DAV access control

DAV access control

am 10.11.2009 16:00:47 von skrishnamur1

--_000_D0F59897FCC3D24F9A1C0106EF15EB780336D348C3NY2581corpb lo_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hi,

We are looking to setup SVN over apache, but it requires the use of DAV. Th=
ere are apparently security concerns over the use of DAV over apache 2.2., =
in the sense that it would allow users to anonymously write content to apac=
he, even outside of the context of SVN. Are there any workarounds to secure=
ly enable DAV and disallow anonymous writes etc... Pointers to relevant lit=
erature would be appreciated.

Thanks

--_000_D0F59897FCC3D24F9A1C0106EF15EB780336D348C3NY2581corpb lo_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">


>









Hi,



 



We are looking to setup SVN over apache, but it requir=
es the
use of DAV. There are apparently security concerns over the use of DAV over
apache 2.2., in the sense that it would allow users to anonymously write co=
ntent
to apache, even outside of the context of SVN. Are there any workarounds to
securely enable DAV and disallow anonymous writes etc… Pointers to
relevant literature would be appreciated.



 



Thanks









--_000_D0F59897FCC3D24F9A1C0106EF15EB780336D348C3NY2581corpb lo_--

Re: DAV access control

am 10.11.2009 16:43:37 von LuKreme

On 10-Nov-2009, at 08:00, skrishnamur1@bloomberg.com wrote:

> We are looking to setup SVN over apache, but it requires the use of =
DAV.

requires? I though SVN over DAV was a particular configuration option?

> There are apparently security concerns over the use of DAV over apache =
2.2.,

There are?

> in the sense that it would allow users to anonymously write content to =
apache, even outside of the context of SVN.

Erâ€=A6 no, I don't think so.


--=20
NEXT TIME IT COULD BE ME ON THE SCAFFOLDING
Bart chalkboard Ep. 2F12


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

AllowOverride

am 10.11.2009 17:04:25 von Pruniaux ghislain

Hi,
Some users on my apache server need to use RewriteEngine in there directory.
They use .htaccess, but they say that does not work.
I think i must change AllowOverride for their directory (default is
none) , but i could not find the AllowOverride directive for the
RewriteEngine (AuthConfig,FileInfo,Indexes,Limit,Options etc ..)

Thanks



On 11/10/2009 04:00 PM, skrishnamur1@bloomberg.com wrote:
> Hi,
>
> We are looking to setup SVN over apache, but it requires the use of DAV.
> There are apparently security concerns over the use of DAV over apache
> 2.2., in the sense that it would allow users to anonymously write
> content to apache, even outside of the context of SVN. Are there any
> workarounds to securely enable DAV and disallow anonymous writes etc…
> Pointers to relevant literature would be appreciated.
>
> Thanks
>


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: AllowOverride

am 10.11.2009 17:13:12 von Eric Covener

On Tue, Nov 10, 2009 at 11:04 AM, Pruniaux Ghislain
wrote:
> Hi,
> Some users on my apache server need to use RewriteEngine in there directo=
ry.
> They use .htaccess, but they say that does not work.
> I think i must change AllowOverride for their directory (default is none)=
,
> but i could not find the =A0AllowOverride directive for the RewriteEngine
> (AuthConfig,FileInfo,Indexes,Limit,Options etc ..)

Each directive lists the 'AllowOverride' that pertains to it:

http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewrit erule
RewriteRule Directive
Description: Defines rules for the rewriting engine
Syntax: RewriteRule Pattern Substitution [flags]
Context: server config, virtual host, directory, .htaccess
Override: FileInfo
^^^^^
--=20
Eric Covener
covener@gmail.com

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: DAV access control

am 10.11.2009 17:20:56 von aw

skrishnamur1@bloomberg.com wrote:
> Hi,
>
> We are looking to setup SVN over apache, but it requires the use of DAV. There are apparently security concerns over the use of DAV over apache 2.2., in the sense that it would allow users to anonymously write content to apache, even outside of the context of SVN. Are there any workarounds to securely enable DAV and disallow anonymous writes etc... Pointers to relevant literature would be appreciated.
>
There is nothing to stop you securing a handled by DAV, just
like you would secure any other section of your webspace.


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: AllowOverride

am 10.11.2009 19:48:24 von Pruniaux ghislain

Next time i will open my eyes

Thanks a lot


On 11/10/2009 05:13 PM, Eric Covener wrote:
> On Tue, Nov 10, 2009 at 11:04 AM, Pruniaux Ghislain
> wrote:
>> Hi,
>> Some users on my apache server need to use RewriteEngine in there directory.
>> They use .htaccess, but they say that does not work.
>> I think i must change AllowOverride for their directory (default is none) ,
>> but i could not find the AllowOverride directive for the RewriteEngine
>> (AuthConfig,FileInfo,Indexes,Limit,Options etc ..)
>
> Each directive lists the 'AllowOverride' that pertains to it:
>
> http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewrit erule
> RewriteRule Directive
> Description: Defines rules for the rewriting engine
> Syntax: RewriteRule Pattern Substitution [flags]
> Context: server config, virtual host, directory, .htaccess
> Override: FileInfo
> ^^^^^


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org