httpd-users mailing list archives

From Scott Gifford <sgiff...@suspectclass.com>
Subject Re: [users@httpd] AllowOverride: Pros and Cons
Date Thu, 08 Jul 2010 06:40:40 GMT
On Thu, Jul 8, 2010 at 2:28 AM, James Corteciano <james@linux-source.org> wrote:
[ ... ]

> I am just concerned about security matters that will arise if I give
> the user full access on .htaccess (AllowOverride All) on their webroot?
>

AllowOverride All effectively allows a user who can create a .htaccess file
to access any file the Web server can read, and execute any code they would
like to as the Web server user.  From a security perspective it's equivalent
to giving the user a shell as the Web server user.  That may or may not be
consistent with your security objectives.

Hope this helps!

-----Scott.
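
An added configuration example, not part of the original message: the AllowOverride All setting discussed above next to a narrower alternative that grants only selected override classes. The directory path is an assumed per-user webroot layout, and the two per-user blocks are alternatives, not meant to be loaded together.

```apache
# Added example, not from the original thread.
# Assumption: user webroots live under /home/*/public_html.

# Baseline: ignore .htaccess files everywhere unless a more specific
# <Directory> block re-enables them.
<Directory "/">
    AllowOverride None
</Directory>

# --- Alternative A (the setting asked about) ---
# Every override class is granted, so a .htaccess file can change
# handlers (FileInfo), Options such as ExecCGI/Includes/FollowSymLinks,
# and rewrite rules for anything under this tree.
<Directory "/home/*/public_html">
    AllowOverride All
</Directory>

# --- Alternative B (narrower) ---
<Directory "/home/*/public_html">
    # Set by the administrator. Users cannot change these from .htaccess
    # because the Options override class is not granted below.
    Options -ExecCGI -Includes -FollowSymLinks +SymLinksIfOwnerMatch

    # Users may configure password protection (AuthConfig) and
    # directory-index behaviour (Indexes), and nothing else.
    AllowOverride AuthConfig Indexes
</Directory>
```

With alternative B, a directive in .htaccess that falls outside the granted classes makes requests to that directory fail with a server error, which shows up in the error log and is a useful signal when reviewing what users attempt to override.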
