On Wed, Nov 20, 2002 at 11:45:11PM -0500, Rodent of Unusual Size wrote:
> APACHE 1.3 STATUS: -*-text-*-
> Last modified at [$Date: 2002/10/31 05:57:52 $]
[...]
> RELEASE NON-SHOWSTOPPERS BUT WOULD BE REAL NICE TO WRAP THESE UP:
>
[...]
> * long pathnames with many components and no AllowOverride None
> Workaround is to define <Directory /> with AllowOverride None,
> which is something all sites should do in any case.
> Status: Marc was looking at it. (Will asks 'wasn't this patched?')
[...]

Is this a code problem or can the documentation be augmented instead?

<DirectoryMatch> uses full regexes, but can't be used to enable or
disable AllowOverride (.htaccess) since it is processed _after_
.htaccess files are processed.

But <Directory> has *, ?, and character class [] wildcards which
can be employed just as well in most cases. An example:

In my configuration, all public web-related files are nested in

  vhosts:   /pub/u/s/username/vhost.dom/
  userdirs: /pub/u/s/username/homepage/

(Usernames on this system must be at least two chars long
and must start with two lowercase alphas. Additionally, since
users do not have write privileges to the /pub/u/s/username/
directory, the following also limits the use of the expensive
SymlinksIfOwnerMatch to all user-controlled files.)

  <Directory />
    Options FollowSymLinks
    AllowOverride None
    deny from all
  </Directory>

  <Directory /pub/[a-z]/[a-z]/*/*>
    Options SymLinksIfOwnerMatch Indexes IncludesNoExec
    AllowOverride FileInfo AuthConfig Limit Indexes
    allow from all
  </Directory>

Another solution is to have a <Directory> block within each vhost that
allows access to the DocumentRoot of the vhost. And one for userdirs.

  <Directory />
    Options FollowSymLinks
    AllowOverride None
    deny from all
  </Directory>

  ## (for each vhost)
  <VirtualHost *>
    # ...
    DocumentRoot /my/document/root
    <Directory /my/document/root>
      Options FollowSymLinks Indexes IncludesNoExec
      AllowOverride FileInfo AuthConfig Limit Indexes
      allow from all
    </Directory>
  </VirtualHost>

  <Directory /home/*/public_html>
    Options FollowSymLinks Indexes IncludesNoExec
    AllowOverride FileInfo AuthConfig Limit Indexes
    allow from all
  </Directory>

And now a question about the code: why bother checking for .htaccess files
outside of valid DocumentRoots (or UserDirs)? If you need to set directives
above the document root, create a <Directory> block in httpd.conf.

Also for Apache 3.0, can AllowOverride None be the default?
It is a more secure default, besides providing better performance.

Cheers,
Glenn
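
The effect of the first configuration in the message above, as an added example that is not part of the original message or of Apache's code: a simplified Python model of the per-component directory walk, listing the directories in which a .htaccess file would be looked up for one request. It assumes that `*` does not match across `/`, that a `<Directory>` section applies at the path prefix with the same number of components, and that the AllowOverride default is All; the request paths are constructed.

```python
from fnmatch import fnmatchcase

# Constructed model of the first configuration in the message:
# (Directory pattern, True if AllowOverride is anything other than None)
SECTIONS = [
    ("/", False),
    ("/pub/[a-z]/[a-z]/*/*", True),
]


def components(path):
    """Split a path into its non-empty components."""
    return [c for c in path.split("/") if c]


def section_matches(pattern, prefix):
    """Component-wise wildcard match, so '*' never crosses a '/'."""
    pat, dirs = components(pattern), components(prefix)
    return len(pat) == len(dirs) and all(
        fnmatchcase(d, p) for d, p in zip(dirs, pat)
    )


def htaccess_probes(path, sections=SECTIONS, default_override=True):
    """Return the .htaccess paths consulted while walking down to `path`.

    Assumption: overrides stay as set by the last matching section until a
    deeper section changes them (a simplification of the real merge).
    """
    dirs = components(path)[:-1]          # drop the file name
    override = default_override           # assumed default: AllowOverride All
    probes = []
    for depth in range(len(dirs) + 1):    # depth 0 is the root directory
        prefix = "/" + "/".join(dirs[:depth])
        for pattern, allow in sections:
            if section_matches(pattern, prefix):
                override = allow
        if override:
            probes.append(prefix.rstrip("/") + "/.htaccess")
    return probes


if __name__ == "__main__":
    req = "/pub/u/s/username/vhost.dom/docs/a/index.html"   # constructed path
    print("with <Directory /> AllowOverride None:", htaccess_probes(req))
    print("with no <Directory> sections:", htaccess_probes(req, sections=[]))
```

With the two sections in place, lookups start only at the vhost or userdir level that users can write to; with no sections, every component from `/` downward is probed, which is the long-pathname cost the STATUS item refers to.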