Posted to users@httpd.apache.org by "skrishnamur1@bloomberg.com" <sk...@bloomberg.com> on 2009/11/10 16:00:47 UTC

[users@httpd] DAV access control

Hi,

We are looking to set up SVN over Apache, but it requires the use of DAV. There are apparently security concerns over the use of DAV over Apache 2.2, in the sense that it would allow users to anonymously write content to Apache, even outside of the context of SVN. Are there any workarounds to securely enable DAV and disallow anonymous writes, etc.? Pointers to relevant literature would be appreciated.

Thanks

Re: [users@httpd] AllowOverride

Posted by Ghislain Pruniaux <gh...@univ-fcomte.fr>.
Next time I will open my eyes.

Thanks a lot


On 11/10/2009 05:13 PM, Eric Covener wrote:
> On Tue, Nov 10, 2009 at 11:04 AM, Pruniaux Ghislain
> <gh...@univ-fcomte.fr>  wrote:
>> Hi,
>> Some users on my Apache server need to use RewriteEngine in their directory.
>> They use .htaccess, but they say that does not work.
>> I think I must change AllowOverride for their directory (default is none),
>> but I could not find the AllowOverride directive for the RewriteEngine
>> (AuthConfig, FileInfo, Indexes, Limit, Options, etc.)
>
> Each directive lists the 'AllowOverride' that pertains to it:
>
> http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriterule
> RewriteRule Directive
> Description:	Defines rules for the rewriting engine
> Syntax:	RewriteRule Pattern Substitution [flags]
> Context:	server config, virtual host, directory, .htaccess
> Override:	FileInfo
>                         ^^^^^


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] AllowOverride

Posted by Eric Covener <co...@gmail.com>.
On Tue, Nov 10, 2009 at 11:04 AM, Pruniaux Ghislain
<gh...@univ-fcomte.fr> wrote:
> Hi,
> Some users on my Apache server need to use RewriteEngine in their directory.
> They use .htaccess, but they say that does not work.
> I think I must change AllowOverride for their directory (default is none),
> but I could not find the AllowOverride directive for the RewriteEngine
> (AuthConfig, FileInfo, Indexes, Limit, Options, etc.)

Each directive lists the 'AllowOverride' that pertains to it:

http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriterule
RewriteRule Directive
Description:	Defines rules for the rewriting engine
Syntax:	RewriteRule Pattern Substitution [flags]
Context:	server config, virtual host, directory, .htaccess
Override:	FileInfo
                       ^^^^^
-- 
Eric Covener
covener@gmail.com



[users@httpd] AllowOverride

Posted by Pruniaux Ghislain <gh...@univ-fcomte.fr>.
Hi,
Some users on my Apache server need to use RewriteEngine in their directory.
They use .htaccess, but they say that does not work.
I think I must change AllowOverride for their directory (default is
none), but I could not find the AllowOverride directive for the
RewriteEngine (AuthConfig, FileInfo, Indexes, Limit, Options, etc.)

Thanks



On 11/10/2009 04:00 PM, skrishnamur1@bloomberg.com wrote:
> Hi,
>
> We are looking to set up SVN over Apache, but it requires the use of DAV.
> There are apparently security concerns over the use of DAV over Apache
> 2.2, in the sense that it would allow users to anonymously write
> content to Apache, even outside of the context of SVN. Are there any
> workarounds to securely enable DAV and disallow anonymous writes, etc.?
> Pointers to relevant literature would be appreciated.
>
> Thanks
>




[users@httpd] Re: DAV access control

Posted by LuKreme <kr...@kreme.com>.
On 10-Nov-2009, at 08:00, skrishnamur1@bloomberg.com wrote:

> We are looking to set up SVN over Apache, but it requires the use of DAV.

Requires? I thought SVN over DAV was a particular configuration option?

> There are apparently security concerns over the use of DAV over Apache 2.2,

There are?

> in the sense that it would allow users to anonymously write content to Apache, even outside of the context of SVN.

Er… no, I don't think so.


-- 
NEXT TIME IT COULD BE ME ON THE SCAFFOLDING
	Bart chalkboard Ep. 2F12




Re: [users@httpd] DAV access control

Posted by André Warnier <aw...@ice-sa.com>.
skrishnamur1@bloomberg.com wrote:
> Hi,
> 
> We are looking to set up SVN over Apache, but it requires the use of DAV. There are apparently security concerns over the use of DAV over Apache 2.2, in the sense that it would allow users to anonymously write content to Apache, even outside of the context of SVN. Are there any workarounds to securely enable DAV and disallow anonymous writes, etc.? Pointers to relevant literature would be appreciated.
> 
There is nothing to stop you securing a <Location> handled by DAV, just 
like you would secure any other section of your webspace.
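
Added example, not part of the original post and not the Apache project's own configuration: one way to secure a DAV-handled <Location> on Apache 2.2 with mod_dav_svn so that anonymous writes are refused. The URL paths, repository paths, password file and realm name are placeholder assumptions.

```apache
# Constructed example for Apache 2.2 with mod_dav, mod_dav_svn and
# mod_auth_basic loaded. All paths and names below are placeholders.

# Weak: DAV enabled with no access control on the location.
# Write methods (PUT, MKCOL, DELETE, ...) are accepted without a login.
#<Location /svn>
#    DAV svn
#    SVNPath /var/svn/repo
#</Location>

# Hardened: every request to the DAV location must authenticate.
<Location /svn>
    DAV svn
    SVNPath /var/svn/repo

    # Basic auth sends the password with every request, so refuse
    # plain HTTP for this location (needs mod_ssl).
    SSLRequireSSL

    AuthType Basic
    AuthName "Subversion repository"
    AuthUserFile /etc/apache2/svn.htpasswd
    Require valid-user
</Location>

# Variant: anonymous read-only access, authenticated writes.
# Only the read-only methods are exempt from the Require line;
# everything else, including any method added later, needs a login.
<Location /svn-public>
    DAV svn
    SVNPath /var/svn/public

    AuthType Basic
    AuthName "Subversion repository"
    AuthUserFile /etc/apache2/svn.htpasswd

    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require valid-user
    </LimitExcept>
</Location>
```

DAV is only active inside the <Location> blocks that carry a DAV directive, so the rest of the webspace is not writable through it.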

