You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Bruce Lysik <bl...@yahoo.com> on 2013/08/01 16:18:13 UTC
[users@httpd] autoindex: showing directory it shouldn't
Hi,
Summary of my problem: mod_autoindex is showing directories that a logged in user doesn't have access to when using Require group. When using Require user, it's properly not shown. ShowForbidden is never turned on.
Details:
Oracle Linux 6u4 (RHEL6u4)
httpd-2.2.15-26.0.1.el6.x86_64
mod_authz_ldap-0.26-16.el6.x86_64
* mkdir -p /tmp/test/{1,2,3}
* cat "Require group blahblah "> /tmp/test/1/.htaccess
* set perms to 775
* Configure a virtual host with /tmp/test as the DocumentRoot and setup ldap authorization and authentication via mod_authz_ldap. Test with a user not in group 'blahblah'. Basic auth.
* Turn on Options Index (ShowForbidden is NOT on.)
Browse to the doc root, and I can see directories 1, 2, and 3. (From my understanding, I shouldn't see 1.) Trying to browse into directory 1 and I'm properly forbidden.
* Change .htaccess file to 'Require user notmyuser'
Browse to the doc root. Now I can only see directories 2 and 3. (Proper behavior.)
Any help would be appreciated, this is driving me crazy! Thanks!
--
Bruce Z. Lysik <bl...@yahoo.com>
Re: [users@httpd] autoindex: showing directory it shouldn't
Posted by Bruce Lysik <bl...@yahoo.com>.
Hopefully not too bad form to reply to my own thread, but I have more information.
If I use normal file system based groups, it works as expected, and won't show my directory 1.
So now it appears to be either an issue with mod_authz_ldap or it's apache making a decision not to check a sub-directory .htaccess if using a different authorization method.
--
Bruce Z. Lysik <bl...@yahoo.com>
>________________________________
> From: Bruce Lysik <bl...@yahoo.com>
>To: "users@httpd.apache.org" <us...@httpd.apache.org>
>Sent: Thursday, August 1, 2013 7:18 AM
>Subject: [users@httpd] autoindex: showing directory it shouldn't
>
>
>
>Hi,
>
>
>Summary of my problem: mod_autoindex is showing directories that a logged in user doesn't have access to when using Require group. When using Require user, it's properly not shown. ShowForbidden is never turned on.
>
>
>Details:
>
>
>Oracle Linux 6u4 (RHEL6u4)
>httpd-2.2.15-26.0.1.el6.x86_64
>mod_authz_ldap-0.26-16.el6.x86_64
>
>
>* mkdir -p /tmp/test/{1,2,3}
>* cat "Require group blahblah "> /tmp/test/1/.htaccess
>* set perms to 775
>* Configure a virtual host with /tmp/test as the DocumentRoot and setup ldap authorization and authentication via mod_authz_ldap. Test with a user not in group 'blahblah'. Basic auth.
>* Turn on Options Index (ShowForbidden is NOT on.)
>
>
>Browse to the doc root, and I can see directories 1, 2, and 3. (From my understanding, I shouldn't see 1.) Trying to browse into directory 1 and I'm properly forbidden.
>
>* Change .htaccess file to 'Require user notmyuser'
>
>
>Browse to the doc root. Now I can only see directories 2 and 3. (Proper behavior.)
>
>
>Any help would be appreciated, this is driving me crazy! Thanks!
>
>
>--
>Bruce Z. Lysik <bl...@yahoo.com>
>
>