Posted to users@httpd.apache.org by James Corteciano <ja...@linux-source.org> on 2010/07/08 08:28:46 UTC

[users@httpd] AllowOverride: Pros and Cons

Hi All,

I would like to hear your ideas on what the pros and cons are if I set
a specific directive type for AllowOverride, like AuthConfig,
FileInfo, Indexes, Limit, and Options.

I am just concerned about the security issues that would arise if I gave
the user full access to .htaccess (AllowOverride All) on their webroot.

Thanks.
James

Re: [users@httpd] AllowOverride: Pros and Cons

Posted by James Corteciano <ja...@linux-source.org>.
Hi Scott,

That helps. Thanks.

James

On Thu, Jul 8, 2010 at 2:40 PM, Scott Gifford <sg...@suspectclass.com> wrote:

> On Thu, Jul 8, 2010 at 2:28 AM, James Corteciano <ja...@linux-source.org> wrote:
> [ ... ]
>
>> I am just concerned about the security issues that would arise if I gave
>> the user full access to .htaccess (AllowOverride All) on their webroot.
>>
>
> AllowOverride All effectively allows a user who can create a .htaccess file
> to access any file the Web server can read, and execute any code they would
> like to as the Web server user.  From a security perspective it's equivalent
> to giving the user a shell as the Web server user.  That may or may not be
> consistent with your security objectives.
>
> Hope this helps!
>
> -----Scott.
>
>

Re: [users@httpd] AllowOverride: Pros and Cons

Posted by Scott Gifford <sg...@suspectclass.com>.
On Thu, Jul 8, 2010 at 2:28 AM, James Corteciano <ja...@linux-source.org> wrote:
[ ... ]

> I am just concerned about the security issues that would arise if I gave
> the user full access to .htaccess (AllowOverride All) on their webroot.
>

AllowOverride All effectively allows a user who can create a .htaccess file
to access any file the Web server can read, and execute any code they would
like to as the Web server user.  From a security perspective it's equivalent
to giving the user a shell as the Web server user.  That may or may not be
consistent with your security objectives.

Hope this helps!

-----Scott.

Re: [users@httpd] AllowOverride: Pros and Cons

Posted by Sheryl <gu...@his.com>.
> Hi Sheryl,
>
> Thanks for your reply.
>
> I'm not sure how I can give users a better solution, as they need .htaccess
> files on their webroot.

Sorry about the delay in replying.  I didn't have time to read the list
last week.

As I think I said, it all depends upon the circumstances.  If you're doing
web hosting for a few thousand users who are independent of each other,
I'm not sure what you could do better either because I haven't tried to
work out anything for that situation except .htaccess (that was in a
university setting so we were pretty open).

If, however, you've got a few developers working toward eventual
deployment of a corporate site to production, you should be able to
tighten controls and eliminate .htaccess files while moving from
development to QA and then production.

Hard to say much more without knowing more about your environment, and
even then I might not have that much to add if I haven't worked on a
solution for an environment similar to yours before.

Regards,

Sheryl

>
> Regards,
> James
>



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] AllowOverride: Pros and Cons

Posted by James Corteciano <ja...@linux-source.org>.
Hi Sheryl,

Thanks for your reply.

I'm not sure how I can give users a better solution, as they need .htaccess
files on their webroot.

Regards,
James

On Thu, Jul 8, 2010 at 11:42 PM, Sheryl <gu...@his.com> wrote:

> > Hi All,
> >
> > I would like to hear your ideas on what the pros and cons are if I set
> > a specific directive type for AllowOverride, like AuthConfig,
> > FileInfo, Indexes, Limit, and Options.
>
> Most security guidelines say no to Indexes.  It's tolerable to allow
> overrides on most things for a development box for developer convenience,
> but by the time a site gets to production (particularly outside-facing)
> pretty much anything worked out in .htaccess should be rolled into the
> httpd.conf.
>
> > I am just concerned about the security issues that would arise if I gave
> > the user full access to .htaccess (AllowOverride All) on their webroot.
>
> I would resist, or at minimum get support for not allowing it in QA and
> production.  Something you can use for support is the CISecurity Apache
> Benchmark.  It's downloadable for free from cisecurity.org.  I just took a
> quick look and they recommend "AllowOverride None".
>
> Sheryl
>
> >
> > Thanks.
> > James
> >
>
>
>

Re: [users@httpd] AllowOverride: Pros and Cons

Posted by Sheryl <gu...@his.com>.
> Hi All,
>
> I would like to hear your ideas on what the pros and cons are if I set
> a specific directive type for AllowOverride, like AuthConfig,
> FileInfo, Indexes, Limit, and Options.

Most security guidelines say no to Indexes.  It's tolerable to allow
overrides on most things for a development box for developer convenience,
but by the time a site gets to production (particularly outside-facing)
pretty much anything worked out in .htaccess should be rolled into the
httpd.conf.

> I am just concerned about the security issues that would arise if I gave
> the user full access to .htaccess (AllowOverride All) on their webroot.

I would resist, or at minimum get support for not allowing it in QA and
production.  Something you can use for support is the CISecurity Apache
Benchmark.  It's downloadable for free from cisecurity.org.  I just took a
quick look and they recommend "AllowOverride None".

Sheryl

>
> Thanks.
> James
>
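Added example, not from this thread or from the Apache project, illustrating two points made above: Scott's, that a .htaccess honoured under AllowOverride All lets whoever writes it run programs as the web server user (here through Options +ExecCGI plus AddHandler cgi-script, which need the Options and FileInfo classes), and Sheryl's, that anything worked out in .htaccess should be rolled into httpd.conf before the override is tightened to None. The script maps each directive in a .htaccess to the AllowOverride class that permits it and reports what a proposed setting would do: a directive whose class is not enabled makes Apache refuse the request (HTTP 500, with "... not allowed here" in the error log), and under AllowOverride None the file is not read at all. The directive table is a representative subset taken from the Override field of the httpd reference, not the complete list; the sample .htaccess and the path /var/www/example/.htpasswd are constructed for the example; the 2.4 Nonfatal= option is skipped rather than modelled.

```python
"""Audit a .htaccess file against a proposed AllowOverride setting (added example)."""
from typing import Dict, FrozenSet, List, NamedTuple

ALL_CLASSES = frozenset({"AuthConfig", "FileInfo", "Indexes", "Limit", "Options"})

def _one(cls: str) -> FrozenSet[str]:
    return frozenset({cls})

# Directive (lower-cased first token) -> override classes, any one of which permits
# it in .htaccess.  Taken from the "Override:" field of the httpd reference for each
# directive; a representative subset, not the full list.
OVERRIDE_CLASSES: Dict[str, FrozenSet[str]] = {
    **{d: _one("AuthConfig") for d in ("authname", "authtype", "authuserfile",
                                       "authgroupfile", "authbasicprovider", "require")},
    **{d: _one("FileInfo") for d in ("addhandler", "sethandler", "addtype", "errordocument",
                                     "header", "redirect", "redirectmatch", "rewriteengine",
                                     "rewritebase", "rewritecond", "rewriterule")},
    **{d: _one("Indexes") for d in ("directoryindex", "indexoptions", "indexignore",
                                    "headername", "readmename")},
    **{d: _one("Limit") for d in ("order", "allow", "deny")},
    **{d: _one("Options") for d in ("options", "xbithack")},
    # Containers: <Limit>/<LimitExcept> are accepted under AuthConfig or Limit;
    # <Files>, <FilesMatch>, <IfModule>, <IfDefine> under any enabled class.
    "<limit": frozenset({"AuthConfig", "Limit"}),
    "<limitexcept": frozenset({"AuthConfig", "Limit"}),
    **{d: ALL_CLASSES for d in ("<files", "<filesmatch", "<ifmodule", "<ifdefine")},
}

class Finding(NamedTuple):
    lineno: int
    directive: str
    needs: FrozenSet[str]   # empty when the directive is not in the table
    status: str             # "honoured", "rejected", "ignored" or "unknown"

def parse_allow_override(value: str) -> FrozenSet[str]:
    """'All', 'None' or a list such as 'AuthConfig Limit' -> enabled classes.
    Nonfatal=... options (2.4) are skipped rather than modelled."""
    words = [w for w in value.split() if not w.lower().startswith("nonfatal=")]
    if not words or words[0].lower() == "none":
        return frozenset()
    if words[0].lower() == "all":
        return ALL_CLASSES
    canon = {c.lower(): c for c in ALL_CLASSES}
    return frozenset(canon[w.lower()] for w in words if w.lower() in canon)

def audit_htaccess(text: str, allow_override: str) -> List[Finding]:
    """One Finding per directive line, as Apache would treat it under the setting."""
    enabled = parse_allow_override(allow_override)
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("</"):
            continue                    # blank, comment or section close
        token = line.split(None, 1)[0].rstrip(">").lower()
        needs = OVERRIDE_CLASSES.get(token, frozenset())
        if not enabled:
            status = "ignored"          # AllowOverride None: file never read
        elif not needs:
            status = "unknown"          # not in our table; check the reference
        elif needs & enabled:
            status = "honoured"
        else:
            status = "rejected"         # "... not allowed here", request gets 500
        findings.append(Finding(lineno, token, needs, status))
    return findings

def required_overrides(text: str) -> FrozenSet[str]:
    """Smallest set of classes under which every known directive is honoured:
    what the replacement <Directory> block in httpd.conf has to cover."""
    needed: set = set()
    known = [f for f in audit_htaccess(text, "All") if f.needs]
    for f in sorted(known, key=lambda f: len(f.needs)):   # single-class first
        if not (needed & f.needs):
            needed.add(min(f.needs))
    return frozenset(needed)

# Constructed sample .htaccess (not from the thread): a routine auth setup plus
# the two lines that let whoever writes the file run programs as the httpd user.
SAMPLE_HTACCESS = """\
# password-protect this directory
AuthType Basic
AuthName "Staff"
AuthUserFile /var/www/example/.htpasswd
Require valid-user
<Limit POST>
    Order deny,allow
    Deny from all
</Limit>
ErrorDocument 404 /missing.html
# with FileInfo and Options enabled, any uploaded .sh now runs as the server user
Options +ExecCGI
AddHandler cgi-script .sh
"""

if __name__ == "__main__":
    for setting in ("All", "AuthConfig Limit", "None"):
        print(f"AllowOverride {setting}:")
        for f in audit_htaccess(SAMPLE_HTACCESS, setting):
            print(f"  line {f.lineno:2d} {f.directive:<14} {f.status}")
    print("classes httpd.conf must provide:", sorted(required_overrides(SAMPLE_HTACCESS)))
```

Feed it each .htaccess found under the docroot. Under "AuthConfig Limit" the auth lines and the <Limit> block are honoured while the ErrorDocument, Options and AddHandler lines are rejected, which is the trade-off between the narrow setting and user convenience; the classes returned by required_overrides are what the corresponding <Directory> block in httpd.conf has to provide before the override can go down to AllowOverride None, or, on 2.4, to an AllowOverrideList naming only the directives actually in use.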


