Posted to dev@httpd.apache.org by Rob Hartill <ha...@lanl.gov> on 1996/06/25 23:09:43 UTC

[Fwd: Apache (?and others) access control gotcha]

I've just stumbled across a security gotcha in Apache 1.03, which I
suspect probably affects other NCSA derived Web servers.

Briefly, the security policy established in the 

<Directory /server/root/directory>
	...
</Directory>

section of access_conf does *not* control security over individual
user's public html spaces, and neither does any section

<Directory /home/username/public_html>
	...
</Directory>

In other words, as far as I can see you can't control access to
individual user's public html spaces from the global access_conf file
(you can of course control it with .htaccess files in their space).

This isn't precisely a bug, but it's an undocumented feature which I
find counter-intuitive. You may wish to check whether users' space on
your server is as secure as you expect it to be (directory indexes,
for example?).

-- 
------- simon@galloway.co.uk (Simon Brooke) http://www.galloway.co.uk/~simon
Ye hypocrites! are these your pranks? To murder men and give God thanks?
Desist, for shame! Proceed no further: God won't accept your thanks for murther
			-- Roburt Burns, 'Thanksgiving For a National Victory'


Re: [Fwd: Apache (?and others) access control gotcha]

Posted by Alexei Kosut <ak...@organic.com>.
On Tue, 25 Jun 1996, Rob Hartill wrote:

> In other words, as far as I can see you can't control access to
> individual user's public html spaces from the global access_conf file
> (you can of course control it with .htaccess files in their space).

Baloney. You can, and I have. My bet is he's screwed something up.
Sometimes Unix systems are set up with different ways to access a home
directory (/home, /users, whatever), and the one listed in <Directory>
needs to be, of course, the one Apache thinks it's using; if you put
<Directory /home/akosut> and Apache has translated ~akosut to
/users/akosut, that section doesn't mean a thing.

*shrug*

-- Alexei Kosut <ak...@organic.com>            The Apache HTTP Server 
   http://www.nueva.pvt.k12.ca.us/~akosut/      http://www.apache.org/
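The two messages above describe one check an administrator can make: take the path Apache actually produces for /~user/ (home directory from the passwd file, plus the UserDir name) and see which global <Directory> sections cover it. The Python below is an added illustration of that check, not code from the thread or from Apache; the passwd entries, the section paths and the config file name are constructed for the example, and the matching is a simplified model of Apache's per-directory prefix matching (wildcards are matched per path component here, and '*' and '?' are accepted as the <Directory> directive documents).

```python
import fnmatch
import posixpath

# Constructed passwd-style map (login -> home directory). Apache 1.x took
# the home directory from getpwnam(), so this is the value that matters,
# not whatever name the admin usually types for the directory.
PASSWD_HOME = {
    "akosut": "/users/akosut",   # on this box /home is a symlink to /users
    "simon": "/home/simon",
}

# Constructed stand-in for the <Directory ...> paths in access.conf, in file
# order. Later matching sections override earlier ones, as in Apache.
ACCESS_CONF_SECTIONS = [
    "/usr/local/etc/httpd/htdocs",   # covers the server's own DocumentRoot only
    "/home/akosut/public_html",      # what the admin wrote for ~akosut ...
    "/users/*/public_html",          # ... what matches after translation
]


def translate_userdir(uri, userdir="public_html", passwd=PASSWD_HOME):
    """Model of Apache's UserDir translation: /~user/rest becomes
    <home from passwd>/<UserDir>/rest. Returns None for non-~user URIs
    and for unknown users."""
    if not uri.startswith("/~"):
        return None
    user, _, tail = uri[2:].partition("/")
    home = passwd.get(user)
    if home is None:
        return None
    return posixpath.join(home, userdir, tail) if tail else posixpath.join(home, userdir)


def directory_applies(section_path, filename):
    """Does <Directory section_path> govern filename? A section applies when
    each of its components matches the corresponding leading component of
    the translated filename (simplified model of Apache's directory walk)."""
    want = [c for c in section_path.split("/") if c]
    have = [c for c in filename.split("/") if c]
    if len(want) > len(have):
        return False
    return all(fnmatch.fnmatchcase(h, w) for w, h in zip(want, have))


def effective_sections(sections, filename):
    """All sections that apply to filename, in config order."""
    return [s for s in sections if directory_applies(s, filename)]


def check_user_coverage(user, sections, passwd=PASSWD_HOME):
    """The check from the thread: translate /~user/ the way Apache would and
    report which global <Directory> sections actually cover that space.
    An empty list means only .htaccess files in the user's space apply."""
    filename = translate_userdir("/~%s/" % user, passwd=passwd)
    if filename is None:
        return None, []
    return filename, effective_sections(sections, filename)


if __name__ == "__main__":
    for login in PASSWD_HOME:
        path, hits = check_user_coverage(login, ACCESS_CONF_SECTIONS)
        print("~%s -> %s: %s" % (login, path,
              hits or "NO global section applies (only .htaccess)"))
```

Run as-is, it shows the mismatch Alexei describes: the section written as /home/akosut/public_html never matches because Apache resolves ~akosut to /users/akosut, while the wildcard section does; and ~simon, whose home really is under /home, is covered by nothing in the global file, which is the situation the forwarded message reports.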