From: Bruce Lysik <blysik@xxxxxxxxx>
To: "users@xxxxxxxxxxxxxxxx" <users@xxxxxxxxxxxxxxxx>
Sent: Thursday, August 1, 2013 7:18 AM
Subject: autoindex: showing directory it shouldn't
Hi,Summary of my problem: mod_autoindex is showing directories that a logged in user doesn't have access to when using Require group. When using Require user, it's properly not shown. ShowForbidden is never turned on.Details:Oracle Linux 6u4 (RHEL6u4)httpd-2.2.15-26.0.1.el6.x86_64mod_authz_ldap-0.26-16.el6.x86_64* mkdir -p /tmp/test/{1,2,3}* cat "Require group blahblah "> /tmp/test/1/.htaccess* set perms to 775* Configure a virtual host with /tmp/test as the DocumentRoot and setup ldap authorization and authentication via mod_authz_ldap. Test with a user not in group 'blahblah'. Basic auth.* Turn on Options Index (ShowForbidden is NOT on.)Browse to the doc root, and I can see directories 1, 2, and 3. (From my understanding, I shouldn't see 1.) Trying to browse into directory 1 and I'm properly forbidden.* Change .htaccess file to 'Require user notmyuser'Browse to the doc root. Now I can only see directories 2 and 3. (Proper behavior.)Any help would be appreciated, this is driving me crazy! Thanks!--
Bruce Z. Lysik <blysik@xxxxxxxxx>
|