Re: Security issue when defining wrong location directive in Apache

From: Phil Endecott <spam_from_subversion_users_at_chezphil.org>
Date: 2006-01-17 01:32:43 CET

Sander wrote:

> I had some repositories under my https-root ..
>
> My Apache conf was:

I assume DocumentRoot /var/www

> <Location /svn>
> DAV svn
> SVNParentPath /var/www/domainname/httpsdocs/projects
>
> AuthType Basic
> AuthName "Subversion Repository Access"
> AuthUserFile /var/www/domainname/private/.xsinfo
>
> </Location>
>
> This looks quite ok doesnt it ?

No it doesn't look OK. You have put your AuthUserFile inside your
DocumentRoot. This is at best bad practice and at worst a huge security
hole; see http://httpd.apache.org/docs/2.0/mod/mod_auth.html and look at
the "Security" box under "AuthUserFile".

Your issue with your subversion repository is essentially the same.

Don't put things under your DocumentRoot unless you want to serve them.

--Phil.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Jan 17 01:42:59 2006

This message: [ Message body ]
Next message: Sander: "Re: Security issue when defining wrong location directive in Apache"
Previous message: Ryan Schmidt: "Re: Security issue when defining wrong location directive in Apache"
In reply to: Sander: "Security issue when defining wrong location directive in Apache"
Next in thread: Sander: "Re: Security issue when defining wrong location directive in Apache"
Reply: Sander: "Re: Security issue when defining wrong location directive in Apache"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]