httpd-users mailing list archives

From "Eli" <eli-l...@experthost.com>
Subject RE: [users@httpd] Getting more control over security/permission settings
Date Wed, 01 Sep 2004 18:37:09 GMT
Joshua Slive wrote:
> On Wed, 1 Sep 2004 13:54:49 -0400, Eli <eli-list@experthost.com>
> wrote: 
>> By having the FrontPage extensions on the server, I am required to
>> set "AllowOverride All" to the root folder of all my websites, so
>> that the FrontPage extensions stuff can work - it creates .htaccess
>> files with "Options" settings and such to try and control security
>> per directory.  I don't believe there is any way around this problem
>> with the FrontPage extensions, as my problems would be instantly
>> solved if I could instead just use FilesMatch to create one global
>> regex type set of permissions for the special FrontPage folders. 
>> This isn't the case however :P 
> 
> Obviously this is a frontpage problem, and you're not going to have
> much help rearchitecting the entire config structure of apache to get
> around frontpage.

Quite true.  I thought my suggestions may be of use for other scenarios as
well though - not sure what they would be, but you can never rule out what
someone may want/try to do with something given the ability ;P  It would be
nice to have a finer grain of control over how things are parsed/loaded with
regards to permissions in Apache.

> But you can probably take advantage of some of the fine points listed
> here: http://httpd.apache.org/docs-2.0/sections.html
> 
> For example,
> <Location />
> Options -ExecCGI
> </Location>
> should disable CGI everywhere and should not be overridable through
> .htaccess. 

Wow - I had no idea I could use Options inside Location.  This is *perfect*
for a solution right now.  I can specify this inside the VirtualHost
directives, yet Location is not permitted in .htaccess files.  Thank you!!
(to save face, the documentation doesn't seem to mention that Options is
allowed in <Location>... Oversight, or do they assume it should be deemed
identical to <Directory> ?)

> Other possibilities are more social: define a policy for what is
> allowed in .htaccess, plus a regular cron job to scan .htaccess files
> to make sure they match that policy.  Then kick off anyone who breaks
> your policy.

A possibility, however lots of work (by me and the system) to do something
like that.

Thanks again for the Location tip!

Eli.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
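
The `.htaccess` policy scan suggested in the quoted reply, sketched as an added example that is not part of the original message or of Apache itself. The allow-list, the forbidden `Options` keywords and the sample input are assumptions constructed for illustration; a cron job would call `scan_tree()` on the document roots and report whatever it returns.

```python
import os

# Assumed policy, constructed for this example: directives a site may use in
# .htaccess, and Options keywords that must never be switched on there.
ALLOWED_DIRECTIVES = {"options", "authtype", "authname", "authuserfile", "authgroupfile",
                      "require", "order", "allow", "deny", "indexignore"}
ALLOWED_CONTAINERS = {"limit"}
FORBIDDEN_OPTIONS = {"execcgi", "includes", "all"}  # "All" covers ExecCGI too
# Constructed sample input, not taken from a real site.
SAMPLE = ("Options -ExecCGI +Indexes\n<Limit GET POST>\norder deny,allow\n</Limit>\n"
          "Options \\\n  +ExecCGI\nAddHandler cgi-script .pl\n")


def audit_htaccess(text):
    """Return (logical_line_number, reason) for every policy violation."""
    findings = []
    # Join backslash-continued lines first so a split directive is seen whole.
    lines = text.replace("\\\n", "").splitlines()
    for n, line in enumerate(lines, 1):
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        name = words[0].lower()
        if name.startswith("<"):  # container such as <Limit GET POST> or </Limit>
            if name.strip("<>/") not in ALLOWED_CONTAINERS:
                findings.append((n, "container not allowed: " + words[0]))
        elif name not in ALLOWED_DIRECTIVES:
            findings.append((n, "directive not allowed: " + words[0]))
        elif name == "options":
            for opt in words[1:]:
                # A leading "-" never matches: switching an option off is permitted.
                if opt.lstrip("+").lower() in FORBIDDEN_OPTIONS:
                    findings.append((n, "forbidden option enabled: " + opt))
    return findings


def scan_tree(root):
    """Audit each .htaccess under root; return {path: findings} for offenders."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = audit_htaccess(fh.read())
            if found:
                report[path] = found
    return report
```

Anything outside the allow-list is reported rather than ignored, so a directive the policy author never thought of is flagged for review instead of passing silently.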

