From: "Eli"
To: "'Joshua Slive'"
Date: Wed, 1 Sep 2004 14:37:09 -0400
Subject: RE: [users@httpd] Getting more control over security/permission settings

Joshua Slive wrote:
> On Wed, 1 Sep 2004 13:54:49 -0400, Eli wrote:
>> By having the FrontPage extensions on the server, I am required to
>> set "AllowOverride All" to the root folder of all my websites, so
>> that the FrontPage extensions stuff can work - it creates .htaccess
>> files with "Options" settings and such to try and control security
>> per directory. I don't believe there is any way around this problem
>> with the FrontPage extensions, as my problems would be instantly
>> solved if I could instead just use FilesMatch to create one global
>> regex type set of permissions for the special FrontPage folders.
>> This isn't the case however :P
>
> Obviously this is a frontpage problem, and you're not going to have
> much help rearchitecting the entire config structure of apache to get
> around frontpage.

Quite true. I thought my suggestions may be of use for other scenarios as well though - not sure what they would be, but you can never rule out what someone may want/try to do with something given the ability ;P It would be nice to have a finer grain of control over how things are parsed/loaded with regards to permissions in Apache.

> But you can probably take advantage of some of the fine points listed
> here: http://httpd.apache.org/docs-2.0/sections.html
>
> For example,
>
> Options -ExecCGI
>
> should disable CGI everywhere and should not be overridable through
> .htaccess.

Wow - I had no idea I could use Options inside Location. This is *perfect* for a solution right now. I can specify this inside the VirtualHost directives, yet Location is not permitted in .htaccess files. Thank you!!

(to save face, the documentation doesn't seem to mention that Options is allowed in ... Oversight, or do they assume it should be deemed identical to ?)

> Other possibilities are more social: define a policy for what is
> allowed in .htaccess, plus a regular cron job to scan .htaccess files
> to make sure they match that policy. Then kick off anyone who breaks
> your policy.

A possibility, however lots of work (by me and the system) to do something like that.

Thanks again for the Location tip!

Eli.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
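
The periodic .htaccess policy scan suggested in the quoted reply above, as an added example that is not part of the original thread or of the Apache project. The allowlist of directives and the forbidden Options flags are assumptions constructed for illustration; backslash-continued lines are joined first so that an Options line split across two lines is not missed.

```python
import os

# Assumed policy, constructed for this example: directives a site owner may
# use in .htaccess, and Options flags that may never be switched on.
ALLOWED = {"options", "authtype", "authname", "authuserfile", "authgroupfile",
           "require", "order", "allow", "deny", "indexignore", "errordocument"}
FORBIDDEN_OPTIONS = {"execcgi", "all"}  # "All" includes ExecCGI


def logical_lines(text):
    """Yield (line_no, directive), joining backslash-continued lines."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines() + [""], 1):
        start = start or no
        buf += raw.lstrip()
        if buf.endswith("\\"):
            buf = buf[:-1] + " "
            continue
        if buf.strip() and not buf.startswith("#"):
            yield start, buf
        buf, start = "", 0


def check_htaccess(text):
    """Return (line_no, reason) for every directive that breaks the policy."""
    problems = []
    for no, line in logical_lines(text):
        if line.startswith("<"):  # <Limit>, <Files>: inner lines are still checked
            continue
        name, *rest = line.split(None, 1)
        if name.lower() not in ALLOWED:
            problems.append((no, "directive not allowed: " + name))
        elif name.lower() == "options":
            for opt in "".join(rest).split():
                if opt[0] != "-" and opt.lstrip("+").lower() in FORBIDDEN_OPTIONS:
                    problems.append((no, "forbidden option: " + opt))
    return problems


def scan_tree(root):
    """Map each .htaccess under root that breaks the policy to its violations."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                if found := check_htaccess(fh.read()):
                    report[path] = found
    return report
```

A cron job can call scan_tree() on the directory that holds the hosted sites and mail any non-empty report to the administrator.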