Posted to bugs@httpd.apache.org by bu...@apache.org on 2007/03/21 04:29:02 UTC

DO NOT REPLY [Bug 41911] New: - SSLRequire does not restrict access to subdirectory under dav

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41911>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41911

           Summary: SSLRequire does not restrict access to subdirectory
                    under dav
           Product: Apache httpd-2
           Version: 2.2.4
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: seth@psydpu.adsl.dk


<Directory /srv/www/html/dir>
    Order allow,deny
    Allow from all
    <IfModule mod_ssl.c>
        DAV on
        SSLOptions +StrictRequire
        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLRequire %{SSL_CLIENT_S_DN_C} eq "DE"
    </IfModule>
</Directory>

<Directory /srv/www/html/dir/subdir>
    Order allow,deny
    Allow from all
    <IfModule mod_ssl.c>
        DAV on
        SSLOptions +StrictRequire
        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLRequire %{SSL_CLIENT_S_DN_C} eq "DK"
    </IfModule>
</Directory>

1. Using webdavs to access /dir

2. Using a DE certificate, it is possible to get access to /dir
where dir/subdir is also shown.  Under webdavs, it is also possible
to get access to /dir/subdir.  Is that "expected" behaviour?

3. After getting access to /dir/subdir, where it is possible to see
the files in /dir/subdir, attempts to access
subdirectories /dir/subdir/subsubdir are rejected (according to the
error message in the log file, because the "Requirement expression not
fulfilled") (as it should).

4. If one attempts to access the /dir/subdir directory (via URL, either via https:
or webdavs:), then it is rejected with the "Requirement expression not
fulfilled" (as it should).

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


DO NOT REPLY [Bug 41911] - SSLRequire does not restrict access to subdirectory under dav






------- Additional Comments From basant.kukreja@sun.com  2007-03-26 18:07 -------
Yes, if I access /test/subdir using the "DE" client certificate, I get 403.

-------------------------------------------
[/disk/apache/apache2] $ curl --cacert ./certs/rootcert.pem  -E
certs/client2.pem:password --dump-header - -o -
https://lbasantk3.red.iplanet.com:4005/test/subdir/
HTTP/1.1 403 Forbidden
Date: Tue, 27 Mar 2007 00:39:18 GMT
Server: Apache/2.2.5-dev (Unix) mod_ssl/2.2.5-dev OpenSSL/0.9.8a DAV/2
Content-Length: 214
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /test/subdir/
on this server.</p>
</body></html>
-------------------------------------------

In the error log, I see
[Mon Mar 26 17:39:18 2007] [info] Failed expression: %{SSL_CLIENT_S_DN_C} eq "US"
[Mon Mar 26 17:39:18 2007] [error] [client 192.18.120.216] access to
/disk/apache/apache2/htdocs/test/subdir/ failed, reason: SSL requirement
expression not fulfilled (see SSL logfile for more details)

Probably a regular expression can help you, e.g.

<Directory ~ "/disk/apache/apache2/htdocs/test$">
...
      SSLRequire       %{SSL_CLIENT_S_DN_C} eq "US"
</Directory>


I believe you certainly can write a special module which can be used to check
the URI and make such requirements.


>Maybe it should be an 
>enhancement request to allow the possibility to turn off or override 
>the "directory cascade" ?
Turning off the "directory cascade" is not intuitive and may be considered a
big security hole. Unix OS provides a file system and doesn't provide any way
to set this to off (afaik).

Also I believe you can achieve your target by redesigning the
files/directories and placing various constraints, e.g.
/test : provide a constraint like %{SSL_CLIENT_S_DN_C} eq "US" or eq "DE"
/test/files_US : accessible by clients with %{SSL_CLIENT_S_DN_C} eq "US"
/test/files_DE : accessible by clients with %{SSL_CLIENT_S_DN_C} eq "DE"

Should we close this bug as "Invalid"?


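The "directory cascade" discussed in the comment above, modelled as an added example (not code from this thread or from httpd): the SSLRequire lines of every enclosing `<Directory>` are collected and all of them must hold, which is why the reported US/DE layout locks every client out of /test/subdir while the suggested per-country layout works. The paths and country codes are taken from the thread; the use of mod_ssl's `in {...}` operator for the parent directory is my assumption, and only the %{SSL_CLIENT_S_DN_C} check is modelled.

```python
from typing import Callable, Dict, List, Set

# Constructed model: one Requirement stands for one SSLRequire line, reduced
# to a test on the client certificate's country (%{SSL_CLIENT_S_DN_C}).
Requirement = Callable[[str], bool]
Config = Dict[str, List[Requirement]]  # <Directory path> -> its SSLRequire lines

def country_eq(code: str) -> Requirement:
    """Stands for:  SSLRequire %{SSL_CLIENT_S_DN_C} eq "<code>" """
    return lambda country: country == code

def country_in(codes: Set[str]) -> Requirement:
    """Stands for:  SSLRequire %{SSL_CLIENT_S_DN_C} in {"US", "DE"} (assumed form)"""
    return lambda country: country in codes

def applicable_requirements(config: Config, path: str) -> List[Requirement]:
    """Collect the SSLRequire lines of every <Directory> that encloses `path`.

    This is the directory cascade: httpd merges parent and child requirement
    lists, so a request has to satisfy all of them; a child can only tighten.
    """
    reqs: List[Requirement] = []
    for directory, lines in config.items():
        if path == directory or path.startswith(directory.rstrip("/") + "/"):
            reqs.extend(lines)
    return reqs

def access_allowed(config: Config, path: str, client_country: str) -> bool:
    return all(req(client_country) for req in applicable_requirements(config, path))

def reachable_by(config: Config, path: str, countries: Set[str]) -> Set[str]:
    """Which of the given certificate countries can reach `path` at all."""
    return {c for c in countries if access_allowed(config, path, c)}

# Layout from the bug report: the parent wants "US", the subdirectory "DE".
REPORTED: Config = {
    "/test": [country_eq("US")],
    "/test/subdir": [country_eq("DE")],
}

# Layout suggested in the reply: the parent admits both countries and each
# per-country subdirectory tightens the rule further.
SUGGESTED: Config = {
    "/test": [country_in({"US", "DE"})],
    "/test/files_US": [country_eq("US")],
    "/test/files_DE": [country_eq("DE")],
}
```

With the reported layout no certificate satisfies both `eq "US"` and `eq "DE"`, so /test/subdir is unreachable for everyone; the suggested layout keeps each subdirectory reachable by exactly one country.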

DO NOT REPLY [Bug 41911] - SSLRequire does not restrict access to subdirectory under dav



jorton@redhat.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |RESOLVED
         Resolution|                            |INVALID




------- Additional Comments From jorton@redhat.com  2007-03-27 01:57 -------
Yes, thanks a lot for the detailed analysis on this.



DO NOT REPLY [Bug 41911] - SSLRequire does not restrict access to subdirectory under dav






------- Additional Comments From seth@psydpu.adsl.dk  2007-03-26 16:50 -------
Thank you for your detailed analysis.  

I am using Konqueror 3.5.6  (from KDE) as client, where it is possible
to use webdavs:// or https:// as a URL.

I was not able to reproduce the problem today. I suspect/believe the 
explanation is that the certificates were being cached by Konqueror.
I had suspected this problem, before submitting my report, and therefore
tried both to restart the server and open a "new" Konqueror.  However, I 
believe that I did not close ALL the open Konqueror clients, and that seems to
be the source of the problem I reported.  (I more or less repeated such an 
experiment today -- that is, I could reproduce the problem that I reported, but 
I now understand that the problem is with the client and not Apache).

While you have your test set up, I would like to ask a related question.  In
your first setup, if you (a) try to access /test/subdir with (b) a 'DE
certificate', then (c) you will see that it is *impossible* because

 [info] Access to /disk/apache/apache2/htdocs/test/subdir/ for 123.456.789.123
(requirement expression not fulfilled)
 [info] Failed expression: %{SSL_CLIENT_S_DN_C} eq "US"

That is, the SSLRequire from Directory cascades to test/subdir (as it is 
supposed to), but this makes it impossible then for a person with only a DE 
certificate to get access to the subdirectory.

I am able to reliably repeat that problem.

As best as I can tell, this cannot be overcome with a special Boolean 
combination to SSLRequire, and the way Apache is currently designed, there does 
not seem any possibility to override this behavior.  

Is there a good reason to maintain that behavior?  Maybe it should be an 
enhancement request to allow the possibility to turn off or override 
the "directory cascade" ?  




DO NOT REPLY [Bug 41911] - SSLRequire does not restrict access to subdirectory under dav



basant.kukreja@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO




------- Additional Comments From basant.kukreja@sun.com  2007-03-26 13:28 -------
As you wrote in your second point:
>2. Using a DE certificate, it is possible to get access to /dir
>where dir/subdir is also shown.  Under webdavs, it is also possible
>to get access to /dir/subdir  Is that "expected" behaviour?

I could not reproduce the issue. Here is my experimentation.

Here is my configuration:

<Directory "/disk/apache/apache2/htdocs/test">
    Order allow,deny
    Allow from all
    Options Indexes
    <IfModule mod_ssl.c>
        DAV on
        SSLOptions +StrictRequire
        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLRequire %{SSL_CLIENT_S_DN_C} eq "US"
    </IfModule>
</Directory>

<Directory "/disk/apache/apache2/htdocs/test/subdir">
    Order allow,deny
    Allow from all
    Options Indexes
    <IfModule mod_ssl.c>
        DAV on
        SSLOptions +StrictRequire
        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLRequire %{SSL_CLIENT_S_DN_C} eq "DE"
    </IfModule>
</Directory>


Using a "US"-based client certificate, when I send the /test/ request I
don't see subdir in the directory listing.

------------------------------------------------------
[/disk/apache/apache2] $ curl --cacert ./certs/rootcert.pem  -E
certs/client1.pem:password --dump-header - -o - https://lbasantk3:4005/test/
HTTP/1.1 200 OK
Date: Mon, 26 Mar 2007 20:09:53 GMT
Server: Apache/2.2.5-dev (Unix) mod_ssl/2.2.5-dev OpenSSL/0.9.8a DAV/2
Content-Length: 256
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /test</title>
 </head>
 <body>
<h1>Index of /test</h1>
<ul><li><a href="/"> Parent Directory</a></li>
<li><a href="test.html"> test.html</a></li>
</ul>
</body></html>
------------------------------------------------------


If I try to access /test/subdir/ then I get permission
------------------------------------------------------
[/disk/apache/apache2] $ curl --cacert ./certs/rootcert.pem  -E
certs/client1.pem:password --dump-header - -o - https://lbasantk3:4005/test/subdir/
HTTP/1.1 403 Forbidden
Date: Mon, 26 Mar 2007 20:10:55 GMT
Server: Apache/2.2.5-dev (Unix) mod_ssl/2.2.5-dev OpenSSL/0.9.8a DAV/2
Content-Length: 214
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /test/subdir/
on this server.</p>
</body></html>
------------------------------------------------------



Now if I change the subdirectory configuration, e.g.

<Directory "/disk/apache/apache2/htdocs/test/subdir">
    Order allow,deny
    Allow from all
    Options Indexes
    <IfModule mod_ssl.c>
        DAV on
        SSLOptions +StrictRequire
        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLRequire %{SSL_CLIENT_S_DN_C} eq "US"
    </IfModule>
</Directory>

[/disk/apache/apache2] $ bin/apachectl restart 

Now if I send the request again, I see "/subdir" as part of my
listing.
------------------------------------------------------
[/disk/apache/apache2] $ curl --cacert ./certs/rootcert.pem  -E
certs/client1.pem:password --dump-header - -o - https://lbasantk3:4005/test/
HTTP/1.1 200 OK
Date: Mon, 26 Mar 2007 20:11:17 GMT
Server: Apache/2.2.5-dev (Unix) mod_ssl/2.2.5-dev OpenSSL/0.9.8a DAV/2
Content-Length: 296
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /test</title>
 </head>
 <body>
<h1>Index of /test</h1>
<ul><li><a href="/"> Parent Directory</a></li>
<li><a href="subdir/"> subdir/</a></li>
<li><a href="test.html"> test.html</a></li>
</ul>
</body></html>
------------------------------------------------------

Also as expected, if I send the /test/subdir/ URI then I get the listing.

Kindly provide more information which could be helpful to reproduce the issue.
Also kindly provide information about which webdav tool you are using.




DO NOT REPLY [Bug 41911] - SSLRequire does not restrict access to subdirectory under dav



basant.kukreja@sun.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |basant.kukreja@sun.com



