Re: [suse-security] Apache on SuSE 7.2 and .htaccess
On Mon, 10 Sep 2001, Ernesto Fries wrote:
> chmod a+r .htaccess
> chmod a+r .htpasswd

no, this is not the problem :(

# ll .htaccess
-rw-r--r--   1 root     root           14 Sep 10 12:13 .htaccess

Markus

--
 /"\  Markus Gaugusch          ICQ 11374583
 \ /  ASCII Ribbon Campaign    markus@gaugusch.dhs.org
  X   Against HTML Mail
 / \
Hi!

Try to set

  AllowOverride All

in the httpd.conf. This directive makes the .htaccess be evaluated. If it's set to

  AllowOverride None

the .htaccess is ignored.

HTH
Chris
On Mon, 10 Sep 2001, Christian Westphal wrote:
> Try to set
>
>   AllowOverride All
>
> in the httpd.conf

I did:

  <Directory /mydir>
    AllowOverride All
  </Directory>

my .htaccess is below /mydir ... it still doesn't work :(

--
Markus Gaugusch
> There is another AllowOverride in the server-wide configuration.
> That one also has to be set to All.

thank you, now I got it, I set (note the full path)

  <Directory /usr/local/httpd/htdocs/mydir>
    AllowOverride All
  </Directory>

Dear suse-people, I think it is a bad default to ignore .htaccess in the web tree, as it brings more problems than it may prevent (IMHO). Will this default change in the next SuSE release?

thank you
Markus
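To see why the full-path section worked while `<Directory /mydir>` did not, here is an added example (not from the thread, and not SuSE's or Apache's code) that computes the AllowOverride value Apache would apply to a directory by merging the non-regex `<Directory>` sections of a constructed httpd.conf fragment from shortest to longest matching path. `SAMPLE_CONF`, `directory_overrides`, `effective_override` and `htaccess_evaluated` are names invented here.

```python
import re

# Constructed httpd.conf fragment mirroring the thread (added example, not
# from the list): a server-wide <Directory /> with AllowOverride None, the
# <Directory /mydir> that matches no real path, and the corrected full path.
SAMPLE_CONF = """
<Directory />
    Options None
    AllowOverride None
</Directory>
<Directory /mydir>
    AllowOverride All
</Directory>
<Directory /usr/local/httpd/htdocs/mydir>
    AllowOverride AuthConfig
</Directory>
"""

_DIR_RE = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.I | re.S)
_OVR_RE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.I | re.M)

def directory_overrides(conf):
    """Map each non-regex <Directory> path to its AllowOverride value
    (None when the section does not set one)."""
    out = {}
    for path, body in _DIR_RE.findall(conf):
        m = _OVR_RE.search(body)
        out[path.rstrip('/') or '/'] = m.group(1).strip() if m else None
    return out

def effective_override(conf, target):
    """Apache merges <Directory> sections from shortest to longest matching
    path, so the longest matching prefix that sets AllowOverride wins.
    Returns (section path, value); ('', 'None') when no section matches,
    which is Apache's default and means .htaccess is ignored."""
    target = target.rstrip('/') or '/'
    chosen = ('', 'None')
    for path, value in directory_overrides(conf).items():
        matched = path == '/' or target == path or target.startswith(path + '/')
        if matched and value is not None and len(path) > len(chosen[0]):
            chosen = (path, value)
    return chosen

def htaccess_evaluated(conf, target):
    """True when an .htaccess file in `target` would be read at all."""
    return effective_override(conf, target)[1].lower() != 'none'

if __name__ == '__main__':
    for d in ('/usr/local/httpd/htdocs/mydir', '/usr/local/httpd/htdocs', '/mydir'):
        print(d, effective_override(SAMPLE_CONF, d), htaccess_evaluated(SAMPLE_CONF, d))
```

Feed it the contents of a real httpd.conf in place of `SAMPLE_CONF`; a directory for which the result is `None` will have its .htaccess silently ignored, which is exactly the symptom in this thread.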
Ermmm... enabling things like authconfig override by default makes for all sorts of potential problems/weirdness. If someone wants to use authconfig and can't be bothered to enable it they probably won't be using it correctly anyways. Sticking in some examples and commenting them out is probably sufficient.

Kurt Seifried, kurt@seifried.org
PGP Key ID: 0xAD56E574
Fingerprint: A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/

----- Original Message -----
From: "Markus Gaugusch" <markus@gaugusch.dhs.org>
To: "Christian Westphal" <christian.westphal@insyte.de>
Cc: "'SuSE-Security'" <suse-security@suse.com>
Sent: Monday, September 10, 2001 5:12 AM
Subject: Re: AW: AW: [suse-security] Apache on SuSE 7.2 and .htaccess

> > There is another AllowOverride in the server-wide configuration.
> > That one also has to be set to All.
>
> thank you, now I got it, I set (note the full path)
>
>   <Directory /usr/local/httpd/htdocs/mydir>
>     AllowOverride All
>   </Directory>
>
> Dear suse-people, I think it is a bad default to ignore .htaccess in the web tree, as it brings more problems than it may prevent (IMHO). Will this default change in the next SuSE release?
>
> thank you
> Markus
>
> --
> To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
> For additional commands, e-mail: suse-security-help@suse.com
> Ermmm... enabling things like authconfig override by default makes for all sorts of potential problems/weirdness. If someone wants to use authconfig and can't be bothered to enable it they probably won't be using it correctly anyways. Sticking in some examples and commenting them out is probably sufficient.

yes, after a little bit of thinking, this is better. An entry in the SDB would also be cool. I'm no apache expert, but it just makes me crazy that .htaccess is just ignored for (apparently) no reason. Especially because the directory really needs protection ...

But now it's fine :)

thank you
Markus
Hello,

maybe this solves the problem:
http://sdb.suse.de/de/sdb/html/daniel_mod_auth_nds.html

regards
Eicke Kemm

----- Original Message -----
From: "Markus Gaugusch" <markus@gaugusch.dhs.org>
To: "Kurt Seifried" <listuser@seifried.org>
Cc: "Christian Westphal" <christian.westphal@insyte.de>; "'SuSE-Security'" <suse-security@suse.com>
Sent: Monday, September 10, 2001 1:19 PM
Subject: Re: AW: AW: [suse-security] Apache on SuSE 7.2 and .htaccess

> > Ermmm... enabling things like authconfig override by default makes for all sorts of potential problems/weirdness. If someone wants to use authconfig and can't be bothered to enable it they probably won't be using it correctly anyways. Sticking in some examples and commenting them out is probably sufficient.
>
> yes, after a little bit of thinking, this is better. An entry in the SDB would also be cool. I'm no apache expert, but it just makes me crazy that .htaccess is just ignored for (apparently) no reason. Especially because the directory really needs protection ...
>
> But now it's fine :)
>
> thank you
> Markus
..or not in German:
http://sdb.suse.de/en/sdb/html/daniel_mod_auth_nds.html
;-))

Eicke Kemm wrote:
> maybe this solves the problem:
> Ermmm... enabling things like authconfig override by default makes for all sorts of potential problems/weirdness. If someone wants to use authconfig and can't be bothered to enable it they probably won't be using it correctly anyways. Sticking in some examples and commenting them out is probably sufficient.

Hm, you will be right...

Actually, I don't see real security holes in enabling it by default. Something I missed?

Thanks a lot!
Chris
It's not holes per se, but it could be unexpected. Many sites do NOT want to grant their users the ability to use .htaccess files (increased overhead for example).

Kurt Seifried, kurt@seifried.org

----- Original Message -----
From: "Christian Westphal" <christian.westphal@insyte.de>
To: "'SuSE-Security'" <suse-security@suse.com>
Cc: "'Kurt Seifried'" <listuser@seifried.org>
Sent: Monday, September 10, 2001 5:24 AM
Subject: AW: [suse-security] Apache on SuSE 7.2 and .htaccess

> > Ermmm... enabling things like authconfig override by default makes for all sorts of potential problems/weirdness. If someone wants to use authconfig and can't be bothered to enable it they probably won't be using it correctly anyways. Sticking in some examples and commenting them out is probably sufficient.
>
> Hm, you will be right...
>
> Actually, I don't see real security holes in enabling it by default. Something I missed?
>
> Thanks a lot!
> Chris
Argh. NO. BAD MONKEY!

for example:

  <Directory />
      Options None
      AllowOverride None
      Order allow,deny
      Deny from all
  </Directory>

  <Directory /var/www/>
      Options FollowSymLinks
      AllowOverride AuthConfig
      Order allow,deny
      Allow from all
  </Directory>

is the kind of selective allowal of things you should be doing.

Kurt Seifried, kurt@seifried.org

----- Original Message -----
From: "Christian Westphal" <christian.westphal@insyte.de>
To: "'SuSE-Security'" <suse-security@suse.com>
Cc: "'Markus Gaugusch'" <markus@gaugusch.dhs.org>
Sent: Monday, September 10, 2001 5:09 AM
Subject: AW: AW: [suse-security] Apache on SuSE 7.2 and .htaccess

> > I did
> >
> >   <Directory /mydir>
> >     AllowOverride All
> >   </Directory>
>
> There is another AllowOverride in the server-wide configuration.
> That one also has to be set to All.
>
> HTH
> Chris
From my www-auth paper (http://www.seifried.org/security/www-auth/):
Apache supports a wide variety of authentication methods, several of which can be considered "standard" and are typically included in vendor packages of Apache. You can assign security to files and directories with Apache; the configuration for this is either done in the central httpd.conf file or in the defined "AccessFileName". For example, to make ".htaccess" files your access file you would add the following to httpd.conf:

  AccessFileName .htaccess

And in order to prevent people from downloading these files you would add the following to your httpd.conf:

  <Files ~ "^\.ht">
      Order allow,deny
      Deny from all
  </Files>

This means that any file starting with ".ht" (i.e. .htaccess, .htpasswd, .htgroup, .htfoobar) will not be sent if a client requests it. You will then need to configure Apache to allow for specific features, using the "AllowOverride" directive within a "<Directory>" configuration section. Typically the safest thing to do is define a "<Directory />" that disables everything and then enable features as needed on a per directory basis. For example, to allow .htaccess files in /var/www/secure-area:

  <Directory /var/www/>
      AllowOverride AuthConfig
      Order allow,deny
      Allow from all
  </Directory>

If your .htaccess file does not work and "AccessFileName" is defined then this is probably the problem.

Kurt Seifried, kurt@seifried.org
On Mon, 10 Sep 2001, Markus Gaugusch wrote:
> On Mon, 10 Sep 2001, Ernesto Fries wrote:
> > chmod a+r .htaccess
> > chmod a+r .htpasswd
>
> no, this is not the problem :(
>
> # ll .htaccess
> -rw-r--r--   1 root     root           14 Sep 10 12:13 .htaccess

how about the httpd.conf file: the directory must have the "AllowOverride AuthConfig" directive AFAIK

--
BINGO: broaden horizons
--- Engelbert Gruber ----=~ SSG Fintl,Gruber,Lassnig A6140 Telfs Untermarkt 9 Tel. ++43-5262-64727 ----=~
participants (6)
- Christian Westphal
- Eicke Kemm
- engelbert.gruber@ssg.co.at
- Kurt Seifried
- Markus Gaugusch
- Martin Haas