Posted to users@httpd.apache.org by Bill Moseley <mo...@hank.org> on 2005/06/07 08:33:30 UTC

[users@httpd] Why sub-requests for /?

Apache 2.0.54-4 on Debian Sid.

I have a setup with the document root with no access, but then I allow
access to individual subdirectories (normally via basic auth).

Say foo is one of those sub-directories and DocRoot is
/var/lib/projects.

So a request for:

    GET http://bumby:88/foo/env.cgi/other/foo

results in this message in the error log:

    [error] .. client denied by server configuration: /var/lib/projects/other

If I enable access to the doc root then this error doesn't show up.
It's interesting that only the first extra path segment is used
("other", but not that last "foo").

Can someone explain this behavior?


Here's my complete httpd.conf file:

    ServerRoot /etc/apache2
    User www-data
    Group www-data
    Listen 88
    PidFile /var/run/apache2.pid
    ErrorLog /var/log/apache2/error.log
    TypesConfig /etc/mime.types
    ServerName bumby

    LoadModule cgi_module /usr/lib/apache2/modules/mod_cgi.so

    # Restrictive by default
    <Directory />
        Options None
        AllowOverride None
        Deny from all
    </Directory>


    DocumentRoot /var/lib/projects

    <Directory /var/lib/projects>
        # Uncomment below and error does not show up
        #Allow from all

        <files env.cgi>
            SetHandler cgi-script
            Options +ExecCGI
        </files>
    </Directory>

    <Directory /var/lib/projects/foo>
        Allow from all
    </Directory>





-- 
Bill Moseley
moseley@hank.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Why sub-requests for /?

Posted by Bill Moseley <mo...@hank.org>.
On Tue, Jun 07, 2005 at 09:07:14AM +0200, André Malo wrote:

> >     GET http://bumby:88/foo/env.cgi/other/foo
> > 
> > results in this message in the error log:
> > 
> >     [error] .. client denied by server configuration: /var/lib/projects/other
> > 
> > If I enable access to the doc root then this error doesn't show up.
> > It's interesting that only the first extra path segment is used
> > ("other", but not that last "foo").
> > 
> 
> That's probably the subrequest lookup needed to build the PATH_TRANSLATED variable.

Ok, interesting.  I guess I need to try modifying mod_cgi.c.

My question now is if my unusual configuration, with DocumentRoot
being Deny from all, but sub-dirs of DocumentRoot as Allow from all is
a reasonable configuration.  That is, should mod_cgi be taking this
possibility into consideration (or maybe ap_sub_req_lookup_uri() is not
the right API or needs to disable logging or some such thing).

That is, what's the next step?

  - accept this as a problem in my configuration (which I don't
  think it is).

  - file a bug report

  - ask on dev@apache first?

-- 
Bill Moseley
moseley@hank.org




Re: [users@httpd] Why sub-requests for /?

Posted by André Malo <nd...@perlig.de>.
* Bill Moseley <mo...@hank.org> wrote:

> I have a setup with the document root with no access, but then I allow
> access to individual subdirectories (normally via basic auth).
> 
> Say foo is one of those sub-directories and DocRoot is
> /var/lib/projects.
> 
> So a request for:
> 
>     GET http://bumby:88/foo/env.cgi/other/foo
> 
> results in this message in the error log:
> 
>     [error] .. client denied by server configuration: /var/lib/projects/other
> 
> If I enable access to the doc root then this error doesn't show up.
> It's interesting that only the first extra path segment is used
> ("other", but not that last "foo").
> 
> Can someone explain this behavior?

That's probably the subrequest lookup needed to build the PATH_TRANSLATED variable.

nd

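
A simplified model of the behaviour discussed in this thread, added here as an example and not taken from the posts or from httpd's source: the main request maps to `foo/env.cgi` with PATH_INFO `/other/foo`, and the PATH_TRANSLATED subrequest then maps that PATH_INFO against the DocumentRoot, where it falls under the `<Directory />` deny. The filesystem layout (no `other` directory under the DocumentRoot) and all function names are assumptions.

```python
# Simplified model (an assumption, not httpd source) of the two lookups made
# for GET /foo/env.cgi/other/foo under the httpd.conf posted in the thread.
import posixpath

DOCROOT = "/var/lib/projects"

# <Directory> sections from the posted config that carry Allow/Deny.
# /var/lib/projects has none while "Allow from all" stays commented out.
ACCESS = {
    "/": "deny",
    "/var/lib/projects/foo": "allow",
}

# Constructed filesystem (not listed in the thread): only these directories
# exist. env.cgi is a regular file and "other" is assumed to be absent.
DIRS = {"/", "/var", "/var/lib", DOCROOT, DOCROOT + "/foo"}


def map_uri(uri):
    """Return (filename, path_info): the walk stops at the first component
    that is not a directory (a regular file or a missing entry)."""
    path = DOCROOT
    parts = [p for p in uri.split("/") if p]
    for i, part in enumerate(parts):
        path = posixpath.join(path, part)
        if path not in DIRS:
            rest = parts[i + 1:]
            return path, ("/" + "/".join(rest) if rest else "")
    return path, ""


def access(filename, rules=ACCESS):
    """The most specific section with Allow/Deny containing filename decides."""
    matches = [d for d in rules
               if filename == d or filename.startswith(d.rstrip("/") + "/")]
    return rules[max(matches, key=len)]


def handle(uri, rules=ACCESS):
    """Return the error-log lines the request and its subrequest produce."""
    filename, path_info = map_uri(uri)
    if access(filename, rules) == "deny":
        return ["client denied by server configuration: " + filename]
    log = []
    if path_info:  # CGI environment: PATH_INFO is looked up as its own URI
        sub_file, _ = map_uri(path_info)
        if access(sub_file, rules) == "deny":
            log.append("client denied by server configuration: " + sub_file)
    return log
```

Passing `dict(ACCESS, **{DOCROOT: "allow"})` as `rules` models the uncommented `Allow from all` in the DocumentRoot section, and the subrequest's log line disappears.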