Posted to apache-bugdb@apache.org by Al Sorrell <as...@troweprice.com> on 1998/03/02 16:57:17 UTC
mod_alias/1899: AuthUser/AuthGroup not working with alias'd directory
>Number: 1899
>Category: mod_alias
>Synopsis: AuthUser/AuthGroup not working with alias'd directory
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Mon Mar 2 08:00:00 PST 1998
>Last-Modified:
>Originator: asorrell@troweprice.com
>Organization:
apache
>Release: 1.2.5
>Environment:
SunOS netops 5.5.1 Generic_103640-08 sun4u sparc SUNW,Ultra-Enterprise
Solaris 2.5.1, Apache 1.2.5 compiled under gcc 2.7.2.1, no compilation problems
>Description:
DocumentRoot is /vol1/apache/htdocs
I have successfully used authentication for a directory under the Document Root
using the following in access.conf:
#
# Prevent directory browsing and .htaccess files in the main tree
#
<Directory />
AllowOverride None
order deny,allow
deny from all
</Directory>
<Directory /vol1/apache/htdocs/net/priv>
AllowOverride None
AuthName netpriv
AuthType Basic
AuthUserFile /vol1/apache/security/passwd
AuthGroupFile /vol1/apache/security/group
require group netpriv webadmin
</Directory>
Attempted access to any file in the directory pops up a password dialog
box as expected & I can access stuff after giving it the right info.
Note that this directory is under the DocumentRoot.
However, if in srm.conf, I set up an alias with the directive:
Alias /mrtg /var/mrtg
and then use a similar construct to provide access control:
<Directory /var/mrtg >
AllowOverride None
AuthName netpriv
AuthType Basic
AuthUserFile /vol1/apache/security/passwd
AuthGroupFile /vol1/apache/security/group
require group netpriv webadmin
</Directory>
and ask for http://server/mrtg/x.html (where x.html exists & has permissions),
I simply get a message:
Forbidden
You don't have permission to access /mrtg/x.html on this server
without ever being prompted for the password. (Whether or not I have
previously authenticated to one of the groups does not matter. I get the
same results if this is the first access after bringing up the browser).
Note, if instead of the restrictive access shown above, I instead use the
following, I have no problem accessing the files (as expected - unfortunately
NOBODY has any problems ;)
<Directory /var/mrtg>
Options Indexes FollowSymLinks
AllowOverride AuthConfig
order allow,deny
allow from all
</Directory>
>How-To-Repeat:
not publicly accessible, sorry
>Fix:
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
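
Added example, not part of the original report and not Apache's code: a simplified Python model of how the sections quoted above combine for an unauthenticated request, showing why /mrtg/x.html gets 403 with no password prompt while /net/priv prompts. It assumes a stock <Directory /vol1/apache/htdocs> section with "allow from all" (not shown in the report), that a section with no order/allow/deny lines inherits host access from the nearest enclosing section that has them, and the default "Satisfy all".

```python
# Constructed from the report's access.conf: for each section, the host-access
# result it sets (None = no order/allow/deny lines) and whether it has "require".
# ASSUMPTION: the htdocs entry is the stock "allow from all" section; the
# report does not show it.
SECTIONS = {
    "/": {"access": "deny", "require": False},
    "/vol1/apache/htdocs": {"access": "allow", "require": False},
    "/vol1/apache/htdocs/net/priv": {"access": None, "require": True},
    "/var/mrtg": {"access": None, "require": True},
}
ALIASES = {"/mrtg": "/var/mrtg"}  # Alias /mrtg /var/mrtg (srm.conf)


def translate(uri, docroot="/vol1/apache/htdocs"):
    """Map a URI to a filesystem path, applying Alias before DocumentRoot."""
    for prefix, target in ALIASES.items():
        if uri == prefix or uri.startswith(prefix + "/"):
            return target + uri[len(prefix):]
    return docroot + uri


def enclosing(path, sections):
    """Matching <Directory> sections, shortest path first (merge order)."""
    hits = [d for d in sections
            if d == "/" or path == d or path.startswith(d + "/")]
    return sorted(hits, key=len)


def first_response(uri, sections=SECTIONS):
    """HTTP status an unauthenticated client sees (model of 'Satisfy all')."""
    access, require = "allow", False
    for d in enclosing(translate(uri), sections):
        if sections[d]["access"] is not None:  # section has order/allow/deny
            access = sections[d]["access"]     # nearest such section wins
        require = require or sections[d]["require"]
    if access == "deny":
        return 403  # host check fails before credentials are ever requested
    return 401 if require else 200


# Same configuration, with "order allow,deny" and "allow from all" added to the
# <Directory /var/mrtg> section next to its existing "require group" line.
FIXED = dict(SECTIONS, **{"/var/mrtg": {"access": "allow", "require": True}})
```

In this model the aliased path falls outside the DocumentRoot section, so the "deny from all" from <Directory /> is the only host rule in effect; first_response("/mrtg/x.html", FIXED) returns 401, the password prompt, while access stays restricted to the listed groups.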