2019-02-13
An unpleasant surprise with part of Apache's AllowOverride directive
Suppose, not entirely hypothetically, that you have a general directory hierarchy for your web server's document root, and you allow users to own and maintain subdirectories in it. In order to be friendly to users, you configure this hierarchy like the following:
Options SymLinksIfOwnerMatch
AllowOverride FileInfo AuthConfig Limit Options Indexes

This allows people to use .htaccess files in their subdirectories to do things like disable symlinks or enable automatic directory indexes (which you have turned off here by default in order to avoid unpleasant accidents, but which is inconvenient if people actually have a directory of stuff that they just want to expose).
Congratulations, you have just armed a gun pointed at your foot.
Someday you may look at a random person's .htaccess in their subdirectory and discover:

Options +ExecCGI
AddHandler cgi-script .cgi
You see, as the fine documentation will explicitly tell you, the innocent-looking 'AllowOverride Options' does exactly what it says on the can; it allows .htaccess files to turn on any Options directive. Some of these options are harmless, such as 'Options Indexes', while others of them are probably things that you don't want people turning on on their own without talking to you first.
(People can also turn on the full 'Options +Includes', which also allows them to run programs through the '#exec' element, as covered in mod_include's documentation. For that matter, you may not want to allow them to turn on even the more modest IncludesNOEXEC.)
To deal with this, you need to restrict what Options people can control, something like:
AllowOverride [...] Options=Indexes,[...] [...]
The Options= list is not just the options that people can turn on; it is also the options that you let them turn off, for example if they don't want symlinks to work at all in their subdirectory hierarchy.
(It's kind of a pity that Options is such a grab-bag assortment of things, but that's history for you.)
As an additional note, changing your 'AllowOverride Options' settings after the fact may be awkward, because any .htaccess file with a now-disallowed Options setting will cause the entire subdirectory hierarchy to become inaccessible. This may bias you toward very conservative initial settings until people appeal, and then perhaps narrow exemptions afterward.
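As an added example that is not part of the original post: a small Python audit that reads a planned AllowOverride line, extracts its Options= list, and reports which .htaccess files set or clear an Option outside that list. Those are exactly the subdirectories Apache would stop serving once the tightened configuration went live, so running this before the change avoids the lockout described above. The /var/www/people path and the .htaccess contents are constructed for the example; against a real server, collect_htaccess() walks the actual document root instead.

```python
"""Audit .htaccess files against a planned 'AllowOverride ... Options=...' list.

Added example, not code from the original post. Apache refuses to serve a
directory whose .htaccess sets an Option that AllowOverride does not permit,
so this finds the files that would break before the server config is tightened.
"""
import os

# Option names Apache's core Options directive accepts (2.4 names).
# 'All' and 'None' are handled specially below.
KNOWN_OPTIONS = {
    "execcgi", "followsymlinks", "includes", "includesnoexec", "indexes",
    "multiviews", "symlinksifownermatch",
}


def parse_override_options(config_text):
    """Extract the Options= allow list from the first AllowOverride directive.

    Returns a set of lower-cased option names, or None when the directive
    grants 'Options' (or 'All') without restriction, which is the situation
    the post warns about. An empty set means Options cannot be overridden.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if not parts or parts[0].lower() != "allowoverride":
            continue
        allowed = set()
        for tok in parts[1:]:
            low = tok.lower()
            if low in ("all", "options"):
                return None  # unrestricted: any Option may be toggled
            if low.startswith("options="):
                allowed |= {o for o in low[len("options="):].split(",") if o}
        return allowed
    return set()


def options_set_by_htaccess(htaccess_text):
    """Return every Option name an .htaccess body tries to set or clear.

    'Options +Indexes' and 'Options -Indexes' both need Indexes in the
    Options= list: the list governs turning options off as well as on.
    'None' toggles nothing and so never conflicts with the list; 'All'
    needs every option to be permitted.
    """
    names = set()
    for raw in htaccess_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if not parts or parts[0].lower() != "options":
            continue
        for tok in parts[1:]:
            name = tok.lstrip("+-").lower()
            if name == "all":
                names |= KNOWN_OPTIONS
            elif name != "none":
                names.add(name)
    return names


def audit(htaccess_files, allowed):
    """Map each .htaccess path to the sorted options it sets that 'allowed' forbids.

    htaccess_files: {path: contents}; allowed: the result of
    parse_override_options(). Paths with no violations are omitted, so an
    empty dict means the new AllowOverride line locks nobody out.
    """
    if allowed is None:
        return {}
    problems = {}
    for path, text in htaccess_files.items():
        bad = options_set_by_htaccess(text) - allowed
        if bad:
            problems[path] = sorted(bad)
    return problems


def collect_htaccess(docroot):
    """Read every .htaccess file under docroot into {path: contents}."""
    found = {}
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found[path] = fh.read()
    return found


# Constructed sample data; the path and users are hypothetical.
PLANNED_CONFIG = """
<Directory /var/www/people>
    Options SymLinksIfOwnerMatch
    AllowOverride FileInfo AuthConfig Limit Options=Indexes,SymLinksIfOwnerMatch
</Directory>
"""

SAMPLE_HTACCESS = {
    "/var/www/people/alice/.htaccess": "Options +Indexes\n",
    "/var/www/people/bob/.htaccess": "Options -SymLinksIfOwnerMatch\n",
    "/var/www/people/mallory/.htaccess": "Options +ExecCGI\nAddHandler cgi-script .cgi\n",
    "/var/www/people/dave/.htaccess": "Options +IncludesNOEXEC\n",
}

if __name__ == "__main__":
    allowed = parse_override_options(PLANNED_CONFIG)
    for path, bad in sorted(audit(SAMPLE_HTACCESS, allowed).items()):
        print(f"{path}: would break, sets {', '.join(bad)}")
```

Alice and Bob pass because Indexes and SymLinksIfOwnerMatch are in the list (Bob is only turning one off, which still needs permission); Mallory's ExecCGI and Dave's IncludesNOEXEC are the directories that would go dark, and the ones to talk to before deploying the stricter line.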
(Our web server is generously configured for historical reasons; it has been there for a long time and defaults were much looser in the past, so people made use of them. We would likely have a rather different setup if we were recreating the content and configuration today from scratch.)