Posted to users@httpd.apache.org by Matthew Berry <ma...@gmail.com> on 2011/12/08 07:00:39 UTC

[users@httpd] SCGI and Order

Hello, I opted to send a message to this list as an alternative to
filing a bug report as per the procedures on the apache website. I'll
do my best to describe what I've seen in order to best aid those who
are nice enough to offer help.

What I am seeing is a situation where access to a directory has been
restricted using the following abbreviated config file, and everything
works just fine. Then, after adding this line: "SCGIMount /log
127.0.0.1:5000", requests to /log are served even though they had
previously been blocked. I am assuming that this is some sort of bug
or oversight, or that I am completely misunderstanding how security
works in apache. I've previously posted this question over at
LinuxQuestions and have not yet received any offers after about 3
weeks. The thread can be found here:
http://www.linuxquestions.org/questions/linux-security-4/scgimount-on-apache2-bypasses-order-allow-deny-914427/

<VirtualHost *:81>
        ServerAdmin xxxx@xxx.xxx
        ServerName  www.xxxxx.xxx:81
        DocumentRoot /var/www
        LogLevel warn
        ErrorLog /var/log/apache2/altport-error.log
        CustomLog /var/log/apache2/altport-access.log combined
        <Directory />
                Options FollowSymLinks
                AllowOverride None
                Order allow,deny
                Deny from all
        </Directory>
        <Directory /var/www>
                Order allow,deny
                Allow from all
        </Directory>
        <Directory /var/www/log>
                Order allow,deny
                Deny from all
        </Directory>
</VirtualHost>

Sincerely,
Matthew Berry

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] SCGI and Order

Posted by Matthew Berry <ma...@gmail.com>.
Thank you,
that is exactly what I needed. I updated my post on LinuxQuestions to
reflect this.

Sincerely,
Matthew Berry

On Thu, Dec 8, 2011 at 4:01 AM, Pete Houston <ph...@openstrike.co.uk> wrote:
> Hello Matthew,
>
> It looks as though you are applying restrictions based on the filesystem
> and then are including a directive which dissociates the URL from that
> filesystem, thus bypassing your restrictions.
>
> Have you read this part of the documentation?
> http://httpd.apache.org/docs/2.2/sections.html#file-and-web
>
> Hopefully that will explain things,
>
> Pete
>
> On Thu, Dec 08, 2011 at 01:00:39AM -0500, Matthew Berry wrote:
>> What I am seeing is a situation where access to a directory has been
>> restricted using the following abbreviated config file, and everything
>> works just fine. Then, after adding this line: "SCGIMount /log
>> 127.0.0.1:5000", requests to /log are served even though they had
>> previously been blocked. I am assuming that this is some sort of bug
>> or oversight, or that I am completely misunderstanding how security
>> works in apache. I've previously posted this question over at
>> LinuxQuestions and have not yet received any offers after about 3
>> weeks. The thread can be found here:
>> http://www.linuxquestions.org/questions/linux-security-4/scgimount-on-apache2-bypasses-order-allow-deny-914427/
>>
>> <VirtualHost *:81>
>>         ServerAdmin xxxx@xxx.xxx
>>         ServerName  www.xxxxx.xxx:81
>>         DocumentRoot /var/www
>>         LogLevel warn
>>         ErrorLog /var/log/apache2/altport-error.log
>>         CustomLog /var/log/apache2/altport-access.log combined
>>         <Directory />
>>                 Options FollowSymLinks
>>                 AllowOverride None
>>                 Order allow,deny
>>                 Deny from all
>>         </Directory>
>>         <Directory /var/www>
>>                 Order allow,deny
>>                 Allow from all
>>         </Directory>
>>         <Directory /var/www/log>
>>                 Order allow,deny
>>                 Deny from all
>>         </Directory>
>> </VirtualHost>
>
> --
> Openstrike - improving business through open source
> http://www.openstrike.co.uk/ or call 01722 770036 or 07092 020107
>


Re: [users@httpd] SCGI and Order

Posted by Pete Houston <ph...@openstrike.co.uk>.
Hello Matthew,

It looks as though you are applying restrictions based on the filesystem
and then are including a directive which dissociates the URL from that
filesystem, thus bypassing your restrictions.

Have you read this part of the documentation?
http://httpd.apache.org/docs/2.2/sections.html#file-and-web

Hopefully that will explain things,

Pete

On Thu, Dec 08, 2011 at 01:00:39AM -0500, Matthew Berry wrote:
> What I am seeing is a situation where access to a directory has been
> restricted using the following abbreviated config file, and everything
> works just fine. Then, after adding this line: "SCGIMount /log
> 127.0.0.1:5000", requests to /log are served even though they had
> previously been blocked. I am assuming that this is some sort of bug
> or oversight, or that I am completely misunderstanding how security
> works in apache. I've previously posted this question over at
> LinuxQuestions and have not yet received any offers after about 3
> weeks. The thread can be found here:
> http://www.linuxquestions.org/questions/linux-security-4/scgimount-on-apache2-bypasses-order-allow-deny-914427/
> 
> <VirtualHost *:81>
>         ServerAdmin xxxx@xxx.xxx
>         ServerName  www.xxxxx.xxx:81
>         DocumentRoot /var/www
>         LogLevel warn
>         ErrorLog /var/log/apache2/altport-error.log
>         CustomLog /var/log/apache2/altport-access.log combined
>         <Directory />
>                 Options FollowSymLinks
>                 AllowOverride None
>                 Order allow,deny
>                 Deny from all
>         </Directory>
>         <Directory /var/www>
>                 Order allow,deny
>                 Allow from all
>         </Directory>
>         <Directory /var/www/log>
>                 Order allow,deny
>                 Deny from all
>         </Directory>
> </VirtualHost>

-- 
Openstrike - improving business through open source
http://www.openstrike.co.uk/ or call 01722 770036 or 07092 020107
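The fix that follows from Pete's explanation, added here as an example and not part of the thread: the `<Directory /var/www/log>` section only applies to requests that map to that path on disk, so once `SCGIMount /log 127.0.0.1:5000` hands the `/log` URL to the SCGI backend no filesystem path is involved and the deny is never consulted. A `<Location>` section matches on the URL path and is merged after `<Directory>` sections, so it covers the mounted URL no matter what serves it. The snippet keeps the Apache 2.2 `Order`/`Deny` syntax, paths and mount directive from the original post (on 2.4 the equivalent is `Require all denied`, or the same lines with mod_access_compat loaded).

```apacheconf
<VirtualHost *:81>
    DocumentRoot /var/www

    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Deny from all
    </Directory>

    <Directory /var/www>
        Order allow,deny
        Allow from all
    </Directory>

    # Weak: this section is keyed on the filesystem path /var/www/log. A request
    # for /log that SCGIMount routes to the backend never touches that path, so
    # this block is skipped and the deny is silently bypassed.
    <Directory /var/www/log>
        Order allow,deny
        Deny from all
    </Directory>

    # mod_scgi directive from the original post: /log is answered by the
    # backend on 127.0.0.1:5000 rather than by a file under DocumentRoot.
    SCGIMount /log 127.0.0.1:5000

    # Corrected: key the restriction on the URL instead. <Location> sections are
    # merged after all <Directory> sections, so this applies to /log and
    # everything beneath it (but not to /login, since matching is per path
    # segment) regardless of whether a file, a handler or the SCGI backend
    # would otherwise serve the request.
    <Location /log>
        Order allow,deny
        Deny from all
    </Location>
</VirtualHost>
```

Check it with `apachectl configtest`, then confirm a request for `/log` now returns 403 and nothing for it reaches the backend on port 5000.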