httpd-users mailing list archives

From Pete Houston <...@openstrike.co.uk>
Subject Re: [users@httpd] SCGI and Order
Date Thu, 08 Dec 2011 09:01:27 GMT
Hello Matthew,

It looks as though you are applying restrictions based on the filesystem
and then are including a directive which dissociates the URL from that
filesystem, thus bypassing your restrictions.

Have you read this part of the documentation?
http://httpd.apache.org/docs/2.2/sections.html#file-and-web

Hopefully that will explain things,

Pete

On Thu, Dec 08, 2011 at 01:00:39AM -0500, Matthew Berry wrote:
> What I am seeing is a situation where access to a directory has been
> restricted using the following abbreviated config file, and everything
> works just fine. Then, after adding this line: "SCGIMount /log
> 127.0.0.1:5000", requests to /log are served even though they had
> previously been blocked. I am assuming that this is some sort of bug
> or oversight, or that I am completely misunderstanding how security
> works in apache. I've previously posted this question over at
> LinuxQuestions and have not yet received any offers after about 3
> weeks. The thread can be found here:
> http://www.linuxquestions.org/questions/linux-security-4/scgimount-on-apache2-bypasses-order-allow-deny-914427/
> 
> <VirtualHost *:81>
>         ServerAdmin xxxx@xxx.xxx
>         ServerName  www.xxxxx.xxx:81
>         DocumentRoot /var/www
>         LogLevel warn
>         ErrorLog /var/log/apache2/altport-error.log
>         CustomLog /var/log/apache2/altport-access.log combined
>         <Directory />
>                 Options FollowSymLinks
>                 AllowOverride None
>                 Order allow,deny
>                 Deny from all
>         </Directory>
>         <Directory /var/www>
>                 Order allow,deny
>                 Allow from all
>         </Directory>
>         <Directory /var/www/log>
>                 Order allow,deny
>                 Deny from all
>         </Directory>
> </VirtualHost>

-- 
Openstrike - improving business through open source
http://www.openstrike.co.uk/ or call 01722 770036 or 07092 020107
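
Added example, not part of the original thread: the filesystem-scoped restriction from the quoted config next to a URL-scoped one that still applies once /log is mounted on the SCGI backend. It assumes the intent is to keep denying every client, as the <Directory /var/www/log> block did, and uses the 2.2 access syntax from the post.

```apache
<VirtualHost *:81>
    DocumentRoot /var/www

    # Filesystem-scoped: only consulted when a request is mapped to a
    # file under /var/www/log.
    <Directory /var/www/log>
        Order allow,deny
        Deny from all
    </Directory>

    # URL-scoped mount: requests for /log are handed to the SCGI backend,
    # so no file under /var/www/log is involved and the <Directory>
    # block above never matches them.
    SCGIMount /log 127.0.0.1:5000

    # URL-scoped restriction: matches on the request path itself, so it
    # covers content generated outside the filesystem.
    # (On httpd 2.4 the equivalent is "Require all denied".)
    <Location /log>
        Order allow,deny
        Deny from all
    </Location>
</VirtualHost>
```

With both blocks in place, /log stays restricted whether it is served from disk or by the backend on 127.0.0.1:5000.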
