cosign-discuss at umich.edu
general discussion of cosign development and deployment
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Cosign on a Sub Directory Only
On Tue, 20 Jul 2004, johanna bromberg craig wrote:
> This was originally a security thought, but I'm not sure our reasons
> are valid anymore. I think our original logic was not wanting users to
> turn off/on Cosign if an admin had made it on/off for a whole server,
> but that might be spurious. Other members of the core cosign team feel
> free to speak up and correct me if there was a more pressing issue and
> I've just forgotten it. ;)
I wasn't involved in those discussions, but unless there is a reason
to have a CosignProtected directive, I'd be more comfortable turning
cosign on/off with the AuthType directive. If the server admin doesn't
want users doing this, then they specify "AllowOverride -AuthConfig".
This _does_ mean that the user can't use the "require" directive
in their .htaccess files anymore, though, which is undesirable.
Right now does CosignProtected trump AuthType in all cases? If so,
I guess this would be a valid reason for keeping CosignProtected
around but not usable in .htaccess files.
LS&A Information Technology