httpd-users mailing list archives

From Chris Johnson <john...@nmr.mgh.harvard.edu>
Subject [users@httpd] Configuration access restriction to public_html.
Date Wed, 03 Aug 2005 15:25:32 GMT
     Hey all,

     We need to prevent users with URLs of the ~<user> variety from
doing PHP or other things which execute arbitrary code.  But (there's
always a but), at the same time we need to allow it for URLs not of
that type, i.e. all other references.  There's the following snippet
from httpd.conf which we modified a tad:

#
# Control access to UserDir directories.  The following is an example
# for a site where these directories are restricted to read-only.
#
<Directory "/homes/*/*/public_html">
#    AllowOverride FileInfo AuthConfig Limit
    AllowOverride AuthConfig Limit
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec

    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS PROPFIND>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

The object is to prevent an AddType in a user's .htaccess from
allowing said user to do PHP or whatever.

     The good news is it seems to work.  Now, I've lost track of the number
of times I've read the on-line run time configuration directives
documentation, including Limit and LimitExcept.  I've used them for
years.  I'm a little annoyed at finding the above a bit convoluted.  As I
understood it, the GET, POST, OPTIONS and PROPFIND methods were
already, by default, allowed.

     So first question.  Is that first Limit section necessary?

     Second question.  What is it about that second section, i.e. the
LimitExcept, that disallows PHP?

     And last.  Is there another/better way to do this?

     Thank you.

-------------------------------------------------------------------------------
Chris Johnson               |Internet: johnson@nmr.mgh.harvard.edu
Systems Administrator       |Web:      http://www.nmr.mgh.harvard.edu/~johnson
NMR Center                  |Voice:    617.726.0949
Mass. General Hospital      |FAX:      617.726.7422
149 (2301) 13th Street      |I'm continually amazed by mankind's seemingly
Charlestown, MA., 02129 USA |infinite capacity for stupidity.    Me
-------------------------------------------------------------------------------
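Whether a user's .htaccess can add handlers or types is governed by AllowOverride (AddType, AddHandler and SetHandler all fall under the FileInfo override), so that directive, together with Options, is what to review when auditing UserDir blocks like the one above. The checker below is an added example, not Apache project code; the sample httpd.conf it scans is constructed, with one weak block and one hardened block.

```python
"""Audit httpd.conf <Directory> blocks covering user public_html directories.

Added example (not Apache project code). AllowOverride FileInfo (or All) lets
.htaccess use AddType/AddHandler/SetHandler; Options ExecCGI, Includes or All
permit CGI or unrestricted SSI execution. SAMPLE_CONF is constructed.
"""
import re

SAMPLE_CONF = """
<Directory "/homes/*/*/public_html">
    AllowOverride FileInfo AuthConfig Limit
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec ExecCGI
</Directory>
<Directory "/srv/users/*/public_html">
    AllowOverride AuthConfig Limit
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
</Directory>
"""

RISKY_OVERRIDES = {"all", "fileinfo", "options"}
RISKY_OPTIONS = {"all", "execcgi", "includes"}
_BLOCK = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)


def _args(block: str, directive: str) -> set[str]:
    """Lowercased arguments of every uncommented `directive` line in the block.
    A '-Foo' argument removes an option, so it is never a finding."""
    found = set()
    for line in block.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#") and parts[0].lower() == directive.lower():
            found.update(p.lstrip("+").lower() for p in parts[1:] if not p.startswith("-"))
    return found


def audit(conf: str, path_hint: str = "public_html") -> dict[str, list[str]]:
    """Map each matching <Directory> path to its list of findings (empty = clean)."""
    report = {}
    for path, body in _BLOCK.findall(conf):
        if path_hint not in path:
            continue
        problems = []
        if bad := _args(body, "AllowOverride") & RISKY_OVERRIDES:
            problems.append(f"AllowOverride {sorted(bad)}: .htaccess may AddType/SetHandler")
        if bad := _args(body, "Options") & RISKY_OPTIONS:
            problems.append(f"Options {sorted(bad)}: server-side execution enabled")
        report[path] = problems
    return report


if __name__ == "__main__":
    for path, problems in audit(SAMPLE_CONF).items():
        print(path, "->", problems or ["ok"])
```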


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.

