From: James Corteciano <james@linux-source.org>
To: users@httpd.apache.org
Date: Thu, 8 Jul 2010 14:56:35 +0800
Subject: Re: [users@httpd] AllowOverride: Pros and Cons

Hi Scott,

That helps. Thanks.

James

On Thu, Jul 8, 2010 at 2:40 PM, Scott Gifford <sgifford@suspectclass.com> wrote:
> On Thu, Jul 8, 2010 at 2:28 AM, James Corteciano wrote:
> [ ... ]
>
>> I am just concerned about the security matters that will arise if I give
>> the user full access on .htaccess (AllowOverride All) on their webroot?
>
> AllowOverride All effectively allows a user who can create a .htaccess file
> to access any file the Web server can read, and execute any code they would
> like to as the Web server user. From a security perspective it's equivalent
> to giving the user a shell as the Web server user. That may or may not be
> consistent with your security objectives.
>
> Hope this helps!
>
> -----Scott.

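The trade-off Scott describes, shown as an httpd.conf fragment. This is an added example, not configuration from the thread; it assumes Apache 2.4 syntax and a shared host whose user webroots live under /home/<user>/public_html (both assumptions).

```apache
# Weak: the setting James asked about. "All" hands every override class to
# the .htaccess author. FileInfo covers handler mapping and mod_rewrite,
# Options covers ExecCGI/Includes/FollowSymLinks, so a user who can write
# .htaccess can run code as the httpd user, which is why Scott equates it
# with a shell as the web server user.
<Directory "/home/*/public_html">
    AllowOverride All
</Directory>

# Safer baseline: nothing is overridable anywhere, and httpd does not even
# look for .htaccess files, unless a more specific <Directory> grants it.
<Directory "/">
    AllowOverride None
    Require all denied
</Directory>

# Least-privilege grant for user webroots: only password protection
# (AuthConfig) and per-method access control (Limit) may be overridden.
# FileInfo, Options and Indexes stay under the administrator's control,
# and the server-side Options line pins what .htaccess cannot widen.
<Directory "/home/*/public_html">
    AllowOverride AuthConfig Limit
    Options -ExecCGI -Includes -Indexes +SymLinksIfOwnerMatch
    Require all granted
</Directory>

# If users genuinely need rewrites, grant FileInfo but keep Options
# limited to a fixed list (the Options=... form names the only values a
# .htaccess may set; ExecCGI is deliberately absent).
#<Directory "/home/*/public_html">
#    AllowOverride AuthConfig Limit FileInfo Options=MultiViews,SymLinksIfOwnerMatch
#    Options -ExecCGI -Includes -Indexes
#    Require all granted
#</Directory>
```

Run `apachectl configtest` after editing, and remember that AllowOverride is only honoured inside non-regex <Directory> sections, not in <Location> or <Files>.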