httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrew Schulman <and...@alumni.utexas.net>
Subject [users@httpd] nested Require group?
Date Wed, 18 Aug 2010 15:23:20 GMT
I have outer and inner directories that I want to protect with different
Require groups directives:

  <Directory /var/www/html>
    Require group outer
  </Directory

  <Directory /var/www/html/inner>
    Require group inner
  </Directory>

My hope was that the inner Require directive would override the outer one,
allowing me to protect the inner directory with the more restrictive inner
group.  Or equivalently, that the two Require group directives would be
ANDed together.

Instead, it appears that the two directives are being ORed together,
resulting in a *less* restrictive policy for the inner directory - the
opposite of what I wanted.  Anyone in either the outer *or* the inner is
allowed access to inner.

Does this seem right?  Does anyone know of a way to AND Require group
directives?

The Apache documentation says that when multiple groups are put on the same
Require group line, e.g.

  Require group outer inner

then the user has to belong to only one of the listed groups, i.e. the
groups are ORed.  However, it says nothing at all AFAICT about what happens
when you use multiple Require group statements.  One might infer that those
are also ORed, and that seems to be what happens... but the documentation
doesn't say.

Thanks,
Andrew


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message