Re: [mod-security-users] htaccess gone in 2.x
From: Ivan R. <iva...@gm...> - 2006-10-25 15:39:16
On 10/25/06, Filip Hajny <fi...@jo...> wrote:
> Hey folks,
>
> I understand from the source that the .htaccess scope is finally gone
> in the 2.x branch. This presents a problem for us/me and will likely
> have to hack it back in. I understand the concerns, but I still think
> the ability to control parts of mod_security should be present.

Can you clarify why you think that?

I have no problem with .htaccess control when it is conscientiously
used. It is those that have it enabled and don't know about it that are
worrying me. So we just need to find a safe way to enable it and
everyone is going to be happy. At the very worst I can make it a
compile-time flag again. What I'd like to do is make it a server
configuration option (to use it or not) but that's not straightforward
and I need to find a way to do it.

> I see that there are already two scopes defined in 2.x,
> CMD_SCOPE_MAIN and CMD_SCOPE_ANY. Is there any chance we might see a
> minor scope added, to let non-privileged users do things like remove
> existing rules by ID?

And have, for example, SecRuleInheritance, SecRule, SecAction, and
SecDefaultAction in that third group? Any other directives that you'd
like to see there?

> That would still let the system owner declare
> critical rules as mandatory right?

No, that feature does not exist in 2.x either. I am not really
convinced you can have it both ways - have control and allow the end
users to have their own configurations. But I am open to discussion.

> On a related note, can we expect to see the changelog updated to
> reflect the 2.x branch going current?

I'll get the changelog back into the distribution as soon as I can.

--
Ivan Ristic