----- "PENIN Guillaume (SNCF Voyages/Direction des Operations SI)" <Guillaume.PENIN@xxxxxxx> wrote:

> Hi,
>
> Many of our application teams ask us to mount the Apache DocumentRoot
> FileSystem in Read-only mode for security reasons. In your opinion,
> does this have any kind of interest?

Mounting the FS read-only might become inconvenient.
But you definitely should not allow the webserver user to have
write access to the documentroot.

That is, unless your application requires uploads. Then it should
happen in a controlled directory. i.e.: One that doesn't have CGI
or anything else executable (Options None, SetHandler none),
no .htaccess allowed (AllowOverride None).

> Regards,
>
> Guillaume PENIN

i

--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@xxxxxxxxxxxxxx
URL: http://brainsware.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
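
An added example, not part of the original message or the Apache project: a POSIX shell check for the advice in the reply above. It lists paths under a DocumentRoot that the web server account can modify according to mode bits, skipping the one designated upload directory. The account, group and paths are assumptions supplied by the caller.

```sh
#!/bin/sh
# Added example: audit a DocumentRoot for paths the web server account can
# modify. Only classic mode bits are evaluated; ACLs, supplementary groups
# and mount options are not considered.
#
# usage: audit_docroot DOCROOT USER GROUP [UPLOAD_DIR]
#   USER, GROUP : account httpd runs as (name or numeric id), caller-supplied
#   UPLOAD_DIR  : the single directory allowed to stay writable; it is
#                 skipped (the value is used as a find -path pattern)
audit_docroot() {
    root=$1 user=$2 group=$3 upload=${4:-}

    # Flag anything that is not a symlink and is writable by the owner
    # (when owned by USER), by the group (when owned by GROUP), or by
    # everyone. Octal masks: 200 = u+w, 020 = g+w, 002 = o+w.
    set -- ! -type l \( \
        \( -user "$user" -perm -200 \) -o \
        \( -group "$group" -perm -020 \) -o \
        -perm -002 \
    \) -print

    # Do not descend into the controlled upload directory, if one is given.
    if [ -n "$upload" ]; then
        set -- -path "$upload" -prune -o "$@"
    fi

    find "$root" "$@"
}
```

Any path printed outside the upload directory is a place where a compromised web application could plant or alter content that the server will then serve or execute.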