Topic: Why are .htaccess files disabled?

[Len]

Hi there.

I've recently found out the E-smith disables .htaccess site protection features in Apache.  I saw elsewhere on this board that there was a security reason for it.  

My question is, what is the security risk?  I'm using an E-smith box as a simple home server, so I'm curious to know if it's a risk that I can live with.

Thanks a bunch.

Len

[John McGreyr]

Sure.  You have to modify the httpd.conf file.  Specifically, the line dealing with AuthConfig.

This category is intended to be used to control directives that have to do with Web page security, such as the AuthName, Satisfy, and Require directives. This is the most common category to allow to be overridden, as it allows users to protect their own documents.

All
This is a shorthand way of listing all of the categories; the two statements below are equivalent:
    AllowOverride AuthConfig FileInfo Indexes Limits Options
    AllowOverride All
   
See http://apache-server.com/tutorials/ATusing-htaccess.html

That will do it.  It's not a good idea to "AllowOverride All".