
Re: Password security



Gunnar Hjalmarsson wrote:
> 
> Maddy,
> 
> Thanks for your contributions; it seems to me like you know quite
> a lot about these things.

Only what I've found out on the fly in the course of maintaining one
domain or another.

>> Using <Limit GET> means a page in that dir cannot be called from
>> somewhere on the web -- if the point is to stop people from finding
>> out filenames they might then want to look at when they shouldn't,
>> this does the trick.
> 
> The reason why I questioned it was this para at
> http://www.apache.org/docs/mod/core.html#limit :
> 
> "Access controls are normally effective for all access methods,
> and this is the usual desired behaviour. In the general case,
> access control directives should not be placed within a <limit>
> section."

Hum, yeah.

Okay, I brought it up because servers vary. I've used variations of
.htaccess to limit what people can view, pull remotely, etc., and it
seems to depend on the server whether or not it will work. On one server
I was assured by the rep that .htaccess "is either on or off" and he
said it was definitely on because they used it for password-protecting.
Much frustration (on my part) later, the rep had to sheepishly call the
Linux tech and ask why it wasn't working. Well, some servers require
<Limit ..> to be used, some require they *aren't* used. This was one
that expected them not to be there. This is however the exception to the
rule in my experience: five other domains I've managed or co-managed
have been on servers that require the use of <Limit GET> for the deny
thing to work. I've seen posts on dev-l about it and almost everyone
there who explains how to use it explains it *with* the <Limit ..> in
there.

> <Files *.db>
> <Limit GET>
> deny from all
> </Limit>
> </Files>

This is more sophisticated (for the average user) but it does what you
want. I can ask my geek buddies for more detail if you want full
technical blarb. ;)

Regards,
Maddy
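
An access control directive placed inside a <Limit> section applies only to the methods that section lists, which is why the Apache documentation quoted in this message advises against it. As an added example (not part of the original message), this Python sketch scans .htaccess text for such method-scoped rules; the function name and the sample input, including the *.bak rule, are constructed for illustration.

```python
import re

# Directives that grant or deny access (Apache 1.3/2.2 style plus Require).
ACCESS_DIRECTIVES = {"order", "allow", "deny", "require", "satisfy"}

# <Limit ...> only; the required whitespace keeps <LimitExcept ...> from matching.
OPEN_LIMIT = re.compile(r"^<Limit\s+([^>]+)>$", re.IGNORECASE)
CLOSE_LIMIT = re.compile(r"^</Limit>$", re.IGNORECASE)


def find_method_scoped_rules(config_text):
    """Return (line_no, directive, methods) for access rules inside <Limit>.

    Such rules apply only to the listed methods (GET also covers HEAD),
    so requests using any other method are not restricted by them.
    """
    findings = []
    methods = None  # None while outside any <Limit> section
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN_LIMIT.match(line)
        if opened:
            methods = tuple(m.upper() for m in opened.group(1).split())
            continue
        if CLOSE_LIMIT.match(line):
            methods = None
            continue
        if methods is not None and line.split()[0].lower() in ACCESS_DIRECTIVES:
            findings.append((line_no, line, methods))
    return findings


# Constructed sample: the rule quoted in the thread, then a rule without <Limit>.
SAMPLE_HTACCESS = """\
# constructed sample for the audit function
<Files *.db>
<Limit GET>
deny from all
</Limit>
</Files>

<Files *.bak>
deny from all
</Files>
"""

if __name__ == "__main__":
    for line_no, directive, methods in find_method_scoped_rules(SAMPLE_HTACCESS):
        print(f"line {line_no}: '{directive}' applies only to {', '.join(methods)}")
```

Only the rule wrapped in <Limit GET> is reported; the unwrapped rule applies to every method and is left alone.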
