On Tuesday 10 June 2008 at 18:53 +1000, Sven Dowideit wrote:
> I still contend that
>
> "Allow from 127.0.0.1"
>
> does _not_ constitute open to anyone on the internet.

Right. But see below...

> While hard coding
> TWikiGuest with a password of guest is not in any sense a good thing,
> from what I've noticed of other debian packages (and the fact that this
> was the case when I inherited the package) make me feel that it's _not_
> an issue that demands everyone to drop everything.

Keeping the TWikiGuest user with password guest can make sense, as long as it's an open wiki where anonymous posts will be flagged as made by TWikiGuest. But in no case should this TWikiGuest user be granted configure access, IMHO (hence the "configuser" in my patch).

> "Satisfy Any" is not a better solution, as it opens configure up to an
> even bigger group of users - anyone that has registered on the TWiki.

Please RTFM: http://httpd.apache.org/docs/2.2/mod/core.html#satisfy which explains this kind of situation in sufficient detail, I think (or it's me who didn't understand).

In the current case it behaves as such: either you're
1) connecting from 127.0.0.1: configure is open to you, or
2) you're from anywhere else, and then you need to know TWikiGuest's password.

Basically, that's open to anyone with the proper script or knowledge!

What you're thinking of is "require valid-user", I think... which is totally different from the "Satisfy Any" here.

Now, I suppose that you'll agree that there's a bigger security threat than you initially thought?

Hope this helps,

-- 
Olivier BERGER <[EMAIL PROTECTED]>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
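The Apache 2.2 behaviour Olivier describes, as an added example that is not part of the thread or of the Debian twiki package: the first block reproduces the "Satisfy Any" situation, where the address check and the password check are alternatives, so a shipped TWikiGuest/guest credential opens configure from any address; the second block uses "Satisfy All" and a dedicated account so that both checks must pass. The /twiki/bin/configure location, the /etc/twiki/htpasswd path and the "configuser" account name are assumptions (configuser is the name used in the patch mentioned above, but the account itself must be created by the site).

```apache
# Weak: with "Satisfy Any" a request is accepted if EITHER the address
# check OR the password check passes. The address check only admits
# 127.0.0.1, but the password check admits anyone holding a valid entry
# in the htpasswd file, and TWikiGuest/guest ships as one such entry.
<Location /twiki/bin/configure>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    AuthType Basic
    AuthName "TWiki configure"
    # assumed path to the package's htpasswd file
    AuthUserFile /etc/twiki/htpasswd
    Require valid-user
    Satisfy Any
</Location>

# Hardened: "Satisfy All" (the Apache default) requires BOTH checks to
# pass, so a request must come from 127.0.0.1 AND authenticate. "Require
# user" further limits the password check to one dedicated admin account
# ("configuser" is a placeholder to be created by the site), so the
# shipped TWikiGuest credentials no longer grant configure access.
<Location /twiki/bin/configure>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    AuthType Basic
    AuthName "TWiki configure"
    AuthUserFile /etc/twiki/htpasswd
    Require user configuser
    Satisfy All
</Location>
```

A quick way to confirm which rule is in force is to request configure once from a non-local address without credentials and once with the TWikiGuest/guest pair: under "Satisfy Any" the second request succeeds, under "Satisfy All" both are refused. Run `apachectl configtest` after editing, since Apache does not accept trailing comments on directive lines.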