Marc Slemko wrote:
>
> On Fri, 24 Apr 1998, Adam Laurie wrote:
>
> > As a slight side-issue, for best security, I would recommend you change
> > this to be in the apache config instead of an external file (if you've
> > only done that for testing, then please feel free to tell me to go teach
> > my grandma... :). Put something like this in your virtual host
> > definition:
>
> I don't really know that that is necessary. There is no inherent security
> problem with using htaccess files as long as you control who they are
> writable by properly and control who can read them.
The two inherent problems are:
1. That it's much easier for the external file to be accidentally
removed, overwritten, etc. than it would be in the config. This is
particularly true when you're dealing with large/complex websites with
multiple developers uploading to the site. I'm not talking about making
it more secure against deliberate attack, but accidental exposure.
2. If you have an external file in the web tree, it can be read by the
remote browser. I have seen this lead to the reading of the password
file because of the exposure of its precise location, and thence to the
cracking of the site. (It was possible to legitimately obtain temporary
access, then read the file to crack some passwords and get permanent
access).
>
> >
> > <Directory /usr/local/apache/webdocs>
> > AllowOverride none
> > AuthUserFile /usr/local/apache/clientcerts
> > AuthGroupFile /usr/local/apache/clientgroups
> > AuthType Basic
> > AuthName Testing Client Auth
> > <Limit GET>
> > require group joe
> > </Limit>
> > </Directory>
>
> If you care about security, I would suggest you drop the silly "Limit GET"
> so you limit all requests.
Indeed.
cheers,
Adam
--
Adam Laurie Tel: +44 (181) 742 0755
A.L. Digital Ltd. Fax: +44 (181) 742 5995
Voysey House
Barley Mow Passage http://www.aldigital.co.uk
London W4 4GB mailto:adam@algroup.co.uk
UNITED KINGDOM PGP key on keyservers
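As an added example (not part of the thread, and not Apache's or A.L. Digital's code), here is a small Python audit of a `<Directory>` block that flags the three points raised above: `AllowOverride` left open, an `AuthUserFile`/`AuthGroupFile` placed under the protected directory where a browser can fetch it, and a `require` wrapped in `<Limit ...>` so that only the listed methods are protected. The sample configs are constructed from the quoted fragment; the paths and the `.htpasswd` filename are assumptions, and the check only handles absolute paths (Apache resolves relative ones against ServerRoot).

```python
import os
import re

# Constructed sample: the quoted vhost fragment with the weak points the
# thread discusses (password file inside the web tree, require scoped by
# <Limit GET>) plus AllowOverride left open. Paths are assumptions.
WEAK_CONFIG = """\
<Directory /usr/local/apache/webdocs>
AllowOverride All
AuthUserFile /usr/local/apache/webdocs/.htpasswd
AuthGroupFile /usr/local/apache/clientgroups
AuthType Basic
AuthName Testing Client Auth
<Limit GET>
require group joe
</Limit>
</Directory>
"""

# Constructed hardened form: files outside the web tree, no .htaccess
# override, and require applied to every request method.
FIXED_CONFIG = """\
<Directory /usr/local/apache/webdocs>
AllowOverride None
AuthUserFile /usr/local/apache/clientcerts
AuthGroupFile /usr/local/apache/clientgroups
AuthType Basic
AuthName "Testing Client Auth"
require group joe
</Directory>
"""

def audit_directory_block(config):
    """Return a list of findings (strings) for one <Directory> block."""
    findings = []
    m = re.search(r"<Directory\s+(\S+)>", config)
    docroot = os.path.normpath(m.group(1)) if m else None
    in_limit = None  # the enclosing <Limit ...> line, if any
    for raw in config.splitlines():
        parts = raw.strip().split(maxsplit=1)
        key = parts[0].lower() if parts else ""
        arg = parts[1] if len(parts) > 1 else ""
        if key == "allowoverride" and arg.lower() != "none":
            findings.append("AllowOverride is not None")
        # Credential file under the protected directory: the browser can
        # request it directly once its location is known.
        if key in ("authuserfile", "authgroupfile") and docroot and arg.startswith("/"):
            path = os.path.normpath(arg)
            if os.path.commonpath([docroot, path]) == docroot:
                findings.append(f"{parts[0]} {arg} is inside {docroot}")
        if key == "<limit":
            in_limit = raw.strip()
        elif key == "</limit>":
            in_limit = None
        elif key == "require" and in_limit:
            # Only the listed methods are protected (Apache groups HEAD
            # with GET); POST and the rest pass without authentication.
            findings.append(f"require is scoped by {in_limit}; other methods are unrestricted")
    return findings
```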