Posted to users@httpd.apache.org by BAO RuiXian <ba...@atbusiness.com> on 2002/08/23 11:35:28 UTC
Re: Start laughing already - securing files with Apache and Windowsquestion
Why not, since the directory is protected? Or the protection level is not high enough?
Bao
"J. Greenlees" wrote:
> no, you don't want it in any directory that a browser will access.
> only ever put password files outside of web structure directories.
>
> BAO RuiXian wrote:
>
> >Boyle Owen wrote:
> >
> >>(4) You put the password file anywhere you like EXCEPT inside the docroot
> >>
> >>*** I think this might be what was confusing you. You can put the file anywhere at all - there is no special place for it. However, you have made one big mistake which is to put it under your docroot (D:/web). This won't stop it working but it is not very secure since it means a browser can see it! move it somewhere unbrowseable like D:/pwds.
> >>
> >
> >Just for peculiarity, can we put the password file into the protected directory itself? I think it should also be safe.
> >
> >Bao
--
BAO RuiXian, PROGRAMMER, Project Consulting Team, Software Services Group
AtBusiness Communications Corporation, Kaapeliaukio 1, FIN-00180 Helsinki
Telephone +358-9-2311 6674, Mobile +358-50-329 6275, Fax +358-9-2311 6601
Web: www.atbusiness.com, Email: {bao.ruixian, ruixian.bao}@atbusiness.com
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
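A check for the layout discussed in this thread, as an added example that is not part of any poster's message: it flags AuthUserFile/AuthGroupFile paths that sit under DocumentRoot, using the thread's D:/web and D:/pwds as sample paths. The config snippets and function names are constructed for illustration, and only absolute paths are handled.

```python
import ntpath
import re

# Constructed sample configs (not from the thread): the layout the thread warns
# about (password file under D:/web) and the corrected one (D:/pwds).
WEAK_CONF = '''
DocumentRoot "D:/web"
<Directory "D:/web/private">
    AuthType Basic
    AuthName "Private"
    AuthUserFile "D:/web/private/passwords"
    Require valid-user
</Directory>
'''
FIXED_CONF = WEAK_CONF.replace('"D:/web/private/passwords"', '"D:/pwds/passwords"')

# One directive per line: name, whitespace, then the (possibly quoted) path.
DIRECTIVE = re.compile(
    r'^[ \t]*(DocumentRoot|AuthUserFile|AuthGroupFile)[ \t]+(.+?)[ \t]*$',
    re.IGNORECASE | re.MULTILINE)

def _norm(path):
    """Normalize a Windows path: strip quotes, resolve '..', fold case and slashes."""
    return ntpath.normcase(ntpath.normpath(path.strip('"\'')))

def is_under(path, root):
    """True if path is root itself or lies below it (not merely a name prefix)."""
    path, root = _norm(path), _norm(root)
    return path == root or path.startswith(root.rstrip('\\') + '\\')

def exposed_auth_files(conf_text):
    """Return (directive, path) pairs whose file sits inside any DocumentRoot.

    Assumption: paths are absolute; relative paths are not resolved here.
    """
    found = [(m.group(1), m.group(2)) for m in DIRECTIVE.finditer(conf_text)]
    roots = [p for name, p in found if name.lower() == 'documentroot']
    return [(name, p.strip('"\'')) for name, p in found
            if name.lower() != 'documentroot'
            and any(is_under(p, r) for r in roots)]

if __name__ == '__main__':
    for label, conf in (('weak', WEAK_CONF), ('fixed', FIXED_CONF)):
        print(label, exposed_auth_files(conf))
```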
Re: Start laughing already - securing files with Apache and Windowsquestion
Posted by Zac Stevens <zt...@cryptocracy.com>.
On Fri, Aug 23, 2002 at 03:23:25AM -0700, J. Greenlees wrote:
> well, look up the press reports from when windoes 1.0 came out, you will
> find a quote from mr evil gates itself to show them.
When Windows 1.0 was released, neither Linux nor {Free|Open|Net}BSD
existed. Both have come a long way in the time since.
In any event, I don't think the platform propagandising is really
appropriate for this forum. Could you please take it off-list?
Cheers,
Zac
Re: Start laughing already - securing files with Apache and Windowsquestion
Posted by "J. Greenlees" <ja...@shaw.ca>.
~LOL~
well, look up the press reports from when windoes 1.0 came out, you will
find a quote from mr evil gates itself to show them.
~g~
then point out that they have to pay for every copy of win at 150 (cdn)
each, with the *nix it is only what 70 (cdn) for the single copy you
have to buy..unless downloading it then only the blank cd's is the cost.
the size you mention win costs them thousands for upgrades and in repair
bills.
if the security risk doesn't bother them, the savings might help.
if you have a notebook, put a new version of linux on it and show them
that it is as easy to use as win.
just a bit more complicated to setup. ~l~
but I'll never buy anything for win again.
considering buying maya though, their linux version runs better than the
original version ( mac)
but at 7 thousand us for it it's a bit steep.
Koen Vingerhoets wrote:
>Tell my bosses...
>The online game I run is more secure than our three servers with sensitive
>data (address, mail, phone) from over 500 companies and their employees :(
>*sighs sadly*
>
>Koen
>
>
>-----Original Message-----
>From: J. Greenlees [mailto:jaqui@shaw.ca]
>Sent: 23 August 2002 12:06
>To: users@httpd.apache.org
>Subject: Re: Start laughing already - securing files with Apache and Windowsquestion
>
>
>well, for starters, it is a bad practice to leave security data accessible.
>then with a win based server, you have security holes being used all the
>time by people that hate microsoft. ( outlook express attracts email
>viri, iis has, that I have heard of, over 20 security holes in it )
>apache is more secure, but the os is not secure, no matter what you do,
>so never leave any security related documentation for the server where
>people could conceivably access it.
>( being polite here, spend too much time repairing computers with
>microsoft os to like it, specially when *nix systems don't have the
>same problems.)
>
>did you know that windows was written for the sole purpose of playing
>games? that is it, it is only meant for home users to play games on.
>
>most professionals actually consider windows to be a completely
>non-professional os/ui
>( win nt, 2k, and xp do still require dos, even though microsoft says
>otherwise.)
>* check your windows\system32 dir for ntdos*.sys, there are four
>different ones in there
>wish I still had the email from alias-wavefront, where one of their
>staff told me that the creators of maya 3d modelling animation package
>do not consider win to be professional os.
>
>maya is owned by alias-wavefront. :-)
>
>
>BAO RuiXian wrote:
>
>>Why not, since the directory is protected? Or the protection level is not high enough?
>>
>>Bao
>>
>>"J. Greenlees" wrote:
>>
>>>no, you don't want it in any directory that a browser will access.
>>>only ever put password files outside of web structure directories.
>>>
>>>BAO RuiXian wrote:
>>>
>>>>Boyle Owen wrote:
>>>>
>>>>>(4) You put the password file anywhere you like EXCEPT inside the docroot
>>>>>
>>>>>*** I think this might be what was confusing you. You can put the file anywhere at all - there is no special place for it. However, you have made one big mistake which is to put it under your docroot (D:/web). This won't stop it working but it is not very secure since it means a browser can see it! move it somewhere unbrowseable like D:/pwds.
>>>>>
>>>>Just for peculiarity, can we put the password file into the protected directory itself? I think it should also be safe.
>>>>
>>>>Bao
>>>>
RE: Start laughing already - securing files with Apache and Windowsquestion
Posted by Koen Vingerhoets <ko...@ubench.com>.
Tell my bosses...
The online game I run is more secure than our three servers with sensitive
data (address, mail, phone) from over 500 companies and their employees :(
*sighs sadly*
Koen
-----Original Message-----
From: J. Greenlees [mailto:jaqui@shaw.ca]
Sent: 23 August 2002 12:06
To: users@httpd.apache.org
Subject: Re: Start laughing already - securing files with Apache and Windowsquestion
well, for starters, it is a bad practice to leave security data accessible.
then with a win based server, you have security holes being used all the
time by people that hate microsoft. ( outlook express attracts email
viri, iis has, that I have heard of, over 20 security holes in it )
apache is more secure, but the os is not secure, no matter what you do,
so never leave any security related documentation for the server where
people could conceivably access it.
( being polite here, spend too much time repairing computers with
microsoft os to like it, specially when *nix systems don't have the
same problems.)
did you know that windows was written for the sole purpose of playing
games? that is it, it is only meant for home users to play games on.
most professionals actually consider windows to be a completely
non-professional os/ui
( win nt, 2k, and xp do still require dos, even though microsoft says
otherwise.)
* check your windows\system32 dir for ntdos*.sys, there are four
different ones in there
wish I still had the email from alias-wavefront, where one of their
staff told me that the creators of maya 3d modelling animation package
do not consider win to be professional os.
maya is owned by alias-wavefront. :-)
BAO RuiXian wrote:
>Why not, since the directory is protected? Or the protection level is not high enough?
>
>Bao
>
>"J. Greenlees" wrote:
>
>>no, you don't want it in any directory that a browser will access.
>>only ever put password files outside of web structure directories.
>>
>>BAO RuiXian wrote:
>>
>>>Boyle Owen wrote:
>>>
>>>>(4) You put the password file anywhere you like EXCEPT inside the docroot
>>>>
>>>>*** I think this might be what was confusing you. You can put the file anywhere at all - there is no special place for it. However, you have made one big mistake which is to put it under your docroot (D:/web). This won't stop it working but it is not very secure since it means a browser can see it! move it somewhere unbrowseable like D:/pwds.
>>>>
>>>Just for peculiarity, can we put the password file into the protected directory itself? I think it should also be safe.
>>>
>>>Bao
>>>
>
Re: Start laughing already - securing files with Apache and Windowsquestion
Posted by "J. Greenlees" <ja...@shaw.ca>.
well, for starters, it is a bad practice to leave security data accessible.
then with a win based server, you have security holes being used all the
time by people that hate microsoft. ( outlook express attracts email
viri, iis has, that I have heard of, over 20 security holes in it )
apache is more secure, but the os is not secure, no matter what you do,
so never leave any security related documentation for the server where
people could conceivably access it.
( being polite here, spend too much time repairing computers with
microsoft os to like it, specially when *nix systems don't have the
same problems.)
did you know that windows was written for the sole purpose of playing
games? that is it, it is only meant for home users to play games on.
most professionals actually consider windows to be a completely
non-professional os/ui
( win nt, 2k, and xp do still require dos, even though microsoft says
otherwise.)
* check your windows\system32 dir for ntdos*.sys, there are four
different ones in there
wish I still had the email from alias-wavefront, where one of their
staff told me that the creators of maya 3d modelling animation package
do not consider win to be professional os.
maya is owned by alias-wavefront. :-)
BAO RuiXian wrote:
>Why not, since the directory is protected? Or the protection level is not high enough?
>
>Bao
>
>"J. Greenlees" wrote:
>
>>no, you don't want it in any directory that a browser will access.
>>only ever put password files outside of web structure directories.
>>
>>BAO RuiXian wrote:
>>
>>>Boyle Owen wrote:
>>>
>>>>(4) You put the password file anywhere you like EXCEPT inside the docroot
>>>>
>>>>*** I think this might be what was confusing you. You can put the file anywhere at all - there is no special place for it. However, you have made one big mistake which is to put it under your docroot (D:/web). This won't stop it working but it is not very secure since it means a browser can see it! move it somewhere unbrowseable like D:/pwds.
>>>>
>>>Just for peculiarity, can we put the password file into the protected directory itself? I think it should also be safe.
>>>
>>>Bao
>>>
>