
Re: Password security



Maddy,
Thanks for your contributions; it seems to me like you know quite a lot
about these things.
> Using <Limit GET> means a page in that dir cannot be called from
> somewhere on the web -- if the point is to stop people from finding
> out filenames they might then want to look at when they shouldn't,
> this does the trick. 
The reason why I questioned it was this para at
http://www.apache.org/docs/mod/core.html#limit :
"Access controls are normally effective for all access methods, and this
is the usual desired behaviour. In the general case, access control
directives should not be placed within a <limit> section."
> Also, on some servers (depending on version of Apache and sometimes
> other things), it doesn't work without <Limit GET>.
Provided that the use of <Limit GET> doesn't open up some ways to view
the contents of certain files from the web, I guess this is reason
enough to follow your advice. I'd appreciate your confirmation, if you
are able to.
I'm trying to find out the appropriate recommendation to put in the
Ringlink FAQ in this respect. Right now I think those who use Ringlink
on Apache servers should be recommended to put .htaccess files with the
following lines in the 'lib' and 'data' directories:
<Limit GET>
deny from all 
</Limit>
But if they, like Jock described, have put files under the 'data'
directory which they want to remain readable from the web, the .htaccess
file in the 'data' directory could have these lines instead:
<Files *.db>
<Limit GET>
deny from all 
</Limit>
</Files>
Please let me know whether you agree.
/ Gunnar
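Added example (editor's note, not part of Gunnar's message, the Ringlink FAQ or
the Apache documentation): the two .htaccess variants discussed above, side by
side with the method-independent form that the quoted core.html paragraph
recommends. It assumes a 1.3/2.0/2.2-style server where deny/allow come from
mod_access (mod_access_compat on 2.4) and AllowOverride Limit is enabled for the
directory; the Apache 2.4 block at the end assumes mod_authz_core. The *.db
pattern is taken from the thread; everything else is illustrative.

```apache
# Weak form: the rule applies to GET only. Apache also treats HEAD as GET
# inside <Limit>, but POST, PUT, DELETE, OPTIONS, TRACE and any other
# method reach the files in this directory with no access control at all.
<Limit GET>
    Order deny,allow
    Deny from all
</Limit>

# Preferred form for the 'lib' and 'data' directories: an access-control
# directive outside any <Limit> section applies to every request method.
Order deny,allow
Deny from all

# When some files under 'data' must stay web-readable, scope the same
# unconditional rule to the sensitive files only (regex match on the
# *.db suffix, so "foo.db.bak" style names are covered by a second pattern
# if you need them).
<Files ~ "\.db$">
    Order deny,allow
    Deny from all
</Files>

# Apache 2.4 equivalent using mod_authz_core; also outside any <Limit>.
<Files ~ "\.db$">
    Require all denied
</Files>
```

A quick check after deploying: request a protected file with a method other
than GET (for example POST or OPTIONS) and confirm the server answers 403, not
200; with the <Limit GET> variant it is the non-GET request that slips through.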

Follow-Ups from:
Maddy <maddy@beinary.org>

References to:
CGR Online <cgronline@jaxcan.org>
Gunnar Hjalmarsson <mailbox@gunnar.cc>
Maddy <maddy@beinary.org>
Gunnar Hjalmarsson <mailbox@gunnar.cc>
Maddy <maddy@beinary.org>
