At 10:48 PM 4/22/2002, you wrote:
>Hi Chris,
>
> > Since they own the directory (and have to, to create files), they can
> > remove any .htaccess file root creates.
>
>Actually: Who owns a directory doesn't affect the file permissions and file
>ownerships of anything within the directory.
>
>How would a user be able to delete the following file?
>
>rw-r--r-- 1 root root 404 Apr 23 07:17 .htacces
>
>Owned by root, permissions set to read only for all but user root and group
>root. The user can view the file, but that's it. If you put the file in the
>/web directory of the virtual site, then the user can't even delete the
>directory and recreate it due to the directory permissions.
>
>Answer: The user *cannot* delete or overwrite this file and that's it. Put in
>the proper options and he can't even use .htaccess files in his self created
>subdirectories, as the toplevel .htaccess always overrides settings of
>.htaccess files in a subdirectory.
>
>FWIW: /etc/httpd/conf/access.conf has lots of interesting comments in there
>and with a little tweaking of the existing rules in there the entire problem
>is solved with ease.

You know I have changed the above file a few times, and somehow the RAQ always changes it back from a saved file somewhere.

>For instance: You can deny usage of any .htaccess files in all directories
>except those that you explicitly specify in /etc/httpd/conf/access.conf
>
>--
>
>Mit freundlichen Grüßen / With best regards
>
>Michael Stauber
>[EMAIL PROTECTED]
>Unix/Linux Support Engineer
>
>_______________________________________________
>cobalt-security mailing list
>[EMAIL PROTECTED]
>http://list.cobalt.com/mailman/listinfo/cobalt-security

Paul Jacobs / Senior Network Eng.
Yourwebcentral.com "Host ANY website"
http://www.yourwebcentral.com
mailto:[EMAIL PROTECTED]
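
Added example, not part of either poster's message: a Python model of the Linux rule that decides whether a caller may remove a directory entry, plus an audit that lists the `.htaccess` files under a docroot that a given site user could remove. The names `can_unlink`, `audit_htaccess` and `demo` are hypothetical, and the model ignores ACLs and the immutable file attribute.

```python
import os
import stat
import tempfile


def can_unlink(uid, gids, dir_st, file_st):
    """Model of the Linux unlink(2) permission check for a caller with the
    given uid and group ids. Ignores ACLs, capabilities other than uid 0,
    and the ext2/3/4 immutable attribute."""
    if uid == 0:
        return True
    # Pick the permission class of the *directory* that applies to the caller.
    if uid == dir_st.st_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif dir_st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    if dir_st.st_mode & need != need:
        return False
    # Sticky directory: only the file's owner or the directory's owner may remove.
    if dir_st.st_mode & stat.S_ISVTX:
        return uid in (file_st.st_uid, dir_st.st_uid)
    return True  # the file's own mode and owner are never consulted


def audit_htaccess(docroot, site_uid, site_gids):
    """Return .htaccess paths under docroot that site_uid could remove."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            if can_unlink(site_uid, site_gids, os.stat(dirpath), os.lstat(path)):
                hits.append(path)
    return hits


def demo():
    """Constructed case: a read-only file in a directory the caller owns."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".htaccess")
        with open(path, "w") as f:
            f.write("Options None\n")
        os.chmod(path, 0o444)
        predicted = audit_htaccess(d, os.getuid(), os.getgroups())
        os.unlink(path)  # succeeds: governed by the directory, not the file
        return predicted == [path] and not os.path.exists(path)
```

Run `audit_htaccess` as root against a site's docroot with the site user's uid and group ids; any path it returns needs the parent directory's ownership or mode changed, not the file's.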
