Hi Joshua,
>> In the TODO file better organization / more content is wanted for the
>> security documentation and since i now (finally) got some time left
>> over this weekend i thought i would update the doc with more info.
>>
>> any ideas/recommendations of what to write about?
> Personally, I'm stumped about what to do with that doc, or I would
> have taken a stab at it myself.
> The problem is that "security" means so many things (authentication/
> authorization/access control/ssl/tls/filesystem permissions/properly
> audited cgi/ssi/etc/etc/etc).
> Perhaps the best we can do is have a listing of some "best practices"
> that we recommend to users.
given this list, I make a weak attempt to classify these cases
so that they might be handled in separate chapters.
To do so, I am trying to write "scenarios" about who is trying
to protect what against whom:
---------------------------------------------------------------
Scenario 1: Server wants to control which clients access some
protected files.
Topics: Authentication (of all kind), Directory Browsing,
ScriptAlias, .htaccess, ErrorDocument, ...
---------------------------------------------------------------
Scenario 2: Clients wants to prevent attacker to overhear data
transferred to the server. (May need to be divided
into HTTP and non-HTTP communication sections.)
Topics: Encryption (SSL etc., AuthType Basic, ...).
---------------------------------------------------------------
Scenario 3: ServerAdmin wants to prevent webspace user to access
privileged ressources.
Topics: CGI auditing, suexec, chroot, userid of httpd,
AllowOverride etc.
---------------------------------------------------------------
Scenario 4: Webspace user wants to prevent other webspace users
to access his/her files.
Topics: File system permissions, userid of CGI execution,
clever password selection (outguessing FTP access)
---------------------------------------------------------------
None of this may be complete, I only want to suggest is as a
method of categorizing.
Of course these categories may not even be fully disjoint
(especially Scenario 3 and 4 may well overlap each other).
Regards, Michael
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
