/
 Warning: I don't wish to receive spam to this address.
 Varovanie: Nezelam si na tuto adresu dostavat akukolvek reklamnu postu.
 BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease
