Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Apache: Users

mod_status, disable server-status for users

  

 
Apache users RSS feed   Index | Next | Previous | View Threaded


hajo.locke at gmx

Mar 5, 2012, 5:32 AM

Post #1 of 4 (251 views)
Permalink
mod_status, disable server-status for users
Hello List,

ist there any possibility to hide server-status page provided by mod-status
for my users?
every user with .htaccess is able to use sethandler and able to view
complete status.
how to disable this?

Thanks,
Hajo


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd


uhlar at fantomas

Mar 5, 2012, 6:54 AM

Post #2 of 4 (253 views)
Permalink
Re: mod_status, disable server-status for users [In reply to]
On 05.03.12 14:32, Hajo Locke wrote:
>ist there any possibility to hide server-status page provided by
>mod-status for my users?
>every user with .htaccess is able to use sethandler and able to view
>complete status.

I'm afraid the only way to disable this is to disable mod_status.
I don't know of any other way and I that's why I don't use mod_status.
--
Matus UHLAR - fantomas, uhlar [at] fantomas ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd


hajo.locke at gmx

Mar 5, 2012, 7:11 AM

Post #3 of 4 (236 views)
Permalink
Re: mod_status, disable server-status for users [In reply to]
hello,

> I'm afraid the only way to disable this is to disable mod_status.
> I don't know of any other way and I that's why I don't use mod_status.

which module you are using? i cant renounce to view a statuspage of my
server.

Thanks,
Hans


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd


mark at catseye

Mar 5, 2012, 7:15 AM

Post #4 of 4 (236 views)
Permalink
Re: mod_status, disable server-status for users [In reply to]
On March 5, 2012 8:32 , "Hajo Locke" <hajo.locke [at] gmx> wrote:
> ist there any possibility to hide server-status page provided by
> mod-status for my users?
> every user with .htaccess is able to use sethandler and able to view
> complete status.
> how to disable this?

Disable mod_status, or turn off .htaccess files, or disable the
"FileInfo" override ("Options -FileInfo"), or don't give any access to
the filesystem to anyone who you don't trust with the power to use
.htaccess files.

The documentation warns about this problem:
https://httpd.apache.org/docs/2.2/mod/mod_status.html says,

> *It should be noted that if |mod_status
> <https://httpd.apache.org/docs/2.4/mod/mod_status.html>| is loaded
> into the server, its handler capability is available in /all/
> configuration files, including /per/-directory files (/e.g./,
> |.htaccess|). This may have security-related ramifications for your site.*


--
Mark Montague
mark [at] catseye


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd

Apache users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.