Re: [suse-security] Apache on SuSE 7.2 and .htaccess
On Mon, 10 Sep 2001, Ernesto Fries wrote:
chmod a+r .htaccess
chmod a+r .htpasswd

no, this is not the problem :(

# ll .htaccess
-rw-r--r-- 1 root root 14 Sep 10 12:13 .htaccess

Markus
--
_____________________________      /"\
Markus Gaugusch  ICQ 11374583      \ /    ASCII Ribbon Campaign
markus@gaugusch.dhs.org             X     Against HTML Mail
                                   / \
Hi!

Try to set

AllowOverride All

in the httpd.conf. This directive causes the .htaccess to be evaluated. If it's set to

AllowOverride None

the .htaccess is ignored.

HTH
Chris
On Mon, 10 Sep 2001, Christian Westphal wrote:
Try to set
AllowOverride All
In the httpd.conf

I did

AllowOverride All
</Directory>

my .htaccess is below /mydir ... it still doesn't work :(

--
Markus Gaugusch
There is another AllowOverride in the server-wide configuration. That one also has to be set to All.

thank you, now I got it, I set (note the full path)

AllowOverride All
</Directory>

Dear suse-people,
I think it is a bad default to ignore .htaccess in the web tree, as it brings more problems than it may prevent (IMHO). Will this default change in the next SuSE release?

thank you
Markus
Ermmm... enabling things like authconfig override by default makes for all
sorts of potential problems/weirdness. If someone wants to use authconfig
and can't be bothered to enable it they probably won't be using it correctly
anyways. Sticking in some examples and commenting them out is probably
sufficient.
Kurt Seifried, kurt@seifried.org
PGP Key ID: 0xAD56E574 Fingerprint:
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/
Ermmm... enabling things like authconfig override by default makes for all sorts of potential problems/weirdness. If someone wants to use authconfig and can't be bothered to enable it they probably won't be using it correctly anyways. Sticking in some examples and commenting them out is probably sufficient.

yes, after a little bit of thinking, this is better. An entry in the SDB would also be cool. I'm no apache expert, but it just makes me crazy that .htaccess is just ignored for (apparently) no reason. Especially because the directory really needs protection ...

But now it's fine :)

thank you
Markus
..or not in German: http://sdb.suse.de/en/sdb/html/daniel_mod_auth_nds.html ;-))

Eicke Kemm wrote:
maybe this solves the problem:
Ermmm... enabling things like authconfig override by default makes for all sorts of potential problems/weirdness. If someone wants to use authconfig and can't be bothered to enable it they probably won't be using it correctly anyways. Sticking in some examples and commenting them out is probably sufficient.

Hm, you will be right...

Actually, I don't see real security holes in enabling it by default. Something I missed?

Thanks a lot!
Chris
It's not holes per se, but it could be unexpected. Many sites do NOT want to
grant their users the ability to use .htaccess files (increased overhead for
example).
Kurt Seifried, kurt@seifried.org
Argh. NO. BAD MONKEY! for example:
<Directory />
Options None
AllowOverride None
Order allow,deny
Deny from all
</Directory>
I did

AllowOverride All
</Directory>

There is another AllowOverride in the server-wide configuration. That one also has to be set to All.

HTH
Chris
From my www-auth paper (http://www.seifried.org/security/www-auth/):
Apache supports a wide variety of authentication methods, several of which
can be considered "standard" and are typically included in vendor packages
of Apache. You can assign security to files and directories with Apache, the
configuration for this is either done in the central httpd.conf file or in
the defined "AccessFileName". For example to make ".htaccess" files your
access file you would add the following to httpd.conf:
AccessFileName .htaccess
And in order to prevent people from downloading these files you would add
the following to your httpd.conf:
On Mon, 10 Sep 2001, Markus Gaugusch wrote:
On Mon, 10 Sep 2001, Ernesto Fries wrote:

chmod a+r .htaccess
chmod a+r .htpasswd

no, this is not the problem :(

# ll .htaccess
-rw-r--r-- 1 root root 14 Sep 10 12:13 .htaccess

how about the httpd.conf file: the directory must have the "AllowOverride AuthConfig" directive AFAIK

--
BINGO: broaden horizons
--- Engelbert Gruber ----=~
SSG Fintl,Gruber,Lassnig
A6140 Telfs Untermarkt 9
Tel. ++43-5262-64727 ----=~
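An added example, not code from any poster in this thread: a small Python check that works out which AllowOverride value applies to a directory when several plain <Directory> sections match it, which is the situation the thread ran into with a server-wide setting masking the per-directory one. The sample configuration and its paths are constructed, wildcard and regex sections are not handled, and the fallback of All when no section sets AllowOverride is the default in Apache releases before 2.3.9 (passed as a parameter so it can be changed).

```python
import posixpath
import re

# Constructed sample: restrictive server-wide default, one directory opened
# up for authentication directives only. All paths are hypothetical.
SAMPLE_CONF = """
<Directory />
    Options None
    AllowOverride None
</Directory>
# document root keeps the restrictive setting
<Directory "/srv/www/htdocs">
    AllowOverride None
</Directory>
<Directory /srv/www/htdocs/mydir>
    AllowOverride AuthConfig
</Directory>
"""

OPEN = re.compile(r'^<Directory\s+"?([^">]+?)"?\s*>$', re.I)
ALLOW = re.compile(r'^AllowOverride\s+(.+)$', re.I)

def directory_overrides(conf_text):
    """Return [(directory, [override tokens])] in file order."""
    sections, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        if opened:
            path = opened.group(1)
            # AllowOverride is not valid in regex sections (<Directory ~ ...>).
            current = None if path.startswith("~") else posixpath.normpath(path)
        elif line.lower() == "</directory>":
            current = None
        elif current is not None and ALLOW.match(line):
            sections.append((current, ALLOW.match(line).group(1).split()))
    return sections

def effective_override(conf_text, target, default=("All",)):
    """Apply matching sections from shortest to longest path; the last one wins."""
    target, value = posixpath.normpath(target), list(default)
    hits = [(d, v) for d, v in directory_overrides(conf_text)
            if target == d or target.startswith(d.rstrip("/") + "/")]
    for _, tokens in sorted(hits, key=lambda s: len([p for p in s[0].split("/") if p])):
        value = tokens
    return value

def htaccess_auth_honoured(conf_text, target, default=("All",)):
    """True if auth directives in a .htaccess under target would be evaluated."""
    tokens = {t.lower() for t in effective_override(conf_text, target, default)}
    return bool(tokens & {"all", "authconfig"})
```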
participants (6)
- Christian Westphal
- Eicke Kemm
- engelbert.gruber@ssg.co.at
- Kurt Seifried
- Markus Gaugusch
- Martin Haas