Apache 2.2 - is there a way to allow only Options=Indexes f?

Discussion in 'Tips/Tricks/Mods' started by radim_h, Mar 19, 2009.

  1. radim_h

    radim_h Member HowtoForge Supporter

    The default ISPC setting in /etc/apache2/apache2.conf for web and users' webs is:
    <Directory /var/www/*/web>
    Options +Includes -Indexes
    AllowOverride None
    AllowOverride Indexes AuthConfig Limit FileInfo
    Order allow,deny
    Allow from all
    <Files ~ "^\.ht">
    Deny from all
    </Files>
    </Directory>


    Which is good for security, because when set to AllowOverride Options, a user can run CGI scripts and much more, as described in the manual: http://httpd.apache.org/docs/2.2/mod/core.html#options

    But it can be very helpful to allow override of Options +Indexes for users in .htaccess files, as setting browsable directories by hand for every customer is really annoying.

    Haven't you guys seen any patch or hack to allow only Options Indexes for users?
    I have seen some hosting companies which say that only Options=Indexes is allowed for their users, so I'm wondering if they are using their own modifications of Apache or how they do it
    ???

    Thanks for any hint

    I'm using Debian Lenny with the latest Apache 2.2.9-10+lenny2
     
  2. falko

    falko Super Moderator ISPConfig Developer

    You can use something like this in the Apache Directives field of a web site:
    Code:
    <Directory /var/www/web1/web>
      Options Indexes
    </Directory>
     
  3. radim_h

    radim_h Member HowtoForge Supporter

    Sorry for bothering, reading the Apache manual does the work.
    Allowing all Options is not good, then a user can run CGI scripts etc.
    To allow only Indexes, it has to look this way:

    AllowOverride Indexes AuthConfig Limit FileInfo Options=Indexes

    (I have tried this option before, don't understand why it didn't work, probably a problem somewhere between keyboard and chair .o) )

    The list of allowed parameters for Options has to be separated by commas

    http://httpd.apache.org/docs/2.2/mod/core.html#allowoverride
     
    Last edited: Mar 23, 2009
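
An added example (not part of the thread, and not ISPConfig or Apache code): a small Python audit that reads `<Directory>` blocks and reports which `Options` keywords `.htaccess` files may set, covering the default from the first post and the `Options=Indexes` form from the last post. The function names, the sample config and the `/var/www/web2/web` block are constructed for illustration, and the script assumes the last `AllowOverride` line in a block is the effective one.

```python
import re

def htaccess_options(tokens):
    """Options keywords a .htaccess file may set under one AllowOverride argument list."""
    allowed = set()
    for tok in tokens:
        key, _, value = tok.lower().partition("=")
        if key == "none":
            allowed = set()
        elif key == "all" or (key == "options" and not value):
            allowed = {"all"}  # bare Options (or All): ExecCGI, Includes, ... are settable
        elif key == "options":
            allowed |= {v.strip() for v in value.split(",") if v.strip()}
        # Indexes, AuthConfig, Limit, FileInfo are directive classes, not Options keywords
    return allowed

def audit(conf_text):
    """Map each <Directory> path to the Options its .htaccess files may set."""
    report, path, tokens = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            path, tokens = opened.group(1), None
        elif line.lower() == "</directory>" and path is not None:
            report[path] = None if tokens is None else htaccess_options(tokens)  # None: inherited
            path = None
        elif path is not None and re.match(r"AllowOverride\s", line, re.I):
            tokens = line.split()[1:]  # assumption: the last AllowOverride in a block wins
    return report

def risky_dirs(conf_text):
    """Directories where .htaccess may set any Options keyword other than Indexes."""
    return sorted(p for p, o in audit(conf_text).items() if o and o - {"indexes"})

# Constructed sample: first block is the thread's default, second the form from the
# last post, third (web2, hypothetical) the bare "Options" the thread warns about.
SAMPLE = """<Directory /var/www/*/web>
AllowOverride None
AllowOverride Indexes AuthConfig Limit FileInfo
</Directory>
<Directory /var/www/web1/web>
AllowOverride Indexes AuthConfig Limit FileInfo Options=Indexes
</Directory>
<Directory /var/www/web2/web>
AllowOverride Indexes AuthConfig Limit FileInfo Options
</Directory>
"""
print(risky_dirs(SAMPLE))
```

The `Indexes` token on its own is the override class for directory-indexing directives, which is why the first block reports no overridable `Options` at all.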
