Re: [mod-security-users] mod_security in .htaccess files opinions?
From: Security <sec...@ez...> - 2004-09-27 18:54:11
I personally have found that anyone who had permission to change mod_security
settings has root level access and can already change the main config file
anyway. I also was not aware that it could be changed via .htaccess and
would like to see an option in the global config where .htaccess can be
disabled/enabled for mod_security changes.

Thanks for all your hard work on this module.

NH

On Monday 27 September 2004 2:34 pm, Ivan Ristic wrote:
> I am thinking about removing the ability of mod_security
> to have its configuration directives in .htaccess files. I
> am even considering doing that in the forthcoming 1.8.5
> release. I haven't made up my mind yet but I'd like to
> know what others think about it. For example:
>
> * Are you configuring mod_security from .htaccess files?
>
> * Are you aware mod_security can be used from .htaccess
>   files (AllowOverride AuthConfig is required)?
>
> * Would you consider giving other (semi-trusted) people
>   access to mod_security directives?
>
> Basically I am not convinced people are aware mod_security
> directives can be used from .htaccess files and about
> potential consequences. (I am to blame for that, of course,
> I should have documented that better.)
>
> On the other hand, I would hate to break backward
> compatibility in a minor, bug-fixing release. So the
> other option is to have .htaccess configuration directives
> off by default in 1.9.x, and introduce a global directive
> to enable it explicitly.
>
> Would someone care to share their views?
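
An added example, not part of the original message or of the mod_security project: a Python audit an administrator could run to find where the situation discussed in this thread applies, that is, which `AllowOverride` lines grant `AuthConfig` and which `.htaccess` files already carry mod_security directives. It assumes mod_security directive names start with `Sec` and that the per-directory file is named `.htaccess`; the function names and the sample config are constructed for illustration.

```python
import os
import re

# Assumption: mod_security directive names begin with "Sec" (e.g. SecFilterEngine).
SEC_DIRECTIVE = re.compile(r"^\s*(Sec\w+)\b", re.IGNORECASE)
ALLOW_OVERRIDE = re.compile(r"^\s*AllowOverride\s+(.*)$", re.IGNORECASE)

# Constructed sample of a main server config (not taken from the thread).
SAMPLE_CONF = ("<Directory /srv/a>\nAllowOverride AuthConfig\n</Directory>\n"
               "<Directory /srv/b>\nAllowOverride None\n</Directory>\n")

def logical_lines(text):
    """Yield (first_line_no, line), joining backslash continuations, skipping comments."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.endswith("\\"):          # Apache continues a directive on the next line
            buf += raw[:-1] + " "
            continue
        line, buf = buf + raw, ""
        if line.strip() and not line.lstrip().startswith("#"):
            yield start, line
        start = None

def overrides_permitting_modsec(conf_text):
    """Line numbers of AllowOverride directives that grant AuthConfig or All."""
    hits = []
    for no, line in logical_lines(conf_text):
        m = ALLOW_OVERRIDE.match(line)
        if m and {"authconfig", "all"} & {t.lower() for t in m.group(1).split()}:
            hits.append(no)
    return hits

def htaccess_modsec_directives(docroot):
    """Sorted (relative path, line_no, directive) for Sec* lines in .htaccess files."""
    found = []
    for base, _dirs, files in os.walk(docroot):
        if ".htaccess" in files:
            path = os.path.join(base, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for no, line in logical_lines(fh.read()):
                    m = SEC_DIRECTIVE.match(line)
                    if m:
                        found.append((os.path.relpath(path, docroot), no, m.group(1)))
    return sorted(found)

if __name__ == "__main__":
    print("AllowOverride lines permitting AuthConfig:", overrides_permitting_modsec(SAMPLE_CONF))
```

Run `htaccess_modsec_directives()` against each document root whose `<Directory>` block is flagged by `overrides_permitting_modsec()`; any hit is a mod_security setting being made outside the main config.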