Posted to users@httpd.apache.org by Marc <ma...@trash-mail.com> on 2008/01/15 13:22:18 UTC

[users@httpd] Re: Apache ACL

Boyle Owen <Owen.Boyle <at> swx.com> writes:

> 
> The problem you describe has no obvious solution, so there must be
> additional config directives interfering with your setup. See notes
> below:  
> 
> > -----Original Message-----
> > From: news [mailto:news <at> ger.gmane.org] On Behalf Of Marc
> > Sent: Monday, January 14, 2008 4:46 PM
> > To: users <at> httpd.apache.org
> > Subject: [users <at> httpd] Apache ACL
> > 
> > Hello people, 
> > 
> > following issue:
> > 
> > Here is the directory layout
> > |-- dir1
> > |   |-- dir2
> > |   |   `-- dir3
> > 
> > In dir1 is a .htaccess:
> > 
> > <FilesMatch "\.php$">
> > Order Deny,Allow
> > Deny from all
> > </FilesMatch>
> > 
> > Directory dir3 contains an .htaccess with "Options +Indexes" 
> > and .gif-files only.
> > 
> > If I remove the .htaccess in dir1 the directory listing is displayed.
> 
> In which dir - dir3?

Yes.

> 
> > 
> > If I keep it, the .htaccess in dir3 seems to be ignored as 
> > Error 403 (Forbidden)
> > is returned.
> 
> From what URL?

Well, from http://server_name_of_virtual_host/dir1/dir2/dir3/

> What is in the error log for this request?

I guess now I see the problem:

[error] [client 88.xx.xx.xx.xx] client denied by server configuration:
/path/to/dir3/index.php

However, there is no index.php in that directory. Alone it being mentioned in
the DirectoryIndex seems to be enough for the access to be denied :-\ Strange
behavior.

regards,
Marc


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: Apache ACL

Posted by Christian Folini <ch...@post.ch>.
On Tue, Jan 15, 2008 at 03:44:11PM +0100, Boyle Owen wrote:
> That's a matter of opinion - I guess you are expecting it only to block
> the PHP file if it exists. But that would mean that apache would have to
> stat the file (ie, expensive file operation) even though it knows that
> it is going to deny access anyway. That seems pretty pointless in the
> general case so it just sends the 403 straight away, before it wastes
> time looking up the file.

I think it is also security relevant. If you would send a 403 on
an existing file and 404 on a non-existing one, an attacker could
use this behaviour to scan a site.

regs,

Christian





RE: [users@httpd] Re: Apache ACL

Posted by Boyle Owen <Ow...@swx.com>.
> -----Original Message-----
> From: news [mailto:news@ger.gmane.org] On Behalf Of Marc
> Sent: Tuesday, January 15, 2008 1:22 PM
> To: users@httpd.apache.org
> Subject: [users@httpd] Re: Apache ACL
> 
> Boyle Owen <Owen.Boyle <at> swx.com> writes:
> 
> > 
> > The problem you describe has no obvious solution, so there must be
> > additional config directives interfering with your setup. See notes
> > below:  
> > 
> 
> [error] [client 88.xx.xx.xx.xx] client denied by server configuration:
> /path/to/dir3/index.php
> 
> However, there is no index.php in that directory. Alone it being mentioned in
> the DirectoryIndex

Aha! that's the "additional config directives interfering with your
setup"... You didn't mention you had a DirectoryIndex directive
somewhere... 

What's happening is:

- Apache gets request for dir3
- DirectoryIndex tells it to look for index.php
- FilesMatch block matches index.php and so triggers a 403

> seems to be enough for the access to be denied :-\ Strange
> behavior.

That's a matter of opinion - I guess you are expecting it only to block
the PHP file if it exists. But that would mean that apache would have to
stat the file (ie, expensive file operation) even though it knows that
it is going to deny access anyway. That seems pretty pointless in the
general case so it just sends the 403 straight away, before it wastes
time looking up the file.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

> 
> regards,
> Marc
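
The interaction worked out in this thread, as an added configuration sketch that is not from any of the posters. The server-level DirectoryIndex value and the adjusted dir3 override are assumptions; the thread only says that index.php is named in a DirectoryIndex somewhere.

```apache
# --- server or virtual host config (assumed value) ---
DirectoryIndex index.html index.php

# --- dir1/.htaccess (as posted in the thread) ---
<FilesMatch "\.php$">
    Order Deny,Allow
    Deny from all
</FilesMatch>

# --- dir1/dir2/dir3/.htaccess (as described in the thread) ---
Options +Indexes

# Request: GET /dir1/dir2/dir3/
#   1. mod_dir tries each DirectoryIndex name as a subrequest.
#   2. index.html: not found, so the next name is tried.
#   3. index.php: the FilesMatch block inherited from dir1 matches the
#      name, so the subrequest is denied (403, "client denied by server
#      configuration" in the error log).
#   4. mod_dir returns that 403 instead of handing the request to
#      mod_autoindex, so "Options +Indexes" never produces a listing.

# --- dir1/dir2/dir3/.htaccess (one possible adjustment, assumed) ---
# Requires AllowOverride to permit Options and Indexes for this directory.
Options +Indexes
# Replace the inherited index list so index.php is not probed in dir3.
DirectoryIndex index.html
# Apache 2.4 also accepts "DirectoryIndex disabled" for the same purpose.

# Direct requests for any *.php under dir1 are still denied by the
# FilesMatch block; only the index lookup in dir3 changes.
```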