On 28.09.2013 18:21, Tim Bannister wrote:
> On 28 Sep 2013, at 14:19, Eric Covener <cove...@gmail.com> wrote:
> 
>> I've come back to this because I've struggled in another area with 
>> access_checker vs. access_checker_ex.  I really think we need basic access 
>> control outside of Require and Satisfy.
>>
>> I have a copy of the "Forbidden" directive in mod_authz_core and I am 
>> currently allowing ON/OFF flags.
>>
>> * using a new directive means someone won't casually add "forbidden OFF" 
>> when they think they're turning on more access control with Require
>> * we can document that "forbidden OFF" is extreme from the start.
>>
>> I am on the fence about having an argument at all.  My fear is that it will 
>> evolve into a misguided FAQ of 'try forbidden OFF if you get a 403' then 
>> we're right back to
>>
>> <Files .ht*>
>> Forbidden
>> </Files>
>>
>> ...
>>
>> <Location />
>> ...
>> Require ldap-group cn=foo
>> Forbidden OFF
>> </location>
> 
> The second time in a few days, I'm going to suggest adding an optional 
> parameter to a directive. 
> 
> Taking a leaf out of cascading stylesheets, how about “Forbidden On 
> Level=Important” and perhaps “Forbidden On Level=Indelible”?
> 
> (the idea being that the “Indelible” level can't be removed).
> 
> 
> This lets distributions ship a fairly safe default configuration but gives 
> users enough scope to hang themselves. With this, “forbidden OFF” isn't so 
> risky and “Forbidden Off Level=Important” can carry a health warning (and 
> perhaps an ErrorLog warning as well).
> 
> Too complex or worth having?

too complex and dangerous

nobody is able to say what is effective in whatever directory in case
of a lot of .conf-files including vhost-snippets which *all*
may contain <Directory>-directives

now you can say the last one wins and if needed name files with prefixes

with your proposal in production environments nobody knows what the state
of play is because you have distribution-snippets from the httpd package
*and* web-app-packages too and they may contain any variant; even if
you say 100 times they must not ship it that way it does not help
the enduser who configures settings that never get active while
thinking he overrides

no - I want and need to be sure that if I create a zzzzz-my-overrides.conf
and include it at the end of httpd.conf it does what I expect
