Next: Where to configure
Up: The Access Configuration
Previous: Restricting Users
Two other configuration settings can also be specified on a per-directory basis: Options and AllowOverride.
<Directory /www/htdocs/people/secure>
Options Indexes ExecCGI
AllowOverride Limit AuthConfig
<Limit GET>
allow from all
</Limit>
</Directory>
Options can specify None, All, or a combination of Indexes, Includes, IncludesNoExec, FollowSymLinks, SymLinksIfOwnerMatch and ExecCGI. The meanings of these are:
- Indexes: specifies that if no default index is available for the directory, the server should list the files in the directory. If the directory contains work in progress or files you don't want the user to see until the appropriate time, either add an index file, or don't specify Indexes.
- Includes: specifies that server side include files are enabled in this directory. Server Side Includes are a method by which the NCSA server parses the HTML document being returned and then includes information from other files, or executes commands to produce data to be included in the document to be returned. Although this is a powerful feature, it can be a security risk in untrusted directories. It is not described in detail here.
- IncludesNoExec: allows server side includes, but disables the exec feature. This allows other documents to be included by the server into the document to be returned, but doesn't allow arbitrary shell or CGI scripts to be run. This reduces the security risk of server side includes somewhat.
- FollowSymLinks: specifies that symbolic links in this directory can be followed. If this directory is one in which untrusted users can create files, then specifying FollowSymLinks is a security risk.
- SymLinksIfOwnerMatch: specifies that symbolic links in this directory can be followed only if the target has the same owner as the link.
- ExecCGI: specifies that execution of CGI scripts is allowed in this directory.
AllowOverride can be set to None, All, or any combination of Options, FileInfo, AuthConfig, and Limit.
It is advisable to keep access control functionality in one place, namely the access.conf file. However, if you want untrusted users to be able to write their own HTML files, you may also want them to be able to specify access control for their files. Allowing such users access to your access.conf file is extremely inadvisable, so you can instead let them set up their own .htaccess files. However, allowing untrusted users to override your security setup from their own .htaccess file is also inadvisable, as, for instance, they could put in symbolic links to otherwise protected parts of the filestore, which could then be followed by the server. If possible, it is advisable to set AllowOverride to None.
- Options: specifies that the .htaccess file can override the Options as specified in access.conf.
- FileInfo: specifies that the .htaccess file can use the AddType and AddEncoding directives (as in srm.conf) to add new MIME content types.
- AuthConfig: specifies that the .htaccess file can use the AuthName, AuthType, AuthUserFile and AuthGroupFile directives to set up user password authorisation.
- Limit: specifies that the .htaccess file can override who can access the directory.
If no AllowOverride directive is given for a directory or any of its parents, HTTPD assumes AllowOverride All.
Note that the access.conf file applies to a directory subtree, whereas .htaccess files need not override the whole subtree.
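The following audit script is an added example, not part of the original document or of the NCSA HTTPD distribution. It parses the <Directory> blocks of a constructed access.conf fragment and reports the settings this section warns about: Options that permit code execution or symbolic-link following, and AllowOverride values other than None (including a missing directive, which HTTPD treats as All).

```python
# Added example: audit per-directory Options and AllowOverride settings in an
# NCSA-style access.conf. The sample configuration below is constructed.
import re

SAMPLE_ACCESS_CONF = """\
<Directory /www/htdocs/people/secure>
Options Indexes ExecCGI
AllowOverride Limit AuthConfig
<Limit GET>
allow from all
</Limit>
</Directory>
<Directory /www/htdocs/people/untrusted>
Options Includes FollowSymLinks
</Directory>
"""

# Options that let directory owners run code or reach outside the tree.
RISKY_OPTIONS = {"Includes", "FollowSymLinks", "ExecCGI"}


def parse_directory_blocks(text):
    """Return {path: {"Options": [...], "AllowOverride": [...] or None}}."""
    blocks = {}
    for m in re.finditer(r"<Directory\s+(\S+)>(.*?)</Directory>", text, re.S):
        path, body = m.group(1), m.group(2)
        settings = {"Options": [], "AllowOverride": None}
        for line in body.splitlines():
            parts = line.split()
            if parts and parts[0] in settings:
                settings[parts[0]] = parts[1:]
        blocks[path] = settings
    return blocks


def audit(text):
    """Return (path, finding) pairs for settings an administrator should review."""
    findings = []
    for path, s in parse_directory_blocks(text).items():
        for opt in s["Options"]:
            if opt in RISKY_OPTIONS or opt == "All":
                findings.append((path, f"Options {opt}"))
        if s["AllowOverride"] is None:
            # Absent here (and in any parent), HTTPD assumes AllowOverride All.
            findings.append((path, "AllowOverride missing (defaults to All)"))
        elif s["AllowOverride"] != ["None"]:
            findings.append((path, "AllowOverride " + " ".join(s["AllowOverride"])))
    return findings
```

Running `audit(SAMPLE_ACCESS_CONF)` flags ExecCGI and the non-None AllowOverride on the first directory, and Includes, FollowSymLinks and the missing AllowOverride on the second.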
Jon Crowcroft
Wed May 10 11:46:29 BST 1995