Posted to apache-bugdb@apache.org by Soeren Sonnenburg <so...@informatik.hu-berlin.de> on 2001/11/10 13:35:04 UTC

Re: mod_dir/7804: filesmatch/directoryindex access

> >  <Directory />
> >  Order deny,allow
> >  deny from all
> >  </Directory>
> >
> >  <Directory /var/www>
> >  <FilesMatch "\.(html|png|gif|jpeg|jpg|php)$">
> >  Order allow,deny
> >  allow from all
> >  </FilesMatch>
> >  </Directory>

Ok, I got it now. The FilesMatch does not match files (as the name suggests)
but basenames. /var/www/ is denied because `basename /var/www` == www is
not allowed. You consider this a feature; I think that it is a BUG.

Therefore adding
<Directory /var/>
        <FilesMatch "^www$">
                order allow,deny
                allow from all
        </FilesMatch>
</Directory>

allows access to /var/www AND ALL FILES named www in directories BELOW THAT.
I cannot think of any possible way of denying access to /var/www/www
(http://server/www) while allowing access to /var/www (http://server/), since
FilesMatch does match a directory name, i.e. adding

<Directory /var/www/ >
        <FilesMatch ".*">
        Order Deny,Allow
        Deny from All
        </FilesMatch>
</Directory>

makes http://server not work anymore, since /var/www is denied by the
FilesMatch ".*", and one cannot use

<Directory /var/www/ >
        Order Deny,Allow
        Deny from All
</Directory>

instead because the <Files> rules are processed after that.

I do not want to use <Location> rules; I just want to make sure one can
access /var/www (via mod_autoindex it is /var/www/index.html) and not
/var/www/www.

This has a more serious consequence for all FilesMatch rules: A config like:

#all files
<FilesMatch ".*">
Options None
AllowOverride None
Order Deny,Allow
Deny from All
</FilesMatch>

#root
<Directory />
Options None
AllowOverride None
Order Deny,Allow
Deny from All
</Directory>

#www
<Directory /var/www>
        <FilesMatch "^www$|\.(html|php|gif|jpeg|jpg|png|js|css|jar)$">
                order allow,deny
                allow from all
        </FilesMatch>
</Directory>

<FilesMatch ".html">
                order allow,deny
                allow from all
</FilesMatch>

would give access to all directories ending in .html, .php, .gif etc. and to
the directory www, and therefore e.g. to /var/www/breakme.html/index.html when
mod_autoindex is loaded. I consider this to be a security problem - sorry if
you do not.

> Somehow some 19+ million sites managed to deal with the existing config
> schema.  Please

Most of the sites will just run apache as a standalone webserver where
almost every file could be readable without getting into security trouble.
Only very few have got valuable data on their box and want very specific
rules to fortify their machine.

> see apacheweek.com and apachetoday.com for interesting articles on
> security, and address
> these configuration questions to the comp.infosystems.www.servers.unix for
> further
> discussion.  I certainly wouldn't recommend it, but you could even try
> moving mod_dir
> before mod_access.  There are plenty of resources, but this bug report is
> closed.

I understand that changing the order of modules such that http://server gets
http://server/index.html might break security, so that this is not the
solution of choice; therefore one needs per-file access rules, which is not
possible as shown in the example above.

Soeren.
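The following is an added example, not part of the report or of Apache's own code. It models, in deliberately simplified form, the one behaviour the report turns on: <FilesMatch> tests its regex against the last path component of the mapped filename whether that component is a file or a directory, and Files sections are applied after Directory sections. The rules mirror the last configuration quoted in the report; the directory tree is constructed, and Order/Allow/Deny merging, .htaccess and <Location> are left out.

```python
import re
from posixpath import basename

# Simplified model of Apache 1.3 access scoping: <Directory> sections apply by
# path prefix (shortest first), then <Files>/<FilesMatch> sections are applied
# and match their regex against the basename of the mapped filename only,
# regardless of whether that basename is a regular file or a directory.
# Each rule: (Directory prefix or "" for a server-wide section,
#             FilesMatch regex or None, True = allow from all / False = deny)
RULES = [
    ("/", None, False),                  # <Directory /> ... Deny from All
    ("", r".*", False),                  # <FilesMatch ".*"> Deny from All
    ("/var/www", r"^www$|\.(html|php|gif|jpeg|jpg|png|js|css|jar)$", True),
    ("", r"\.html", True),               # <FilesMatch ".html"> allow from all
]

# Constructed document tree for the walk-through: (filesystem path, is_directory)
TREE = [
    ("/var/www", True),
    ("/var/www/index.html", False),
    ("/var/www/secret.txt", False),
    ("/var/www/www", True),                      # directory whose basename is "www"
    ("/var/www/breakme.html", True),             # directory named like a file
    ("/var/www/breakme.html/index.html", False),
    ("/etc/passwd", False),
]

def in_directory(prefix, path):
    """True when `path` lies inside <Directory prefix> ("" means server-wide)."""
    if prefix == "":
        return True
    root = prefix.rstrip("/")
    return path == root or path.startswith(root + "/")

def decide(path):
    """Return "allow" or "deny" for a mapped filename under the simplified model."""
    verdict = False  # start closed; every path here falls under <Directory />
    # Pass 1: plain <Directory> sections, shortest prefix first, last one wins.
    for prefix, pat, allow in sorted((r for r in RULES if r[1] is None),
                                     key=lambda r: len(r[0])):
        if in_directory(prefix, path):
            verdict = allow
    # Pass 2: FilesMatch sections, applied afterwards against the basename only.
    for prefix, pat, allow in (r for r in RULES if r[1] is not None):
        if in_directory(prefix, path) and re.search(pat, basename(path)):
            verdict = allow
    return "allow" if verdict else "deny"

def exposed_directories(tree=TREE):
    """Directories that a FilesMatch written for files ends up granting access to."""
    return [p for p, is_dir in tree if is_dir and decide(p) == "allow"]
```

Only /var/www is meant to be reachable; the other two directories the audit lists are the ones the report complains about.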