On Sat, Dec 13, 2008 at 6:41 AM, Eric Covener wrote:
> It seems like the introductory text in the security tips section is
> okay, but the example chosen to illustrate the "normal URL mapping
> rules" is unfortunately chosen.(symlink) to illustrate the "default
> to no access" directory container.
>
> --
> Eric Covener
The problems in the section become worse if symlinks have nothing to do with the behavior claimed. AFAIK, without symlinks, there is no "normal URL mapping rule" that lets you escape DocumentRoot. Well, there are Aliases, but those are an explicit inclusion by the webmaster of another file into the directory structure, anyway.

Come to think of it, if symlinks have nothing to do with it, then the introductory text is in fact flat-out wrong. Apache doesn't have a feature of default access: you have to enable access explicitly with Alias and DocumentRoot commands. And it seems to me that the only case in which

    <Directory />
        Deny from all
    </Directory>

changes anything at all is when someone Aliases or DocumentRoots a folder, but then forgets to add a

    <Directory myfolder>
        Allow from all
    </Directory>

section. But presumably they wanted it to be seen, so they would have added that directive in short order anyway.

Maybe it's a useful Security Tip that you can deny access to a file or directory that's otherwise within your DocumentRoot with the Deny from all directive. I don't know. But there should never be any reason to put a Deny from all directive on a superfolder of your DocumentRoot, because presumably either (a) it belongs on the DocumentRoot directly, because you're doing Something Weird, or (b) you'll just invalidate it later with an Allow from all directive on your DocumentRoot.

--
Chris
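An added configuration example, written for this page and not taken from the thread or from the httpd Security Tips document, showing the three situations Chris discusses side by side: the filesystem-root default deny, the explicit opt-in for DocumentRoot, and an Alias whose own <Directory> block was forgotten. All paths are assumed, and the directives use the httpd 2.2 mod_authz_host syntax (Order/Deny/Allow) that the thread is talking about.

```apache
# Added example (not from the thread): default-deny at the filesystem root,
# then explicit opt-in only for directories the server is meant to serve.
# Paths below are assumptions for illustration.

DocumentRoot "/srv/www/htdocs"

# (1) Deny everything on the filesystem. On its own this changes nothing,
#     because nothing outside DocumentRoot/Alias targets is mapped anyway.
<Directory />
    Options None
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>

# (2) Opt the DocumentRoot back in. Without this block, every request
#     would get 403 because of (1).
<Directory "/srv/www/htdocs">
    Order Allow,Deny
    Allow from all
</Directory>

# (3) An Alias that maps a directory outside DocumentRoot into URL space.
#     The matching <Directory> block is commented out: this is the one
#     case in which (1) actually changes behaviour, because requests to
#     /reports/... now get 403 until the block is uncommented.
Alias /reports "/srv/reports"
# <Directory "/srv/reports">
#     Order Allow,Deny
#     Allow from all
# </Directory>

# Denying a subdirectory that sits inside DocumentRoot. This works without
# (1), which is the "useful Security Tip" Chris suggests might remain.
<Directory "/srv/www/htdocs/private">
    Order Deny,Allow
    Deny from all
</Directory>
```

On httpd 2.4 the same pattern is written with mod_authz_core (`Require all denied` / `Require all granted`) rather than Order/Deny/Allow; the mapping logic the example illustrates is unchanged.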
