Using .htaccess Files with Apache Page 5
As shown above, the AllowOverride directive takes a whitespace-separated list of category names as its argument.
By allowing the use of .htaccess files in user (or customer or client) directories, you're essentially extending a bit of your Webmaster privileges to anyone who can edit those files. So if you choose to do this, you should consider occasionally performing an audit to make sure the files are appropriately protected -- and, if you're really ambitious, that they contain only settings of which you approve.
Because of the very coarse granularity of the possible override categories, it's quite possible that by granting a user the ability to override one set of directives you're inadvertently delegating more power than you anticipate. For instance, you might want to include a " directive for user directories so that individuals can use the AddType directive to label documents with MIME types that aren't in the server-wide list -- but were you aware when you did this that you were also giving them access to the Rewrite* directives as well? Directives are associated with override categories on a per-module basis, so tracking down what's permitted by allowing a particular category of override can be a tedious process.
The ultimate answer to what directives are in which categories is the source code. If you really want to know, examine the source for the following strings:
(See the previous section for a description of what the different override categories mean.)
As you can see, with the exception of the AuthConfig/AUTHCFG keywords, the source keywords are identical to the directive keywords. This is convenient!
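The audit recommended above can be scripted. The following is an added example, not code from the article: it extracts the directive names used in a constructed .htaccess sample and flags those outside an administrator-chosen allowlist (the APPROVED set is a hypothetical policy, not one the article prescribes), so a Rewrite* directive that slipped in under the same override category as AddType shows up in the report.

```python
"""Audit .htaccess files for directives outside an approved allowlist."""
import os
import re

# Constructed sample of a user's .htaccess. The Rewrite* lines are the kind
# of thing the override that permits AddType also lets through.
SAMPLE_HTACCESS = """\
# label documents with a MIME type missing from the server-wide list
AddType application/x-foo .foo
RewriteEngine On
RewriteRule ^old/(.*)$ /new/$1 [R=301,L]
<IfModule mod_headers.c>
    Header set X-Sample "constructed"
</IfModule>
"""

# Hypothetical policy: the directives this administrator tolerates.
APPROVED = {"AddType", "AddHandler", "ErrorDocument"}

# A directive line starts with its name; a container line with "<Name ...>".
_DIRECTIVE_RE = re.compile(r"^<?([A-Za-z][A-Za-z0-9_]*)")


def parse_directives(text):
    """Return the directive names used in an .htaccess body, in order.

    Comments and blank lines are skipped. Container tags such as <IfModule>
    contribute their tag name; closing tags are ignored.
    """
    names = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("</"):
            continue
        match = _DIRECTIVE_RE.match(stripped)
        if match:
            names.append(match.group(1))
    return names


def audit(text, approved):
    """Return directive names not in `approved` (Apache names are case-insensitive)."""
    allowed = {name.lower() for name in approved}
    return [d for d in parse_directives(text) if d.lower() not in allowed]


def audit_tree(root, approved):
    """Walk `root` and map each .htaccess path to its unapproved directives."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                unapproved = audit(fh.read(), approved)
            if unapproved:
                findings[path] = unapproved
    return findings
```

Run audit_tree() against the directory you export with UserDir (or any tree where overrides are enabled) and review every path it reports; an empty result means every .htaccess found used only allowlisted directives.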
.htaccess files, consider the advantages and disadvantages. On servers I run myself, with no users, I tend to use .htaccess files for testing and debugging, and when I have a configuration I like, I move the directives into a container in the httpd.conf file and delete the .htaccess file. For this reason, I have overrides enabled just about everywhere. This allows me to balance the convenience of .htaccess files against their performance impact.
On some of my servers I have some user accounts for people I know and trust, and in those environments I'm more cautious and don't allow all overrides globally. I do tend to allow whatever overrides my friends need for their own directories, though.
And in some cases I have real 'user' accounts, for people I do not know as well -- and on those servers AllowOverride None is the rule. I .htaccess files in their private directories, but I carefully audit the possible effects before granting an override category.