
Re: Unix links subverting Web security



>Are per-directory .htaccess files really a security risk?  The only people who
>can look at these files with a Web browser are people who already have access.
>It's similar to /etc/passwd--the only people who (legitimately) can read
>/etc/passwd are people who already have accounts in /etc/passwd.
>
>What am I missing here?

You might not want your users (potential crackers) to know your elaborate
access scheme and fancy server options, etc.  In any case, this is
information your remote users are not supposed to see.  A remotely accessible
.htaccess is a sign of a newbie, which is encouraging for further
exploration.  Anyway, the common (maybe not, since nobody on this thread
mentioned it yet) trick for ncsa/apache httpd is:

AddType application/x-httpd-cgi .htaccess

Just make sure to chmod 644 .htaccess to make it read-only by httpd,
otherwise the error message might not be very appropriate :)

Enjoy.


__Luke


>>>>Don't forget that remote users can view .htaccess with ease just by asking
>>>>for the URL!
>>>>
>>>>       http://your-site/.htaccess
>>>
>>>No, you have 2 different directories for documents (def: htdocs) and
>>>conf (def: conf)  -  at least with ncsa-httpd and derivates
>>
>>Yes, this is the better way to do it, but a lot of people use the alternate
>>per-directory file method.
>>
>
>-- 
>Karl Boyken, sys. prog., Dept. of CS, 303A MLH, U. of Iowa, Iowa City, IA 52242
>email: karl-boyken@uiowa.edu              WWW: http://www.cs.uiowa.edu/~boyken/
>voice: 319-335-2730                                           fax: 319-335-3017
>

--
Luke Y. Lu
mailto:ylu@mail.utexas.edu
http://uts.cc.utexas.edu/~lyl/                
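The following httpd.conf fragment is an added example, not part of the original post or of any Apache distribution shipped with it. It puts the AddType trick from the post next to the two configurations a practitioner would actually prefer: an explicit access denial for .ht* files (this is what later stock httpd.conf files ship with; the directive syntax for Apache 1.3/2.2 and for 2.4 is shown, with the older form commented out so the fragment loads on 2.4), and `AllowOverride None`, which is the configuration-file route the quoted reply describes (keep access control in conf/, not in per-directory files). Paths and the server version are assumptions.

```apache
# Added example (not from the original post). How a request for
# http://your-site/.htaccess is handled under three configurations of
# Apache httpd. Assumes a stock layout with DocumentRoot /usr/local/apache/htdocs.

# --- Weak (the situation the thread complains about) ---------------------
# No directive at all: .htaccess has no special type, so httpd serves it
# as an ordinary document and the client reads the whole access scheme.

# --- The trick from the post ----------------------------------------------
# Declaring .htaccess a CGI script makes httpd try to execute the file
# instead of sending it. With mode 644 (not executable) the exec fails and
# the client gets a 500 error page rather than the directives. This hides
# the file by side effect; it is not an access-control decision, and the
# server still processes the file as a per-directory config as usual.
AddType application/x-httpd-cgi .htaccess

# --- Preferred: deny the request outright ----------------------------------
# Access checks run before the handler is chosen, so a denied request never
# reaches AddType at all. Keep exactly one of the two forms below active.

# Apache 1.3 / 2.2 form (mod_access):
# <Files ~ "^\.ht">
#     Order allow,deny
#     Deny from all
#     Satisfy All
# </Files>

# Apache 2.4 form (mod_authz_core):
<Files ".ht*">
    Require all denied
</Files>

# --- Also preferred: don't use per-directory files at all -----------------
# With AllowOverride None, httpd never opens .htaccess under the document
# tree, so the access scheme lives only in conf/ where remote users cannot
# request it. Per-directory access rules then go in <Directory> blocks here.
<Directory "/usr/local/apache/htdocs">
    AllowOverride None
</Directory>
```

To check a deployment, request `/.htaccess` from outside and confirm the status: a 403 means the Files block is doing its job, a 500 means only the CGI trick is in place, and a 200 with directive text means the file is exposed. When using the AddType trick alone, also make sure no `Options +ExecCGI` or `ScriptAlias` setting leaves the file executable by the server.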