[Boa-devel] patch against boa-0.94.14rc16: more detailed access control
From: tok <ok...@ma...> - 2003-05-07 04:14:20
hi all,

let me start by thanking all boa devs for their work. though i was unhappy with the level of access control, so here is a patch to allow something like this in a boa.conf:

    Deny /var/www/cgi-bin/shutdown.cgi
    Allow /var/www/cgi-bin/shutdown.cgi 192.168.1.0/24
    Allow /var/www/cgi-bin/shutdown.cgi 127.0.0.1

    Deny phpmyadmin/*
    Allow phpmyadmin/* 192.168.1.0/24
    Allow phpmyadmin/* 127.0.0.1

    Deny local/*
    Allow local/* 192.168.1.0/24
    Allow local/* 127.0.0.1

the first line of each block looks like the old way, but for now all non-absolute paths are prefixed with document root while reading the config. this imo allows much cleaner config files, but requires some more thought to work with vhost. i am not entirely happy with this, but haven't found a better idea. furthermore i'm not sure if "fnmatch" is a good way to do the check, as i don't see how wildcards like "*.pm" w/o any specific (script) dir could ever work.

the optional second param may be single ip or range in above format.

after rewriting my first try (which seemed a more elegant implementation but segfaulted most of the time) and tweaking it a bit after some more thought:

it does not seem to kill boa on instant,
it does seem to do something like i want it to,
it could use a better way of specifying the path/regexp.

in the end, i wouldn't trust sensitive data to this code (so far).

i would appreciate feedback if anyone finds use for this. this might be a little off your goals with boa, but now can replace apache and lighten the load of my old box ;-)

thanks again,
tok
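
The rule check described in the message, as an added example that is not part of the original post or of the patch: it evaluates Deny/Allow rules with fnmatch and an IPv4 range test, and takes the fnmatch flags as a parameter to show how they change what "*.pm" and "phpmyadmin/*" cover. Assumptions: a matching Deny blocks a path unless a matching Allow covers the client address, the document root is /var/www, and the rules and requests are constructed samples.

```c
/* Added example, not the patch's code; semantics, /var/www root and rules are assumed. */
#include <arpa/inet.h>
#include <fnmatch.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
struct rule { int allow; const char *pattern; const char *net; }; /* net NULL: any client */
/* Constructed rules; relative patterns are already prefixed with the document root. */
static const struct rule sample_rules[] = {
    {0, "/var/www/cgi-bin/shutdown.cgi", NULL},
    {1, "/var/www/cgi-bin/shutdown.cgi", "192.168.1.0/24"},
    {0, "/var/www/phpmyadmin/*", NULL},
    {1, "/var/www/phpmyadmin/*", "127.0.0.1"},
    {0, "/var/www/*.pm", NULL},
};
#define N_RULES (sizeof sample_rules / sizeof sample_rules[0])
/* Return 1 if IPv4 address ip lies inside net ("a.b.c.d" or "a.b.c.d/len"), else 0. */
static int ip_in_net(const char *ip, const char *net)
{
    char buf[32], *slash, *end;
    struct in_addr a, n;
    long bits = 32;
    if (net == NULL) return 1;
    if (snprintf(buf, sizeof buf, "%s", net) >= (int)sizeof buf) return 0;
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        bits = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || bits < 0 || bits > 32) return 0;
    }
    if (inet_pton(AF_INET, ip, &a) != 1 || inet_pton(AF_INET, buf, &n) != 1) return 0;
    uint32_t mask = bits ? 0xFFFFFFFFu << (32 - bits) : 0; /* shifting by 32 is undefined */
    return ((ntohl(a.s_addr) ^ ntohl(n.s_addr)) & mask) == 0;
}
/* Assumed semantics: a matching Deny blocks unless a matching Allow covers the client. */
static int access_ok(const char *path, const char *ip, int fnm_flags)
{
    int denied = 0;
    for (size_t i = 0; i < N_RULES; i++) {
        if (fnmatch(sample_rules[i].pattern, path, fnm_flags) != 0) continue;
        if (!sample_rules[i].allow) denied = 1;
        else if (ip_in_net(ip, sample_rules[i].net)) return 1;
    }
    return !denied;
}
int main(void)
{
    printf("%d %d\n", access_ok("/var/www/lib/Foo.pm", "10.0.0.5", 0),
           access_ok("/var/www/lib/Foo.pm", "10.0.0.5", FNM_PATHNAME));
}
```

With flags 0 the `*` also matches `/`, so the prefixed `*.pm` rule applies at any depth below the document root; with FNM_PATHNAME it applies only to files directly in the document root, and `phpmyadmin/*` stops covering subdirectories.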