Posted to bugs@httpd.apache.org by bu...@apache.org on 2012/01/01 02:56:59 UTC

DO NOT REPLY [Bug 52406] New: Order not inherited by subdirectories

https://issues.apache.org/bugzilla/show_bug.cgi?id=52406

             Bug #: 52406
           Summary: Order not inherited by subdirectories
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: calestyo@scientia.net
    Classification: Unclassified


Hi.

Either this is a bug, or a suggestion to change behaviour, or at least a
suggestion to clarify documentation:

It seems that the set "Order" is not inherited as one would expect from the
usual way different sections are merged.

Example:
<Directory /foo>
    Order allow,deny
    Deny from all
</Directory>

<Directory /foo/bar>
    Allow from localhost
</Directory>


I would now assume, that in /foo, everything is denied (which is actually the
case) and that in /foo/bar, everything is denied but accesses from localhost
(as I'd expect that the "Order allow,deny" applies on /foo/bar, too).

It seems however, that "Order" is silently set back to its default
(deny,allow) in the /foo/bar section.
And therefore... _any_ access is granted.


This seems to be some quite strange behaviour.

Not sure whether any similar directives (e.g. Satisfy) also behave as strange
as this.


Cheers,
Chris.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
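
Added example, not part of the original report or of httpd's code: a small Python model of the replacement behaviour described in this thread (a section that uses any Order/Allow/Deny directive starts from scratch), applied to the two sections from the report, plus a lint that flags the risky pattern. The function names and the client address 203.0.113.7 are assumptions; host matching is simplified to exact tokens and "all", and only the two Order values on this page are modelled.

```python
import re

# Constructed sample: the two sections quoted in the bug report.
SAMPLE = """<Directory /foo>
    Order allow,deny
    Deny from all
</Directory>
<Directory /foo/bar>
    Allow from localhost
</Directory>"""

def parse(conf):
    """Map each <Directory> path to its Order/Allow/Deny lines as (name, args) pairs."""
    sections, cur = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        opened = re.match(r"<Directory\s+([^>\s]+)\s*>", line, re.I)
        rule = re.match(r"(Order|Allow|Deny)\s+(?:from\s+)?(.+)", line, re.I)
        if opened:
            cur = opened.group(1).rstrip("/") or "/"
            sections.setdefault(cur, [])
        elif line.lower().startswith("</directory"):
            cur = None
        elif rule and cur is not None:
            sections[cur].append((rule.group(1).lower(), tuple(rule.group(2).lower().split())))
    return sections

def covers(parent, child):
    return child == parent or child.startswith(parent.rstrip("/") + "/")

def effective(sections, path):
    """Replacement, not merging: the deepest section with any access directive wins whole."""
    hits = [p for p, rules in sections.items() if rules and covers(p, path)]
    return sections[max(hits, key=len)] if hits else []

def allowed(conf, path, client):
    """Evaluate access for one client under the effective (non-merged) rules."""
    rules = effective(parse(conf), path)
    order = next((a[0] for n, a in rules if n == "order"), "deny,allow")  # module default
    match = lambda kind: any(n == kind and {"all", client} & set(a) for n, a in rules)
    if order == "allow,deny":                    # default is deny
        return match("allow") and not match("deny")
    return match("allow") or not match("deny")   # deny,allow: default is allow

def lint(conf):
    """Flag sections using Allow/Deny without Order below a parent with Order allow,deny."""
    s = parse(conf)
    strict = [q for q, r in s.items() if ("order", ("allow,deny",)) in r]
    return [p for p, r in s.items() if r and not any(n == "order" for n, _ in r)
            and any(q != p and covers(q, p) for q in strict)]
```

Restating "Order allow,deny" inside the /foo/bar section makes the model deny the remote client while still admitting localhost, and the lint then returns nothing.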


DO NOT REPLY [Bug 52406] Order not inherited by subdirectories

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52406

--- Comment #5 from Christoph Anton Mitterer <ca...@scientia.net> 2012-01-02 16:32:43 UTC ---
What do you mean by "_compat"?

And again,.. I'm not sure whether this is unreasonable... as far as I
understand the merging behaviour (i.e. no merging) diverts here from the
default... which can be easily forgotten by admins,... and this in turn can
easily lead to security problems.



DO NOT REPLY [Bug 52406] Order not inherited by subdirectories

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52406

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #2 from Eric Covener <co...@gmail.com> 2012-01-01 03:23:54 UTC ---
What if mod_access/mod_access_compat said at the top:

"Every time you use a directive from this module in a new context, you're
starting from scratch"

(this is how it works)



DO NOT REPLY [Bug 52406] Order not inherited by subdirectories

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52406

--- Comment #1 from Christoph Anton Mitterer <ca...@scientia.net> 2012-01-01 02:08:51 UTC ---
Just checked it,.. e.g. Satisfy behaves as expected, meaning:
Setting the non-default:

<Directory /foo>
   Satisfy any
</Directory>

<Directory /foo/bar>
</Directory>

will also have "Satisfy any" effective in /foo/bar.



DO NOT REPLY [Bug 52406] Order not inherited by subdirectories

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52406

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #7 from Eric Covener <co...@gmail.com> 2012-01-02 17:20:54 UTC ---
added some refs in r1226477



DO NOT REPLY [Bug 52406] Order not inherited by subdirectories

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52406

Christoph Anton Mitterer <ca...@scientia.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #3 from Christoph Anton Mitterer <ca...@scientia.net> 2012-01-02 16:20:39 UTC ---
Well ....
a) IMHO this should really be changed... it just seems to contradict how
everything else works,... and is also a security risk, as the default "Order
deny,allow" is rather "open".

Apache 2.3/2.4 could be a good opportunity to introduce such a (major) change
in behaviour.

I think it would also be rather "uncritical" to do this...
- The default is "order deny,allow" anyway... if this is set in the parent
directory (or not set at all and therefore left at the default)... it was till
now also the case for subdirs (but just because it "started there from scratch"
and not because it was inherited).

- If the parent directory had the non-default allow,deny set,.. it will now be
inherited and change potentially semantics (cause before it was reset to start
with deny,allow):
But this would not open any security problems,... it would rather just deny any
accesses that were allowed before.
This IS of course some major change, but not a bad one,.. and it would be
quickly noted (in case people wouldn't read the release notes, that would then
notify about this change).


b) In case the inheritance behaviour of Order is not corrected as I propose
above:
I guess this should be noted in several places, not just mod_access (which is
deprecated anyway):

- mod_access
- mod_authz_host
There it should IMHO not only be noted in the Order directive,.. but also in
the Deny/Allow directives, as they're directly affected

I'd further notice it in:
- sections.html
Perhaps by adding a new small chapter, that informs about this special case.

- security_tips.html
As this is IMHO security related (because the behaviour is strange, and the
default deny,allow is lax)...



Cheers,
Chris.



DO NOT REPLY [Bug 52406] Order not inherited by subdirectories

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52406

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|Core                        |Documentation

--- Comment #4 from Eric Covener <co...@gmail.com> 2012-01-02 16:26:50 UTC ---
Changing to doc, seems unreasonable to make Order become merged when it never
has been and is now _compat.



DO NOT REPLY [Bug 52406] Order not inherited by subdirectories

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=52406

--- Comment #6 from Eric Covener <co...@gmail.com> 2012-01-02 16:48:01 UTC ---
These directives are provided by a compat module in 2.3 and later and replaced
by mod_authz_host and authorization config sections that control merging.

The default behavior of an apache module is actually what
mod_access/mod_access_compat uses -- replacement of the configuration when you
use a directive.  If a module wants to inherit, it has to decide the semantics
and implement the merging.
