Hello, I opted to send a message to this list as an alternative to
filing a bug report as per the procedures on the apache website. I'll
do my best to describe what I've seen in order to best aid those who
are nice enough to offer help.
What I am seeing is a situation where access to a directory has been
restricted using the following abbreviated config file, and everything
works just fine. Then, after adding this line: "SCGIMount /log
127.0.0.1:5000", requests to /log are served even though they had
previously been blocked. I am assuming that this is some sort of bug
or oversight, or that I am completely misunderstanding how security
works in apache. I've previously posted this question over at
LinuxQuestions and have not yet received any offers after about 3
weeks. The thread can be found here:
http://www.linuxquestions.org/questions/linux-security-4/scgimount-on-apache2-bypasses-order-allow-deny-914427/
<VirtualHost *:81>
ServerAdmin xxxx@xxxxxxx
ServerName www.xxxxx.xxx:81
DocumentRoot /var/www
LogLevel warn
ErrorLog /var/log/apache2/altport-error.log
CustomLog /var/log/apache2/altport-access.log combined
<Directory />
Options FollowSymLinks
AllowOverride None
Order allow,deny
Deny from all
</Directory>
<Directory /var/www>
Order allow,deny
Allow from all
</Directory>
<Directory /var/www/log>
Order allow,deny
Deny from all
</Directory>
</VirtualHost>
Sincerely,
Matthew Berry
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|