Thread: [mod-security-users] mod_security in .htaccess files opinions?
From: Ivan R. <iv...@we...> - 2004-09-27 18:32:49
I am thinking about removing the ability of mod_security to have its configuration directives in .htaccess files. I am even considering doing that in the forthcoming 1.8.5 release. I haven't made up my mind yet but I'd like to know what others think about it. For example:

* Are you configuring mod_security from .htaccess files?

* Are you aware mod_security can be used from .htaccess files (AllowOverride AuthConfig is required)?

* Would you consider giving other (semi-trusted) people access to mod_security directives?

Basically I am not convinced people are aware mod_security directives can be used from .htaccess files and about potential consequences. (I am to blame for that, of course, I should have documented that better.)

On the other hand, I would hate to break backward compatibility in a minor, bug-fixing release. So the other option is to have .htaccess configuration directives off by default in 1.9.x, and introduce a global directive to enable it explicitly.

Would someone care to share their views?

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
From: Security <sec...@ez...> - 2004-09-27 18:54:11
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I personally have found that anyone who has permission to change mod_security settings has root level access and can already change the main config file anyway. I also was not aware that it could be changed via .htaccess and would like to see an option in the global config where .htaccess can be disabled/enabled for mod_security changes.

Thanks for all your hard work on this module.

NH

On Monday 27 September 2004 2:34 pm, Ivan Ristic wrote:
> I am thinking about removing the ability of mod_security
> to have its configuration directives in .htaccess files. I
> am even considering doing that in the forthcoming 1.8.5
> release. I haven't made up my mind yet but I'd like to
> know what others think about it. For example:
>
> * Are you configuring mod_security from .htaccess files?
>
> * Are you aware mod_security can be used from .htaccess
> files (AllowOverride AuthConfig is required)?
>
> * Would you consider giving other (semi-trusted) people
> access to mod_security directives?
>
> Basically I am not convinced people are aware mod_security
> directives can be used from .htaccess files and about
> potential consequences. (I am to blame for that, of course,
> I should have documented that better.)
>
> On the other hand, I would hate to break backward
> compatibility in a minor, bug-fixing release. So the
> other option is to have .htaccess configuration directives
> off by default in 1.9.x, and introduce a global directive
> to enable it explicitly.
>
> Would someone care to share their views?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBWGIGPEfiOMhBaIMRAqrqAJ9zEk77tu4X+FY32o/O75mHRgZAVgCeKMPf
Kjsqspno3yYHyMKeA2OaZu4=
=dUpP
-----END PGP SIGNATURE-----
From: Ivan R. <iv...@we...> - 2004-09-27 19:44:50
> Thanks for all your hard work on this module.

You are welcome.

You (the recipients of the users' list) may have noticed that I have been a little bit quiet lately. I'd like to let you know that this is because I have been very busy finishing the book. I have approximately one month of work left now. After that I am getting back to mod_security and I have a really large list of things I want to implement in 1.9 and other future releases. I can't wait to start working on it.

I may as well use this email to say other things that have been on my mind. As of June this year I am working full time on web security. So far (and for one more month) this meant working on the book, but things will start happening fast very soon now with mod_security and other things (products) I plan to do. This is mostly because I have formed a company (Thinking Stone, see http://www.thinkingstone.com) to finance my own work on web security. It will be interesting to see how that turns out. I have no doubt whatsoever it will be a success, though :)

One final thing, which I think is pretty obvious but I'll state it anyway. The fact that I am now running a company does not and will not change anything about mod_security. The licensing will remain as it has always been. Actually, things will change for the better since I will be bringing new people (employees) on board to help me with the work.

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
From: Gerwin K. -|- D. W. <ge...@di...> - 2004-09-30 13:37:27
Well to be honest I think it's a job for admins to setup/maintain mod_security. We only configure it in httpd.conf and we think our customers have nothing to do with it. So we're not gonna miss it :)

Gerwin

Ivan Ristic wrote:
>I am thinking about removing the ability of mod_security
>to have its configuration directives in .htaccess files. I
>am even considering doing that in the forthcoming 1.8.5
>release. I haven't made up my mind yet but I'd like to
>know what others think about it. For example:
>
>* Are you configuring mod_security from .htaccess files?
>
>* Are you aware mod_security can be used from .htaccess
> files (AllowOverride AuthConfig is required)?
>
>* Would you consider giving other (semi-trusted) people
> access to mod_security directives?
>
>Basically I am not convinced people are aware mod_security
>directives can be used from .htaccess files and about
>potential consequences. (I am to blame for that, of course,
>I should have documented that better.)
>
>On the other hand, I would hate to break backward
>compatibility in a minor, bug-fixing release. So the
>other option is to have .htaccess configuration directives
>off by default in 1.9.x, and introduce a global directive
>to enable it explicitly.
>
>Would someone care to share their views?
From: <ha...@mm...> - 2004-09-30 13:48:52
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I think it's a good thing to be able to configure it in .htaccess files. This comes in handy if you have to disable it for certain apps, e.g. phpMySQL or some documentation system where I e.g. want to document administration steps which contain SQL statements and other such kinda admin tools.

Just my 2 cents.

Harry

--On Monday, September 27, 2004 19:34:20 +0100 Ivan Ristic <iv...@we...> wrote:
>
> I am thinking about removing the ability of mod_security
> to have its configuration directives in .htaccess files. I
> am even considering doing that in the forthcoming 1.8.5
> release. I haven't made up my mind yet but I'd like to
> know what others think about it. For example:
>
> * Are you configuring mod_security from .htaccess files?
>
> * Are you aware mod_security can be used from .htaccess
> files (AllowOverride AuthConfig is required)?
>
> * Would you consider giving other (semi-trusted) people
> access to mod_security directives?
>
> Basically I am not convinced people are aware mod_security
> directives can be used from .htaccess files and about
> potential consequences. (I am to blame for that, of course,
> I should have documented that better.)
>
> On the other hand, I would hate to break backward
> compatibility in a minor, bug-fixing release. So the
> other option is to have .htaccess configuration directives
> off by default in 1.9.x, and introduce a global directive
> to enable it explicitly.
>
> Would someone care to share their views?

-- 
1024D/40F14012 18F3 736A 4080 303C E61E 2E72 7E05 1F6E 40F1 4012
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GIT/S dx s: a C++ ULS++++$ P+++ L+++$ !E W++ N+ o? K? !w !O !M V PS+ PE Y? PGP+++ t+ 5-- X+ R+ !tv b++ DI++ D+ G e* h r++ y++
------END GEEK CODE BLOCK------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBXA6/fgUfbkDxQBIRAnhWAJ9hYOnQR+MqXgmYyv1lw/L5U+PRigCfarBF
v0umWcWFEQBDh0HuucO+IOU=
=7RXj
-----END PGP SIGNATURE-----
From: Chris <chr...@ms...> - 2005-09-17 13:30:49
<harry_b <at> mm.st> writes:
>
>
> Hi,
>
> I think it's a good thing to be able to configure it in .htaccess files.
> This comes in handy if you have to disable it for certain apps, e.g.
> phpMySQL or some documentation system where I e.g. want to document
> administration steps which contain SQL statements and other such kinda
> admin tools.
>
> Just my 2 cents.
>
> Harry
>
> --On Monday, September 27, 2004 19:34:20 +0100 Ivan Ristic
> <ivanr <at> webkreator.com> wrote:

Well it should be made so it can't override. What happens if someone signs up to a webhost that runs mod_security and decides to override it to help them break into the server? It kind of defeats the purpose if a normal user can just disable it.
From: Ivan R. <iv...@we...> - 2005-09-19 11:03:42
Chris wrote:
> <harry_b <at> mm.st> writes:
>
>
>>
>>Hi,
>>
>>I think it's a good thing to be able to configure it in .htaccess files.
>>This comes in handy if you have to disable it for certain apps, e.g.
>>phpMySQL or some documentation system where I e.g. want to document
>>administration steps which contain SQL statements and other such kinda
>>admin tools.
>>
>>Just my 2 cents.
>>
>>Harry
>>
>>--On Monday, September 27, 2004 19:34:20 +0100 Ivan Ristic
>><ivanr <at> webkreator.com> wrote:
>
> Well it should be made so it can't override. What happens if someone signs up to a
> webhost that runs mod_security and decides to override it to help them break into
> the server? It kind of defeats the purpose if a normal user can just disable it.

There is plenty you can do if you are concerned about that kind of thing. Personally I don't think a non-admin should get to use mod_security, mostly because there is a possibility to significantly slow down the web server through misuse. From a security point of view, if someone is in a position to control the .htaccess files then he probably already has more privileges than mod_security could give him.

Having said that, here are your options:

1. Disable usage of mod_security in .htaccess files altogether (by compiling it with -DDISABLE_HTACCESS_CONFIG).

2. mod_security won't work in .htaccess files unless the user has "AllowOverride Options".

3. In 1.9 it is possible to mark rules as mandatory (either all rules in a context or individual rules via the "mandatory" action) so that they cannot be removed from the child contexts. But this was not meant as a security feature, it was meant only to guard against accidental rule override.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
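An added audit script for the situation raised in Ivan's opening post and in Chris's reply above. It is not code from the thread or from the mod_security project: on a shared host where AllowOverride lets tenants use mod_security directives, the administrator wants a list of every .htaccess file under the document root that carries one, since a single "SecFilterEngine Off" line disables filtering for that directory. The only assumption beyond the thread is that every ModSecurity 1.x directive name starts with "Sec" (SecFilterEngine, SecFilter, SecFilterInheritance, and so on). The sample tree it builds for the demonstration is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the mod_security project:
# audit a document root for .htaccess files that carry ModSecurity 1.x
# directives. Where AllowOverride lets tenants use them, a line such as
# "SecFilterEngine Off" switches filtering off for that directory, so the
# admin wants every place that happens listed.
#
# Assumption (not from the thread): every ModSecurity 1.x directive name
# starts with "Sec" (SecFilterEngine, SecFilter, SecFilterInheritance, ...).
# Apache matches directive names case-insensitively, hence grep -i.

# Print "path:lineno:directive line" for every Sec* directive found in an
# .htaccess file below $1. The anchor allows only leading whitespace before
# the directive name, so commented-out lines ("# SecFilter ...") are skipped.
find_modsec_htaccess() {
    find "$1" -type f -name .htaccess \
        -exec grep -H -i -n -E '^[[:space:]]*Sec[A-Za-z]+' {} + 2>/dev/null
}

# Number of offending lines below $1 (0 when the tree is clean).
count_modsec_htaccess() {
    find_modsec_htaccess "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree so the audit can be demonstrated offline.
# Prints the directory it created; the caller removes it.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/customer1/app" "$d/customer2"
    # constructed: a tenant switching the filter off for one directory
    printf 'SecFilterEngine Off\n' > "$d/customer1/app/.htaccess"
    # constructed: lower-case spelling, still a valid Apache directive
    printf '# local tweaks\nsecfilterinheritance off\n' > "$d/customer1/.htaccess"
    # constructed: an ordinary .htaccess with no mod_security directives
    printf 'DirectoryIndex index.php\nOptions -Indexes\n' > "$d/customer2/.htaccess"
    printf '%s' "$d"
}

# Stand-alone use: ./audit.sh /var/www
if [ -n "${1:-}" ]; then
    find_modsec_htaccess "$1"
    echo "$(count_modsec_htaccess "$1") Sec* directive line(s) in .htaccess files under $1"
fi
```

Run against the real document root, a non-empty listing means the directives are reachable from tenant-controlled files and the AllowOverride setting for those directories (or the compile-time option Ivan lists) deserves a look; an empty listing only says nobody has used them yet, not that they cannot be used.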
From: Mark <ad...@as...> - 2004-09-30 17:57:09
Ivan Ristic wrote:
> I am thinking about removing the ability of mod_security
> to have its configuration directives in .htaccess files. I
> am even considering doing that in the forthcoming 1.8.5
> release. I haven't made up my mind yet but I'd like to
> know what others think about it.
Ditch it. :) Seriously, it has no place in .htaccess (frankly, I am one of
those people who does not like any sort of administrative override in
.htaccess to begin with).
Now, at least, I will shed no tear over its upcoming loss.
> On the other hand, I would hate to break backward
> compatibility in a minor, bug-fixing release. So the
> other option is to have .htaccess configuration directives
> off by default in 1.9.x, and introduce a global directive
> to enable it explicitly.
As long as it can be disabled, it can stay, as far as I am concerned. But my
underlying "approval" is, of course, based on the ability to disable it;
that should tell you enough. :)
- Mark
System Administrator Asarian-host.org
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx