On Tue, 20 Aug 2002 [EMAIL PROTECTED] wrote:

> ---------------------------------------------------------------
> Scenario 1: Server wants to control which clients access some
>             protected files.
> Topics: Authentication (of all kinds), Directory Browsing,
>         ScriptAlias, .htaccess, ErrorDocument, ...

This first scenario is covered by the authentication/authorization tutorial. Or at least, it is supposed to be.

> ---------------------------------------------------------------
> Scenario 2: Clients want to prevent an attacker from overhearing data
>             transferred to the server. (May need to be divided
>             into HTTP and non-HTTP communication sections.)
> Topics: Encryption (SSL etc., AuthType Basic, ...).
> ---------------------------------------------------------------
> Scenario 3: ServerAdmin wants to prevent webspace users from accessing
>             privileged resources.
> Topics: CGI auditing, suexec, chroot, userid of httpd,
>         AllowOverride etc.
> ---------------------------------------------------------------
> Scenario 4: Webspace user wants to prevent other webspace users
>             from accessing his/her files.
> Topics: File system permissions, userid of CGI execution,
>         clever password selection (outguessing FTP access)
> ---------------------------------------------------------------

These other scenarios are more what I think of when I think of the security document. Perhaps that is incorrect, but I think that was what was in mind when this item was added to the STATUS document many moons ago.

It seemed to me, at the time, that Alan Liska was going to take a stab at writing that. I even seem to remember that there was some initial document written. But I have not heard much about it since then.

Alan? Are you still there?

--
And everyone said, "If we only live,
We too will go to sea in a Sieve -
To the hills of the Chankly Bore!"
(The Jumblies, by Edward Lear)