Posted to apache-bugdb@apache.org by Al Sorrell <as...@troweprice.com> on 1998/03/02 16:57:17 UTC

mod_alias/1899: AuthUser/AuthGroup not working with alias'd directory

>Number:         1899
>Category:       mod_alias
>Synopsis:       AuthUser/AuthGroup not working with alias'd directory
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Mar  2 08:00:00 PST 1998
>Last-Modified:
>Originator:     asorrell@troweprice.com
>Organization:
apache
>Release:        1.2.5
>Environment:
SunOS netops 5.5.1 Generic_103640-08 sun4u sparc SUNW,Ultra-Enterprise
Solaris 2.5.1, Apache 1.2.5 compiled under gcc 2.7.2.1, no compilation problems
>Description:
DocumentRoot is /vol1/apache/htdocs

I have successfully used authentication for a directory under the Document Root
using the following in access.conf:
#
# Prevent directory browsing and .htaccess files in the main tree
#
<Directory />
        AllowOverride None
        order deny,allow
        deny from all
</Directory>


<Directory /vol1/apache/htdocs/net/priv>
        AllowOverride None
        AuthName netpriv
        AuthType Basic
        AuthUserFile /vol1/apache/security/passwd
        AuthGroupFile /vol1/apache/security/group
        require group netpriv webadmin
</Directory>

Attempted access to any file in the directory pops up a password dialog
box as expected & I can access stuff after giving it the right info.
Note that this directory is under the DocumentRoot.

However, if in srm.conf, I set up an alias with the directive:
Alias   /mrtg   /var/mrtg

and then use a similar construct to provide access control:
<Directory /var/mrtg >
        AllowOverride None
        AuthName netpriv
        AuthType Basic
        AuthUserFile /vol1/apache/security/passwd
        AuthGroupFile /vol1/apache/security/group
        require group netpriv webadmin
</Directory>

and ask for http://server/mrtg/x.html (where x.html exists & has permissions),
I simply get a message:

  Forbidden
  You don't have permission to access /mrtg/x.html on this server

without ever being prompted for the password. (Whether or not I have
previously authenticated to one of the groups does not matter. I get the
same results if this is the first access after bringing up the browser).

Note, if instead of the restrictive access shown above, I instead use the
following, I have no problem accessing the files (as expected - unfortunately
NOBODY has any problems ;)

<Directory /var/mrtg>
        Options Indexes FollowSymLinks
        AllowOverride AuthConfig
        order allow,deny
        allow from all
</Directory>
>How-To-Repeat:
not publicly accessible, sorry
>Fix:

>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <ap...@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
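
The configuration below is an example added here, not part of the original report and not the Apache project's own answer. It assumes the 403 comes from the "deny from all" in <Directory /> still applying to /var/mrtg, so the host-based check refuses the request before Basic authentication is attempted. The second block keeps the report's authentication directives and states the host-access rule for the aliased directory explicitly.

```apache
# Added example, not from the original report.
# As reported: the auth block for the aliased directory carries no order/allow
# lines of its own, so the host-access rule set in <Directory /> still governs
# /var/mrtg (assumption: no other section re-allows access for that path).
<Directory />
        AllowOverride None
        order deny,allow
        deny from all
</Directory>

# Assumed correction: declare the host-access policy next to the
# authentication directives. With the default "Satisfy all", a request has to
# pass both the host check and the user/group check, so "allow from all" here
# does not open the directory to unauthenticated users.
<Directory /var/mrtg>
        AllowOverride None
        order allow,deny
        allow from all
        AuthName netpriv
        AuthType Basic
        AuthUserFile /vol1/apache/security/passwd
        AuthGroupFile /vol1/apache/security/group
        require group netpriv webadmin
</Directory>
```

After reloading, an unauthenticated request for a file under /mrtg should return 401 with a WWW-Authenticate header rather than 403; a 403 at that point means a host rule is still denying the request.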