Posted to dev@httpd.apache.org by Rob Hartill <ha...@lanl.gov> on 1996/06/25 23:09:43 UTC
[Fwd: Apache (?and others) access control gotcha]
I've just stumbled across a security gotcha in Apache 1.03, which I
suspect probably affects other NCSA derived Web servers.
Briefly, the security policy established in the
<Directory /server/root/directory>
...
</Directory>
section of access_conf does *not* control security over individual
user's public html spaces, and neither does any section
<Directory /home/username/public_html>
...
</Directory>
In other words, as far as I can see you can't control access to
individual user's public html spaces from the global access_conf file
(you can of course control it with .htaccess files in their space).
This isn't precisely a bug, but it's an undocumented feature which I
find counter-intuitive. You may wish to check whether users' space on
your server is as secure as you expect it to be (directory indexes,
for example?).
--
------- simon@galloway.co.uk (Simon Brooke) http://www.galloway.co.uk/~simon
Ye hypocrites! are these your pranks? To murder men and give God thanks?
Desist, for shame! Proceed no further: God won't accept your thanks for murther
-- Roburt Burns, 'Thanksgiving For a National Victory'
Re: [Fwd: Apache (?and others) access control gotcha]
Posted by Alexei Kosut <ak...@organic.com>.
On Tue, 25 Jun 1996, Rob Hartill wrote:
> In other words, as far as I can see you can't control access to
> individual user's public html spaces from the global access_conf file
> (you can of course control it with .htaccess files in their space).
Baloney. You can, and I have. My bet is he's screwed something up.
Sometimes Unix systems are set up with different ways to access a home
directory (/home, /users, whatever), and the one listed in <Directory>
needs to be, of course, the one Apache thinks it's using; if you put
<Directory /home/akosut> and Apache has translated ~akosut to
/users/akosut, that section doesn't mean a thing.
*shrug*
-- Alexei Kosut <ak...@organic.com> The Apache HTTP Server
http://www.nueva.pvt.k12.ca.us/~akosut/ http://www.apache.org/
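The mismatch Alexei describes (a `<Directory /home/akosut>` section that says nothing about a request Apache has already translated to `/users/akosut/...`) is easy to check mechanically. The following Python script is an added example, not code from this thread or from Apache: it reads a constructed access.conf, collects every `<Directory>` path, and reports which sections cover the filesystem path Apache resolved for `~user/public_html`. The sample config and both home paths are constructed for the example; on a real host you would take the home directory from the passwd database and pass it through `os.path.realpath` so that a symlinked `/home -> /users` is caught. Wildcard or regex `<Directory>` patterns are not handled, only plain path prefixes.

```python
import os
import re

# Constructed sample access.conf (not from the thread): a section for the
# server's document root plus one written against /home/akosut.
SAMPLE_ACCESS_CONF = """\
<Directory /usr/local/etc/httpd/htdocs>
Options Indexes FollowSymLinks
AllowOverride None
</Directory>

<Directory /home/akosut>
Options None
AllowOverride None
<Limit GET>
order deny,allow
deny from all
</Limit>
</Directory>
"""

# Matches the opening line of a <Directory path> container (plain paths only).
DIRECTORY_RE = re.compile(r"^\s*<Directory\s+([^>]+?)\s*>\s*$", re.IGNORECASE)


def directory_sections(conf_text):
    """Return the normalised paths named by every <Directory ...> opening."""
    paths = []
    for line in conf_text.splitlines():
        m = DIRECTORY_RE.match(line)
        if m:
            paths.append(os.path.normpath(m.group(1)))
    return paths


def translated_userdir(home_dir, userdir="public_html"):
    """The filesystem path Apache maps ~user/ to: the real home dir plus UserDir.

    home_dir is supplied by the caller; on a live system it would come from the
    passwd entry, and realpath() resolves any symlinked home hierarchy.
    """
    return os.path.realpath(os.path.join(home_dir, userdir))


def covering_sections(conf_text, translated_path):
    """Which <Directory> sections apply to the path Apache actually resolved?

    A section covers the path when the path equals the section or lies below it.
    An empty result means only .htaccess files (if AllowOverride permits them)
    govern that space, which is the situation Simon ran into.
    """
    target = os.path.normpath(translated_path)
    hits = []
    for section in directory_sections(conf_text):
        prefix = section.rstrip("/") + "/"
        if target == section or target.startswith(prefix):
            hits.append(section)
    return hits


def audit(conf_text, user, home_dir):
    """Return a one-line report for one user's public_html."""
    path = translated_userdir(home_dir)
    hits = covering_sections(conf_text, path)
    if hits:
        return "%s -> %s covered by %s" % (user, path, ", ".join(hits))
    return "%s -> %s NOT covered by any <Directory> section" % (user, path)


if __name__ == "__main__":
    # Constructed home paths for the two layouts Alexei mentions.
    print(audit(SAMPLE_ACCESS_CONF, "akosut", "/home/akosut"))
    print(audit(SAMPLE_ACCESS_CONF, "akosut", "/users/akosut"))
```

Run against the real access.conf with the home directory reported by `getent passwd user`; a "NOT covered" line is exactly the counter-intuitive case the original message warns about.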