Once upon a time, Michael Stauber <[EMAIL PROTECTED]> said:
> > Since they own the directory (and have to, to create files), they can
> > remove any .htaccess file root creates.
>
> Actually: Who owns a directory doesn't affect the file permissions and file
> ownerships of anything within the directory.

Actually, you are wrong. It does affect who can create and remove files in
that directory.

> How would a user be able to delete the following file?
>
> rw-r--r-- 1 root root 404 Apr 23 07:17 .htaccess

If the user is allowed to create and remove files in that directory (which
you want them to be able to do, or else they can't upload a web site), they
can remove _any_ file in that directory, no matter who owns the file.

> Owned by root, permissions set to read only for all but user root and group
> root. The user can view the file, but that's it. If you put the file in the
> /web directory of the virtual site, then the user can't even delete the
> directory and recreate it due to the directory permissions.
>
> Answer: The user *cannot* delete or overwrite this file and that's it. Put in
> the proper options and he can't even use .htaccess files in his self-created
> subdirectories, as the top-level .htaccess always overrides settings of
> .htaccess files in a subdirectory.

Hint: try what you are saying. Create a new site, log in as root and create a
.htaccess file, then log in as a site admin and try to delete it. Then come
back here and report the results.

Also, I don't think what you are saying about .htaccess files in
subdirectories is true. The critical directive here is "AllowOverride", and
that is not allowed in a .htaccess file (so you can't take away the
permission to override things in a .htaccess file). I have had sites where
one .htaccess file takes away some access, but one in a subdirectory gives
some access back. It is tricky to configure (and keep track of), but it can
be done.

> FWIW: /etc/httpd/conf/access.conf has lots of interesting comments in there
> and with a little tweaking of the existing rules in there the entire problem
> is solved with ease.

But if you do that, you'll break other things (especially FrontPage).

> For instance: You can deny usage of any .htaccess files in all directories
> except those that you explicitly specify in /etc/httpd/conf/access.conf

I don't think so. You can control what is allowed in a .htaccess file on a
per-directory basis, but not whether .htaccess files are examined or not.

If you want to edit files in /etc/httpd/conf every time you need to change
the settings of a site, then why did you buy a RaQ anyway?

--
Chris Adams <[EMAIL PROTECTED]>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
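The permission rule the two posters are arguing about, as an added example that is not code from the thread or from the Cobalt RaQ itself: a small Python model of the POSIX unlink(2)/rmdir(2) access check. Removing a directory entry needs write and search permission on the parent directory; the target's own owner and mode bits are never consulted. The one caveat a practitioner should know, which the thread does not mention, is the sticky bit (mode 1000) on the parent directory, which additionally requires the caller to own either the entry or the directory. The uids, gids and modes are constructed to mirror the scenario discussed: a site directory owned by the site admin, with a root-owned, mode 0644 .htaccess inside it.

```python
"""Model of who may unlink() or rmdir() an entry under POSIX permission rules.

Added example for the cobalt-security thread above; not code from the list,
from Apache or from the RaQ. All uids, gids and modes below are constructed.
"""
import stat
from dataclasses import dataclass

ROOT_UID = 0


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int  # st_mode-style permission bits, may include stat.S_ISVTX (sticky)


@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int
    groups: frozenset = frozenset()  # supplementary groups

    def in_group(self, gid):
        return gid == self.gid or gid in self.groups


def has_perm(cred, node, other_bit):
    """Owner/group/other check for one of stat.S_IROTH / S_IWOTH / S_IXOTH.

    The 'other' bit is shifted up to the owner (<<6) or group (<<3) triplet
    depending on which class the caller falls into; root always passes.
    """
    if cred.uid == ROOT_UID:
        return True
    if cred.uid == node.uid:
        return bool(node.mode & (other_bit << 6))
    if cred.in_group(node.gid):
        return bool(node.mode & (other_bit << 3))
    return bool(node.mode & other_bit)


def can_unlink(cred, parent, target):
    """True if `cred` may remove entry `target` from directory `parent`.

    Only the parent directory's bits matter: write (to modify the directory)
    and search/execute (to resolve the name). If the parent carries the sticky
    bit, the caller must also own the target or the directory, or be root.
    """
    if cred.uid == ROOT_UID:
        return True
    if not (has_perm(cred, parent, stat.S_IWOTH)
            and has_perm(cred, parent, stat.S_IXOTH)):
        return False
    if parent.mode & stat.S_ISVTX:
        return cred.uid in (target.uid, parent.uid)
    return True


def raq_scenario():
    """Constructed scenario: site admin uid 1001 owns the site's web directory."""
    admin = Cred(uid=1001, gid=1001)
    site_dir = Inode(uid=0, gid=0, mode=0o755)        # parent of web/, root-owned
    web_dir = Inode(uid=1001, gid=1001, mode=0o755)   # the admin's web directory
    htaccess = Inode(uid=0, gid=0, mode=0o644)        # root-owned, read-only for admin
    sticky_web = Inode(uid=0, gid=1001, mode=0o1775)  # root-owned, group-writable, sticky
    admin_file = Inode(uid=1001, gid=1001, mode=0o644)
    return {
        # admin owns web/: write+search on the parent is all unlink needs
        "admin_rm_root_htaccess": can_unlink(admin, web_dir, htaccess),
        # admin has no write bit on site_dir, so cannot rmdir web/ and recreate it
        "admin_rmdir_web": can_unlink(admin, site_dir, web_dir),
        # sticky parent that admin does not own: root's file is protected
        "admin_rm_root_htaccess_sticky": can_unlink(admin, sticky_web, htaccess),
        # sticky parent, but admin owns the entry: allowed
        "admin_rm_own_file_sticky": can_unlink(admin, sticky_web, admin_file),
        # root is never blocked
        "root_rm_anything": can_unlink(Cred(0, 0), sticky_web, admin_file),
    }


if __name__ == "__main__":
    for case, allowed in raq_scenario().items():
        print(f"{case:32s} {'allowed' if allowed else 'denied'}")
```

The first two results are the point Chris makes: because the site admin owns the web directory, the root-owned .htaccess is removable, while the directory itself is not because its parent is root-owned. The sticky-bit cases show the one configuration in which a root-owned file survives inside a directory the user can write to; whether a RaQ's site directories can be set up that way without breaking uploads is not something the thread establishes.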
