More detailed access control

Two other configuration settings can also be specified on a per directory basis: `` Options'' and `` AllowOverride''.

<Directory /www/htdocs/people/secure>
Options Indexes ExecCGI
AllowOverride Limit AuthConfig
<Limit GET>
</Limit>
allow from all
</Directory>

Options can specify `` None'', `` All'', or a combination of `` Indexes'', `` Includes'', `` IncludesNoExec'', `` FollowSymLinks'', `` SymLinksIfOwnerMatch'' and `` ExecCGI''. The meanings of these are:

Indexes

specifies that if no default index is available for the directory, the server should list the files in the directory. If the directory contains work in progress or files you don't want the user to see until the appropriate time, either add an index file, or don't specify Indexes

Includes

specifies that server side include files are enabled in this directory. Server Side Includes are a method by which the NCSA server parses the HTML document being returned and then includes information from other files, or executes commands to produce data to be included in the document to be returned. Although this is a powerful feature, it can be a security risk in untrusted directories. It is not described in detail here.

IncludesNoExec

allows server side includes, but disables the exec feature. This allows other documents to be included by the server into the document to be returned, but doesn't allow arbitrary shell or CGI scripts to be run. This reduces the security risk of server side includes somewhat.

FollowSymLinks

specifies that symbolic links in this directory can be followed. If this directory is one in which untrusted users can create files, then specifying FollowSymLinks is a security risk.

SymLinksIfOwnerMatch

specifies that symbolic links in this directory can be followed if the target directory has the same owner as the link.

ExecCGI

specifies that execution of CGI scripts is allowed in this directory.

`` AllowOverride'' can be set to `` None'', `` All'', or any combination of `` Options'', `` FileInfo'', `` AuthConfig'', and `` Limit''

It is advisable to keep access control functionality in one place - namely the `` access.conf'' file. However, if you want untrusted users to be able to write their own HTML files, you may also want them to be able to specify access control to their files. Allowing such users access to your `` access.conf'' file is extremely inadvisable, so you can let such users set up their own `` .htaccess'' files. However, allowing untrusted users to override your security setup from their own `` .htaccess'' file is also inadvisable, as, for instance, they could put in symbolic links to otherwise protected parts of the filestore, which could then be followed by the server. If possible, it is advisable to set AllowOverride to None.

Options

specifies that the `` .htaccess'' file can override the Options as specified in `` access.conf''.

FileInfo

specifies that the .htaccess file can use the AddType and AddEncoding directives (as in `` srm.conf'') to add new MIME content types.

AuthConfig

specifies that the .htaccess file can use the AuthName, AuthType, AuthUserFile and AuthGroupFile directives to set user password authorisation.

Limit

specifies that the `` .htaccess'' file can override who can access the directory.

Note that the access.conf file applies to a directory subtree, whereas .htaccess files need not override the whole subtree.