Posted to apache-bugdb@apache.org by Stephen Fitzgerald <sj...@twpo.com.au> on 1997/03/18 04:50:03 UTC

config/239: Directory config inconsistent

	The contract type is `' with a response time of 3 business hours.
	A first analysis should be sent before: Tue Mar 18 11:00:00 PST 1997


>Number:         239
>Category:       config
>Synopsis:       Directory config inconsistent
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Mar 17 19:50:00 1997
>Originator:     sjf@twpo.com.au
>Organization:
apache
>Release:        1.2b7
>Environment:
Linux 3.0.3, kernel 2.0.18, gcc 2.7.2

Netscape 3.0.1 Gold
>Description:
I have a number of directories I need to protect. 1 protection configuration 
works and the others do not.

The following configuration works as expected - only users with
password in .htpasswd file can access the directory.

# directory secured with .htaccess within directory                             
<Directory /home/httpd/html/prot>
        Options Indexes FollowSymlinks
        AllowOverride AuthConfig
        AuthUserFile /etc/httpd/conf/.htpasswd
        AuthGroupFile /etc/httpd/conf/.htgroup
        AuthName Password
        AuthType Basic
        require group all-the-users
        <Limit GET PUT POST>
                order deny,allow
                deny from all
                allow from twpo.com.au, defence.gov.au
        </Limit>
</Directory>

The following protection config does not work.

<Directory /home/httpd/html/SLF/weekly-files/pp>                       
        Options Indexes FollowSymlinks
        AllowOverride All
        AuthUserFile /etc/httpd/conf/.slf-man-pp
        AuthGroupFile /etc/httpd/conf/.slf-managers
        AuthName Password
        AuthType Basic
        require group all-the-managers
        <Limit GET PUT POST>
                order deny,allow
                deny from all
                allow from twpo.com.au, defence.gov.au
        </Limit>

</Directory>       

The only difference I can determine is that the second one is not in 
the root of the server - however a move to root does not fix it. 

The error log does not report anything, an incorrect passwd however is
reported. The user puts in passwd after user name and gets an 
"Authorisation Failed - Retry?" message.

I have tried just about all different configs, using Files, Location but
all fail.

Any help appreciated
>How-To-Repeat:
www.twpo.com.au/prot/times.html    - works OK
www.twpo.com.au/SLF/weekly-files/pp/p1_02pp.html  - fails

I will create a user apache, passwd apache

>Fix:
I wish I did!
>Audit-Trail:
>Unformatted:



Re: config/239: Directory config inconsistent

Posted by Dean Gaudet <dg...@arctic.org>.
Just to be sure, I'll ask the obvious questions... you have put the proper
accounts into .slf-man-pp and .slf-managers?

Are there any .htaccess files in the second directory tree?  (Are there any
in the first?)

BTW we can't test those links because of the domain restriction.  I get
a 403 for the first and a 404 for the second.

Dean

On Mon, 17 Mar 1997, Stephen Fitzgerald wrote:

> 
> 	The contract type is `' with a response time of 3 business hours.
> 	A first analysis should be sent before: Tue Mar 18 11:00:00 PST 1997
> 
> 
> >Number:         239
> >Category:       config
> >Synopsis:       Directory config inconsistent
> >Confidential:   no
> >Severity:       critical
> >Priority:       medium
> >Responsible:    apache (Apache HTTP Project)
> >State:          open
> >Class:          sw-bug
> >Submitter-Id:   apache
> >Arrival-Date:   Mon Mar 17 19:50:00 1997
> >Originator:     sjf@twpo.com.au
> >Organization:
> apache
> >Release:        1.2b7
> >Environment:
> Linux 3.0.3, kernel 2.0.18, gcc 2.7.2
> 
> Netscape 3.0.1 Gold
> >Description:
> I have a number of directories I need to protect. 1 protection configuration 
> works and the others do not.
> 
> The following configuration works as expected - only users with
> password in .htpasswd file can access the directory.
> 
> # directory secured with .htaccess within directory                             
> <Directory /home/httpd/html/prot>
>         Options Indexes FollowSymlinks
>         AllowOverride AuthConfig
>         AuthUserFile /etc/httpd/conf/.htpasswd
>         AuthGroupFile /etc/httpd/conf/.htgroup
>         AuthName Password
>         AuthType Basic
>         require group all-the-users
>         <Limit GET PUT POST>
>                 order deny,allow
>                 deny from all
>                 allow from twpo.com.au, defence.gov.au
>         </Limit>
> </Directory>
> 
> The following protection config does not work.
> 
> <Directory /home/httpd/html/SLF/weekly-files/pp>                       
>         Options Indexes FollowSymlinks
>         AllowOverride All
>         AuthUserFile /etc/httpd/conf/.slf-man-pp
>         AuthGroupFile /etc/httpd/conf/.slf-managers
>         AuthName Password
>         AuthType Basic
>         require group all-the-managers
>         <Limit GET PUT POST>
>                 order deny,allow
>                 deny from all
>                 allow from twpo.com.au, defence.gov.au
>         </Limit>
> 
> </Directory>       
> 
> The only difference I can determine is that the second one is not in 
> the root of the server - however a move to root does not fix it. 
> 
> The error log does not report anything, an incorrect passwd however is
> reported. The user puts in passwd after user name and gets an 
> "Authorisation Failed - Retry?" message.
> 
> I have tried just about all different configs, using Files, Location but
> all fail.
> 
> Any help appreciated
> >How-To-Repeat:
> www.twpo.com.au/prot/times.html    - works OK
> www.twpo.com.au/SLF/weekly-files/pp/p1_02pp.html  - fails
> 
> I will create a user apache, passwd apache
> 
> >Fix:
> I wish I did!
> >Audit-Trail:
> >Unformatted:
> 
> 
>
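
The two checks asked about in the reply above, written out as an added example (not part of the original thread and not Apache's own code): it verifies that the group named in `require group` exists in the AuthGroupFile and that every member has an entry in the AuthUserFile, and it lists `.htaccess` files under a directory tree. The function names and the sample accounts are constructed for illustration.

```python
import os

def parse_group_file(text):
    """AuthGroupFile lines look like 'groupname: user1 user2 ...'."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, members = line.split(":", 1)
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups

def parse_user_file(text):
    """AuthUserFile lines look like 'username:password-hash'."""
    return {line.split(":", 1)[0].strip() for line in text.splitlines()
            if ":" in line and not line.lstrip().startswith("#")}

def check_group_auth(required_group, group_text, user_text):
    """Return findings for 'require group <required_group>'; [] means consistent."""
    groups = parse_group_file(group_text)
    if required_group not in groups:
        return ["group %r is not defined in the group file" % required_group]
    members = groups[required_group]
    if not members:
        return ["group %r has no members" % required_group]
    missing = sorted(members - parse_user_file(user_text))
    return ["group member %r has no password entry" % u for u in missing]

def find_htaccess(root):
    """List .htaccess files under root; AllowOverride lets them change auth settings."""
    return sorted(os.path.join(d, f)
                  for d, _dirs, files in os.walk(root)
                  for f in files if f == ".htaccess")

# Constructed sample contents (accounts and hashes are placeholders, not from the report).
GROUP_TEXT = "all-the-users: alice bob\nall-the-managers: carol dave\n"
USER_TEXT = "alice:HASH1\nbob:HASH2\ncarol:HASH3\n"

if __name__ == "__main__":
    for group in ("all-the-users", "all-the-managers", "managers"):
        print(group, "->", check_group_auth(group, GROUP_TEXT, USER_TEXT) or "ok")
    print(find_htaccess("."))
```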