Posted to users@httpd.apache.org by Justin Booth <ro...@insaneprogramming.com> on 2003/12/13 03:24:11 UTC
[users@httpd] Satisfy Any -> problem with file level access ??
Hey all,
I think I found a bug that involves "satisfy any". According to the
documentation satisfy is supposed to deal with username/password and client
address, but I found that when I use a "satisfy any" in an .htaccess, all
my File and Directory tags are overridden.
For example:
In my httpd.conf I have directives that specify files that should not be
able to be retrieved from my server:
<Files ~ "\.(inc)$">
Order allow,deny
deny from all
</Files>
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>
Then in an .htaccess I have:
<Limit GET POST>
order deny,allow
deny from all
allow from 10.0.0.100
require valid-user
</Limit>
Satisfy Any
The problem is that the satisfy any overrides the <File> tags... making
it so that any person with either credentials can pull all *.inc
files and .htaccess files through the web. The way the documentation is
written, it sounds like the "Satisfy Any" only deals with username/password
and ip addresses but not the File access levels.
Can someone explain to me how I configure a satisfy any scenario where I can
authenticate via ip or username and still be able to deny *.inc's and
.htaccess files.
Thanks in advance,
Justin
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
To unsubscribe from the digest, e-mail: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Satisfy Any -> problem with file level access ??
Posted by Joshua Slive <jo...@slive.ca>.
On Sun, 14 Dec 2003, Joshua Slive wrote:
> I don't know of any easy solution for this. A not-so-bad solution would be
>
> RewriteEngine On
> RewriteRule \.ht - [F]
Hmmm... That would hit file.html as well. Better try
RewriteRule ^\.ht - [F]
Joshua.
Re: [users@httpd] Satisfy Any -> problem with file level access ??
Posted by Joshua Slive <jo...@slive.ca>.
On Fri, 12 Dec 2003, Justin Booth wrote:
> Hey all,
> I think I found a bug that involves "satisfy any". According to the
> documentation satisfy is supposed to deal with username/password and client
> address, but I found that when I use a "satisfy any" in an .htaccess , all
> my File and Directory tags are overridden.
> <Limit GET POST>
Don't use <Limit>. See the docs on <Limit> for more details.
> The problem comes is that the satisfy any overrides the <File> tags... and
> making it so that any person with either credentials can pull all *.inc
> files and .htaccess files through the web. The way the documentation is
> written, it sounds like the "Satisfy Any" only deals with username/password
> and ip addresses but not the File access levels.
The documentation is correct, though you are right that this situation is
suboptimal. The fact is, "Deny from all" is a type of host-based access
control. It just happens to apply to "all" hosts. So when you use
"Satisfy any", the user-auth can override the host-based access controls
and allow access.
I don't know of any easy solution for this. A not-so-bad solution would be
RewriteEngine On
RewriteRule \.ht - [F]
Since mod_rewrite works completely outside the usual auth/access system,
this should not be affected by Satisfy.
Joshua.
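The configuration below is an added example, not part of the thread and not
taken from Apache's own documentation. It puts the hardened .htaccess that
Joshua's advice implies next to the host-based rules that Satisfy Any can
override, with the <Limit> block dropped as he recommends. The paths
(/var/www/html, /etc/httpd/.htpasswd) and the AuthName are assumed; the
10.0.0.100 address is the one from the original post. One caveat worth
knowing: in .htaccess (per-directory) context mod_rewrite matches the pattern
against the path relative to that directory, so a bare ^\.ht catches only
dotfiles sitting directly in that directory. The (^|/) prefix used below also
covers subdirectories; the same rule placed in httpd.conf would need a leading
slash instead, because the full URL path is matched there.

```apache
# --- httpd.conf (server context); directory and paths are assumed ---
<Directory "/var/www/html">
    # .htaccess must be allowed to set auth, host-access and rewrite directives
    AllowOverride AuthConfig Limit FileInfo
    # mod_rewrite in per-directory (.htaccess) context requires FollowSymLinks
    # or SymLinksIfOwnerMatch
    Options FollowSymLinks
</Directory>

# --- /var/www/html/.htaccess ---
AuthType Basic
AuthName "Restricted area"
AuthUserFile /etc/httpd/.htpasswd

# Host-based access control. "Deny from all" is itself a host rule, so under
# "Satisfy Any" a valid username/password is enough to override it; this is
# the behaviour described in the thread, and it is intended for the normal
# files in this tree.
Order deny,allow
Deny from all
Allow from 10.0.0.100
Require valid-user
Satisfy Any

# mod_rewrite runs before the access and auth phases and is not subject to
# Satisfy, so these rules return 403 for everyone, authenticated or not.
RewriteEngine On
# Pattern is relative to this directory in .htaccess context; (^|/) also
# catches .htaccess / .htpasswd files in subdirectories.
RewriteRule (^|/)\.ht - [F]
# Block include files regardless of case.
RewriteRule \.inc$ - [F,NC]
```

To check the result, request /.htaccess and /somefile.inc both anonymously
and with a valid login: all four requests should get 403, while an ordinary
page in the tree should be served to 10.0.0.100 without credentials and to
any other address only after a successful login.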