On Sat, Sep 28, 2013 at 12:21 PM Tim Bannister <[email protected]> wrote:
>
> On 28 Sep 2013, at 14:19, Eric Covener <[email protected]> wrote:
>
> > I've come back to this because I've struggled in another area with
> > access_checker vs. access_checker_ex. I really think we need basic access
> > control outside of Require and Satisfy.
> >
> > I have a copy of the "Forbidden" directive in mod_authz_core and I am
> > currently allowing ON/OFF flags.
> >
> > * using a new directive means someone won't casually add "forbidden OFF"
> > when they think they're turning on more access control with Require
> > * we can document that "forbidden OFF" is extreme from the start.
> >
> > I am on the fence about having an argument at all. My fear is that it will
> > evolve into a misguided FAQ of 'try forbidden OFF if you get a 403' then
> > we're right back to
> >
> > <Files .ht*>
> > Forbidden
> > </Files>
> >
> > ...
> >
> > <Location />
> > ...
> > Require ldap-group cn=foo
> > Forbidden OFF
> > </Location>
>
> The second time in a few days, I'm going to suggest adding an optional
> parameter to a directive.
>
> Taking a leaf out of cascading stylesheets, how about “Forbidden On
> Level=Important” and perhaps “Forbidden On Level=Indelible”?
>
> (the idea being that the “Indelible” level can't be removed).
>
>
> This lets distributions ship a fairly safe default configuration but gives
> users enough scope to hang themselves. With this, “forbidden OFF” isn't so
> risky and “Forbidden Off Level=Important” can carry a health warning (and
> perhaps an ErrorLog warning as well).
>
>
> Too complex or worth having? What do people think? If there's appetite for it
> then I will have a go at providing a patch.
Bumping a very old thread. tl;dr people are often surprised that when
Location sections have access control directives and overlap with the
filesystem it undoes the default
<Files ".ht*">
Require all denied
</Files>
What do currently active people think of the original basic "Forbid"
or the one with tags/levels?
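As an added illustration (not configuration from this thread), the surprise Eric describes comes from httpd 2.4's merge order: `<Directory>` sections are merged first, then `<Files>`, then `<Location>`, and with the default `AuthMerging Off` the last section that carries authorization directives replaces the earlier ones rather than combining with them. The hostnames, paths and LDAP DNs below are placeholders; the same effect can be reproduced with any provider, not just `ldap-group`.

```apacheconf
# Added example, not from the thread. Assumes mod_authz_core, mod_auth_basic,
# mod_ldap and mod_authnz_ldap are loaded; ldap.example.com and the DNs are
# placeholders.

# The default protection shipped in httpd.conf:
<Files ".ht*">
    Require all denied
</Files>

# --- WEAK (shown commented out): a <Location> that overlaps the filesystem.
# --- <Location> is merged after <Files>, and its Require block replaces the
# --- one above, so a request for /.htaccess is now allowed to anyone in
# --- cn=foo. This is the behaviour the thread is discussing.
#<Location />
#    AuthType Basic
#    AuthName "Restricted"
#    AuthBasicProvider ldap
#    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid"
#    Require ldap-group cn=foo,ou=Groups,dc=example,dc=com
#</Location>

# --- Alternative 1: express the access control in <Directory>. It is
# --- merged BEFORE <Files>, so the ".ht*" denial still wins for those files.
<Directory "/var/www/html">
    AuthType Basic
    AuthName "Restricted"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid"
    Require ldap-group cn=foo,ou=Groups,dc=example,dc=com
</Directory>

# --- Alternative 2: if <Location> must be used, AND its authorization with
# --- the preceding sections instead of replacing them. For ".ht*" this yields
# --- "all denied AND ldap-group", i.e. still denied.
#<Location />
#    AuthMerging And
#    AuthType Basic
#    AuthName "Restricted"
#    AuthBasicProvider ldap
#    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid"
#    Require ldap-group cn=foo,ou=Groups,dc=example,dc=com
#</Location>

# --- Alternative 3: re-assert the denial in a <LocationMatch> placed after
# --- the <Location />, so it is the last section merged for those URLs.
#<LocationMatch "/\.ht">
#    Require all denied
#</LocationMatch>
```

A quick way to verify any of these on a test instance is to request `/.htaccess` with valid credentials and confirm a 403 rather than 200; with the weak block active the 403 disappears even though the `<Files ".ht*">` section is still present in the configuration.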