Hi Chris,

> Since they own the directory (and have to, to create files), they can
> remove any .htaccess file root creates.

Actually: Who owns a directory doesn't affect the file permissions and file ownerships of anything within the directory. How would a user be able to delete the following file?

    rw-r--r-- 1 root root 404 Apr 23 07:17 .htacces

Owned by root, permissions set to read only for all but user root and group root. The user can view the file, but that's it. If you put the file in the /web directory of the virtual site, then the user can't even delete the directory and recreate it due to the directory permissions.

Answer: The user *cannot* delete or overwrite this file and that's it. Put in the proper options and he can't even use .htaccess files in his self-created subdirectories, as the toplevel .htaccess always overrides settings of .htaccess files in a subdirectory.

FWIW: /etc/httpd/conf/access.conf has lots of interesting comments in there, and with a little tweaking of the existing rules in there the entire problem is solved with ease. For instance: You can deny usage of any .htaccess files in all directories except those that you explicitly specify in /etc/httpd/conf/access.conf.

--
Mit freundlichen Grüßen / With best regards
Michael Stauber [EMAIL PROTECTED]
Unix/Linux Support Engineer

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
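The access.conf tweak Michael describes, as an added example rather than a snippet from the thread or from the Cobalt default configuration: `AllowOverride None` at the filesystem root stops Apache from reading any .htaccess file, and it is re-enabled only for the directories the administrator names explicitly. The site path is a placeholder.

```apache
# Added example (not from the post): restricting .htaccess processing
# in /etc/httpd/conf/access.conf. "/home/sites/site1/web" is a placeholder.

# Weak setting (shown commented out): every .htaccess under the document
# roots is honoured, including ones a site user creates in subdirectories.
#<Directory />
#    AllowOverride All
#</Directory>

# Corrected: by default, ignore .htaccess files everywhere and grant no
# Options. Subdirectory .htaccess files created by users are never read.
<Directory />
    Options None
    AllowOverride None
</Directory>

# Re-enable .htaccess only for the directory the administrator controls,
# and only for the directive classes actually needed there.
<Directory "/home/sites/site1/web">
    Options Indexes FollowSymLinks
    AllowOverride AuthConfig Limit
</Directory>

# Never serve .htaccess / .htpasswd files to clients, whatever their
# on-disk permissions are.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
```

After editing, run `httpd -t` (or `apachectl configtest`) before restarting so a syntax slip does not take the server down.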
