Re: Apache directory access & Suse AppArmor

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Eric,

I am clear with how AppArmor work and how to set them up correctly.
What I do not have a clear picture is why this setting below
still not allow any network to access this particular directory
unless I have it define as ALLOW FROM ALL.

** This syntax and options will work ****
  <Directory "/srv/www/my-domain/images/">
     Allow from all
  </Directory>



** This syntax and options will not allow any network to access *********
  <Directory "/srv/www/my-domain/images/">
     Options None
     Order deny,allow
     Deny from all
     Allow from 172.10.10.0/255.255.255.0
  </Directory>



** However, if I use this syntax and options it will work or allow every network ****
  <Directory "/srv/www/my-domain/images/">
     Allow from all
  </Directory>



Thank you,

Y




----- Original Message -----
From: "Eric Covener" <covener@xxxxxxxxx>
To: users@xxxxxxxxxxxxxxxx
Sent: Thursday, October 16, 2008 1:48:23 PM (GMT-0500) America/New_York
Subject: Re:  Apache directory access & Suse AppArmor

On Wed, Oct 15, 2008 at 10:55 PM, Yoom Nguyen <yoom@xxxxxxxxxxxxxx> wrote:
> Eric,
>
> I got most of what you described but there are still something unclear to me.
> If I want the WHOLE directory /images to allow view by the OS (AppArmor) and deny view via the network by
> every other network except net work 172.10.10.0/255.255.255.0 to read.
> Only allow network 172.10.10.0/255.255.255.0 to view or access.
> What are the syntax look like?

Sorry, I can only speak to the Apache side of it, which looks fine. Of
course if you configure your OS to make something unreadable, the
apache access control is moot.


> 2. From Appache configuration file, add the following lines:
>
>  <Directory "/srv/www/my-domain/images/">
>     Options None
>     Order deny,allow
>     Deny from all
>     Allow from 172.10.10.0/255.255.255.0
>  </Directory>



-- 
Eric Covener
covener@xxxxxxxxx

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux