On Wed, 25 Jun 2003, Glenn wrote:
> On Tue, Jun 24, 2003 at 08:08:22PM -0400, Joshua Slive wrote:
> > > - Changes defaults to disallow access to files unless explicitly allowed.
> >
> > Although this is, in general, a good idea, I think it would cause many
> > people to be confused.  I don't think it is a good idea to change it this
> > late in the 1.3 series (even if it is only the default config file).
>
> The default document root and example for homedirs both already contain
>   order allow,deny
>   allow from all
> Anyone copying those examples would copy the "allow from all", too.

The problem is people using Aliases (or whatever) to access other parts of
the filesystem.

As I said, I think the change is good, but it is a little too big to shove
into 1.3, which we are trying to keep very stable.

> > > - On unix httpd-conf-dist, does not allow Emacs autosave or temporary files
> > >   to be served (along with not allowing .ht* files).  Emacs keeps the same

> > I'm fine with the example, but I don't like enabling that by default.  It
> > will cause too much confusion for too little gain.  (It is an ugly-looking
> > regex and will inevitably hit some people who don't expect it.)
>
> Should it be changed to <FilesMatch>?

Yes.

> I think it prudent to have it.  As an example: if you edit your PHP file
> in Emacs, then someone can download the code of the backup file in

I'm sure it is prudent in that circumstance.  (It is even more prudent not
to edit your files on the live site.)  My concern is two-fold:

1. To the average user, it will look like a bunch of undecipherable
gobbledygook.  That's bad to start with.  But it is even worse because
there are certainly some people who DO want to serve files ending in .bak,
.old, etc.  They will get a message "file denied by server configuration",
and will need to go line-by-line through the config file to figure out
what went wrong.

2. There are many other types of files that probably shouldn't be served.
Are we going to keep adding to this list?  Aren't we providing a false
sense of security by hitting only a few?  Only the local administrator
knows the appropriate list for his/her site.  So an example is good, but an
enabled restriction is not.

> Rather than rehashing the thread about default config files, how about
> httpd.conf-compat?  Or a comment at the top of httpd.conf-dist that says
> "These defaults are aimed at compatibility with previous releases.
> Look for commented sections with more secure, recommended defaults."?

I don't think that statement is true.  The default config is a balance
between most-secure, most-functional, and least-likely-to-surprise.  It's
simply my opinion that two of your changes don't make the appropriate
balance.

Joshua.
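
For readers who want to see the directives being argued over, here is an added example in Apache 1.3 syntax; it is not from the thread or from the httpd.conf-dist patch under review. It assumes the file set the thread names (.ht* files, Emacs backup and autosave files, .bak/.old copies) and follows Joshua's preference of shipping the editor-leftover block commented out.

```apache
# Already in the stock config: never serve .htaccess / .htpasswd and friends.
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>

# Added example (assumed pattern set, not from the patch): editor leftovers that
# expose source when a script is edited in place on the live tree.
#   name~      Emacs backup copy
#   #name#     Emacs autosave file
#   name.bak   / name.old   common manual copies
# Left commented out, as a site that deliberately serves .bak or .old files
# would otherwise see a 403 and have to hunt for this block in the config.
#<FilesMatch "(~|^#.*#|\.(bak|old))$">
#    Order allow,deny
#    Deny from all
#</FilesMatch>
```

A request blocked by either block gets a 403 and a "client denied by server configuration" entry in the error log, which is the place to look when a file unexpectedly stops being served after the second block is enabled.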
