Thank you, that is exactly what I needed. I updated my post on
LinuxQuestions to reflect this.

Sincerely,
Matthew Berry

On Thu, Dec 8, 2011 at 4:01 AM, Pete Houston <ph1@xxxxxxxxxxxxxxxx> wrote:
> Hello Matthew,
>
> It looks as though you are applying restrictions based on the filesystem
> and then are including a directive which dissociates the URL from that
> filesystem, thus bypassing your restrictions.
>
> Have you read this part of the documentation?
> http://httpd.apache.org/docs/2.2/sections.html#file-and-web
>
> Hopefully that will explain things,
>
> Pete
>
> On Thu, Dec 08, 2011 at 01:00:39AM -0500, Matthew Berry wrote:
>> What I am seeing is a situation where access to a directory has been
>> restricted using the following abbreviated config file, and everything
>> works just fine. Then, after adding this line:
>> "SCGIMount /log 127.0.0.1:5000", requests to /log are served even
>> though they had previously been blocked. I am assuming that this is
>> some sort of bug or oversight, or that I am completely misunderstanding
>> how security works in apache. I've previously posted this question over
>> at LinuxQuestions and have not yet received any offers after about 3
>> weeks. The thread can be found here:
>> http://www.linuxquestions.org/questions/linux-security-4/scgimount-on-apache2-bypasses-order-allow-deny-914427/
>>
>> <VirtualHost *:81>
>>     ServerAdmin xxxx@xxxxxxx
>>     ServerName www.xxxxx.xxx:81
>>     DocumentRoot /var/www
>>     LogLevel warn
>>     ErrorLog /var/log/apache2/altport-error.log
>>     CustomLog /var/log/apache2/altport-access.log combined
>>     <Directory />
>>         Options FollowSymLinks
>>         AllowOverride None
>>         Order allow,deny
>>         Deny from all
>>     </Directory>
>>     <Directory /var/www>
>>         Order allow,deny
>>         Allow from all
>>     </Directory>
>>     <Directory /var/www/log>
>>         Order allow,deny
>>         Deny from all
>>     </Directory>
>> </VirtualHost>
>
> --
> Openstrike - improving business through open source
> http://www.openstrike.co.uk/ or call 01722 770036 or 07092 020107

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
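
A small audit for the pitfall discussed in this thread, as an added example that is not from either poster or from the Apache project: it flags `SCGIMount` URL prefixes that no `<Location>` section with access rules covers, since `<Directory>` rules are tied to the filesystem and do not apply to them. The function name and both sample configs are constructed for illustration, and the check only looks for the presence of access directives, it does not evaluate what they permit.

```python
import re

# Access directives in the Apache 2.2 style used in the thread.
# Presence only: this does not evaluate whether the rule allows or denies.
ACCESS = re.compile(r"^\s*(Order|Allow|Deny|Require)\b", re.I)
SECTION = re.compile(r"^\s*<(Location|Directory)\s+\"?([^\">]+)\"?\s*>", re.I)
CLOSE = re.compile(r"^\s*</(Location|Directory)>", re.I)
MOUNT = re.compile(r"^\s*SCGIMount\s+(\S+)\s+(\S+)", re.I)

def unguarded_mounts(conf):
    """Return SCGIMount URL prefixes with no <Location> access rules covering them."""
    mounts, guarded, current = [], set(), None
    for line in conf.splitlines():
        if m := SECTION.match(line):
            current = (m.group(1).lower(), m.group(2).rstrip("/") or "/")
        elif CLOSE.match(line):
            current = None
        elif current and current[0] == "location" and ACCESS.match(line):
            guarded.add(current[1])  # <Directory> rules are deliberately ignored
        elif m := MOUNT.match(line):
            mounts.append(m.group(1).rstrip("/") or "/")
    def covered(url):
        return any(g == "/" or url == g or url.startswith(g + "/") for g in guarded)
    return [u for u in mounts if not covered(u)]

# Constructed sample: the thread's vhost (trimmed) plus the SCGIMount line.
BEFORE = """
<VirtualHost *:81>
    DocumentRoot /var/www
    <Directory /var/www/log>
        Order allow,deny
        Deny from all
    </Directory>
    SCGIMount /log 127.0.0.1:5000
</VirtualHost>
"""
# Same config with the restriction restated in URL space.
AFTER = BEFORE.replace("    SCGIMount", """    <Location /log>
        Order allow,deny
        Deny from all
    </Location>
    SCGIMount""")

if __name__ == "__main__":
    print("before:", unguarded_mounts(BEFORE))
    print("after: ", unguarded_mounts(AFTER))
```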