Networking / Beginners

Server Options for Documents and Directories

The httpd.conf file can define server controls for all web documents or for documents in individual directories. The Options directive specifies which server options are permitted for documents. Placing the Options directive inside a Directory container limits the scope of the directive to that specific directory. The Red Hat Linux 7.2 configuration provides the examples shown in Listing below.

Active Directory Containers in Red Hat's httpd.conf File
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<Directory "/var/www/icons">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
<Directory /usr/share/doc>
    order deny,allow
    deny from all
    allow from localhost .localdomain
    Options Indexes FollowSymLinks
</Directory>

This configuration defines server option controls for five directories: the root (/), /var/www/html, /var/www/icons, /var/www/cgi-bin, and /usr/share/doc directories. The example shows four possible values for the Options directive: FollowSymLinks, Indexes, None, and MultiView. The Options directive has several possible settings:

All Permits the use of all server options.

ExecCGI Permits the execution of CGI scripts from this directory. The ExecCGI option allows CGI scripts to be executed from directories other than the directory pointed to by the ScriptAlias directive. Many administrators set this option for the ScriptAlias directory, but doing so is somewhat redundant. The ScriptAlias directive already specifies that /var/ www/cgi-bin is the script directory. In Listing above, Options is set to None for the /var/ www/cgi-bin directory without undoing the effect of the ScriptAlias directive.

FollowSymLinks Permits the use of symbolic links. If this is allowed, the server treats a symbolic link as if it were a document in the directory.

Includes Permits the use of Server Side Includes (SSI).

IncludesNOEXEC Permits Server Side Includes (SSI) that do not include #exec and #include commands.

Indexes Permits a server-generated listing of the directory if an index.html file is not found.

MultiViews Permits the document language to be negotiated.

None Doesn't permit any server options. This provides the highest level of security.

SymLinksIfOwnerMatch Permits the use of symbolic links if the target file of the link is owned by the same user ID as the link itself.

Use server options with care. The None, Indexes, and MultiView options used in the Red Hat configuration should not cause security problems, although Indexes gives remote users a listing of the directory contents if no index.html file is found and MultiView consumes server resources. FollowSymLinks has the potential for security problems because symbolic links can increase the number of directories in which documents are stored. The more directories, the more difficult the task of securing the directories because all of the directories must have the proper permissions set, and all must be monitored for possible file corruption.

The directory containers in the example above also contain AllowOverride directives. These directives limit the amount of configuration control given to the individual directories.

[Previous] [Contents] [Next]