httpd-users mailing list archives

From Matthew Berry <matthew.william.be...@gmail.com>
Subject Re: [users@httpd] SCGI and Order
Date Fri, 09 Dec 2011 18:24:44 GMT
Thank you,
that is exactly what I needed. I updated my post on LinuxQuestions to
reflect this.

Sincerely,
Matthew Berry

On Thu, Dec 8, 2011 at 4:01 AM, Pete Houston <ph1@openstrike.co.uk> wrote:
> Hello Matthew,
>
> It looks as though you are applying restrictions based on the filesystem
> and then are including a directive which dissociates the URL from that
> filesystem, thus bypassing your restrictions.
>
> Have you read this part of the documentation?
> http://httpd.apache.org/docs/2.2/sections.html#file-and-web
>
> Hopefully that will explain things,
>
> Pete
>
> On Thu, Dec 08, 2011 at 01:00:39AM -0500, Matthew Berry wrote:
>> What I am seeing is a situation where access to a directory has been
>> restricted using the following abbreviated config file, and everything
>> works just fine. Then, after adding this line: "SCGIMount /log
>> 127.0.0.1:5000", requests to /log are served even though they had
>> previously been blocked. I am assuming that this is some sort of bug
>> or oversight, or that I am completely misunderstanding how security
>> works in apache. I've previously posted this question over at
>> LinuxQuestions and have not yet received any offers after about 3
>> weeks. The thread can be found here:
>> http://www.linuxquestions.org/questions/linux-security-4/scgimount-on-apache2-bypasses-order-allow-deny-914427/
>>
>> <VirtualHost *:81>
>>         ServerAdmin xxxx@xxx.xxx
>>         ServerName  www.xxxxx.xxx:81
>>         DocumentRoot /var/www
>>         LogLevel warn
>>         ErrorLog /var/log/apache2/altport-error.log
>>         CustomLog /var/log/apache2/altport-access.log combined
>>         <Directory />
>>                 Options FollowSymLinks
>>                 AllowOverride None
>>                 Order allow,deny
>>                 Deny from all
>>         </Directory>
>>         <Directory /var/www>
>>                 Order allow,deny
>>                 Allow from all
>>         </Directory>
>>         <Directory /var/www/log>
>>                 Order allow,deny
>>                 Deny from all
>>         </Directory>
>> </VirtualHost>
>
> --
> Openstrike - improving business through open source
> http://www.openstrike.co.uk/ or call 01722 770036 or 07092 020107
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iEYEARECAAYFAk7gfOcACgkQdzfnYmsKt535YgCdG5I8bgTZ/UlDTq5ENx4tZZM3
> waMAni5IVnpVqdcpH+OJJFlbrcA77JHG
> =CNsj
> -----END PGP SIGNATURE-----
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
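The linked documentation section explains the root cause Pete points at: `<Directory>` sections are matched against the filesystem path a request resolves to, while `SCGIMount` (like `ProxyPass`) hands the URL to a backend before any filesystem path is chosen, so a `<Directory /var/www/log>` block is simply never consulted for `/log`. The fix is to express the restriction on the URL space with `<Location>`, which is matched on the request URI regardless of whether it maps to a file. The configuration below is an added example, not part of the thread, showing the original post's config with that correction applied. It assumes Apache 2.2 with mod_authz_host (the `Order`/`Allow`/`Deny` syntax used in the post) and the third-party mod_scgi module that provides `SCGIMount`; the commented `Allow from` line uses an assumed documentation subnet and is only a placeholder.

```apache
# Added example (not from the thread): the original config with the /log
# restriction duplicated as a <Location> block so it survives SCGIMount.
# Assumptions: Apache 2.2 + mod_authz_host (Order/Allow/Deny syntax, as in the
# post) and mod_scgi providing SCGIMount.
<VirtualHost *:81>
    DocumentRoot /var/www

    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Deny from all
    </Directory>

    <Directory /var/www>
        Order allow,deny
        Allow from all
    </Directory>

    # Filesystem-based rule: only consulted when a request is mapped to a
    # file under /var/www/log. Harmless to keep, but NOT sufficient on its own.
    <Directory /var/www/log>
        Order allow,deny
        Deny from all
    </Directory>

    # SCGIMount routes /log to the backend before any filesystem path is
    # chosen, so the <Directory /var/www/log> rule above is never evaluated.
    SCGIMount /log 127.0.0.1:5000

    # URL-based rule: <Location> matches the request URI whether or not it
    # maps to the filesystem, so it applies to the SCGI-mounted path too.
    # Location sections are merged after Directory sections, so this deny
    # takes effect even though /var/www is allowed above.
    <Location /log>
        Order allow,deny
        Deny from all
        # Narrower policy, if some clients should reach the backend
        # (assumed placeholder subnet, adjust for your network):
        # Allow from 192.0.2.0/24
    </Location>
</VirtualHost>
```

After reloading, a request such as `curl -s -o /dev/null -w '%{http_code}\n' http://localhost:81/log/` should return 403 instead of output from the SCGI backend, and the denial should appear in `altport-access.log`; if it still returns 200, the request never reached this vhost or the `<Location>` block is being overridden by a later, more specific section. The same reasoning applies to any directive that detaches a URL from the filesystem, so URL-space restrictions belong in `<Location>` (or `<LocationMatch>`) rather than `<Directory>`; on Apache 2.4 the equivalent inside `<Location /log>` is `Require all denied`.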

