Apache <Files>...</Files> problem
Hi all - happy new year to everyone!
I'm having a problem with the <Files> directive under SuSE 9.2 pro. I have posted on users@httpd.apache.org for help, but to no avail. People have checked my httpd.conf directory syntax as OK, and I still do not appear to be getting the correct functionality for the <Files>...</Files> container.
Using the following in my httpd.conf file:
<Directory /srv/www/htdocs/KAR/websites/pub/computing/apache-test>
    Options None
    Order deny,allow
    Deny from all
    <Files *.php>
        Order deny,allow
        Deny from all
    </Files>
</Directory>
(I restarted apache with /etc/init.d/apache2 stop, then start.)
If you go to that directory, you will get permission denied for the directory, which is not even listed in the /pub/computing/ directory, as expected.
If you then add the following filename, get_vars.php, you will be able to access that file, as well as me from localhost.
Here is the URL:
http://www.karsites.net/KAR/websites/pub/computing/apache-test/get_vars.php
And the log entries are:
For an unsuccessful request using: http://www.karsites.net/KAR/websites/pub/computing/apache-test/
127.0.0.1 - - [29/Dec/2005:20:48:26 +0000] "GET /KAR/websites/pub/computing/apache-test/ HTTP/1.1" 403 350
For a successful request using: http://www.karsites.net/KAR/websites/pub/computing/apache-test/get_vars.php
127.0.0.1 - - [29/Dec/2005:20:50:14 +0000] "GET /KAR/websites/pub/computing/apache-test/get_vars.php HTTP/1.1" 200 1721
Any ideas as to why this is happening please?
Regards - Keith Roberts
On Sunday 01 January 2006 12:31 pm, suse@karsites.net wrote:
<Directory /srv/www/htdocs/KAR/websites/pub/computing/apache-test>
    Options None
    Order deny,allow
    Deny from all
    <Files *.php>
        Order deny,allow
        Deny from all
    </Files>
</Directory>
(I restarted apache with /etc/init.d/apache2 stop, then start.)
If you go to that directory, you will get permission denied for the directory, which is not even listed in the /pub/computing/ directory, as expected.
You have Options None, so unless you have an index in that directory, I believe it is correct for apache to throw a permission denied.
Scott
--
POPFile, the OpenSource EMail Classifier http://popfile.sourceforge.net/
Linux 2.6.11.4-21.10-default x86_64 SuSE Linux 9.3 (x86-64)
That is correct Scott. My point is with that setup, although Options is none and access to the directory is forbidden, which is what I wanted, I can still access the file get_vars.php in the forbidden directory. Is that correct behaviour for the setting of the <Files> container?
Keith
On Sun, 1 Jan 2006, Scott Leighton wrote:
To: suse-security@suse.com
From: Scott Leighton <helphand@pacbell.net>
Subject: Re: [suse-security] Apache <Files>...</Files> problem
On Sunday 01 January 2006 12:31 pm, suse@karsites.net wrote:
<Directory /srv/www/htdocs/KAR/websites/pub/computing/apache-test>
    Options None
    Order deny,allow
    Deny from all
    <Files *.php>
        Order deny,allow
        Deny from all
    </Files>
</Directory>
(I restarted apache with /etc/init.d/apache2 stop, then start.)
If you go to that directory, you will get permission denied for the directory, which is not even listed in the /pub/computing/ directory, as expected.
You have Options None, so unless you have an index in that directory, I believe it is correct for apache to throw a permission denied.
Scott
On Sunday, 1 January 2006 21:31 suse@karsites.net wrote:
I'm having a problem with the <Files> directive under SuSE 9.2 pro. ... Using the following in my httpd.conf file:
<Directory /srv/www/htdocs/KAR/websites/pub/computing/apache-test>
    Options None
    Order deny,allow
    Deny from all
    <Files *.php>
        Order deny,allow
        Deny from all
    </Files>
</Directory>
This should hide the directory apache-test/ in the directory listing of computing/, deny access to computing/apache-test/ for anyone and additionally somewhat superfluous deny access for anyone to *.php files within computing/apache-test/.
That's also exactly what happens on my server with that config.
If you go to that directory, you will get permission denied for the directory, which is not even listed in the /pub/computing/ directory, as expected.
It's ok you don't even see apache-test/ cause it's declared taboo by the configuration.
If you then add the following filename, get_vars.php, you will be able to access that file, as well as me from localhost.
That's really astonishing, this should not work with that config and also doesn't on my server.
I assume most probably you have an additional directive somewhere that interferes with the above one or you might have mixed up different config files, startup scripts, posted a cutout of the wrong file or so... Otherwise this could be a serious bug. First you should check this with a new, very minimalistic httpd.conf that you expand step by step with single directives of the current conf up to the point where this strange behaviour appears.
Hope this helps a bit,
Joe
Here is the URL:
http://www.karsites.net/KAR/websites/pub/computing/apache-test/get_vars.php
And the log entries are:
For an unsuccessful request using: http://www.karsites.net/KAR/websites/pub/computing/apache-test/
127.0.0.1 - - [29/Dec/2005:20:48:26 +0000] "GET /KAR/websites/pub/computing/apache-test/ HTTP/1.1" 403 350
For a successful request using: http://www.karsites.net/KAR/websites/pub/computing/apache-test/get_vars.php
127.0.0.1 - - [29/Dec/2005:20:50:14 +0000] "GET /KAR/websites/pub/computing/apache-test/get_vars.php HTTP/1.1" 200 1721
Any ideas as to why this is happening please?
Regards - Keith Roberts
Hi Joe.
I have downloaded the latest version of apache 2.0.55.
Used their httpd-std.conf as base point to work with.
Went through that file, and added my own config Include files in the appropriate places. Still have the problem.
Do you have any links to a minimal httpd.conf that I can start again with please?
Keith
On Sun, 1 Jan 2006, Joe Knall wrote:
To: suse-security@suse.com
From: Joe Knall <joe.knall@gmx.net>
Subject: Re: [suse-security] Apache <Files>...</Files> problem
This should hide the directory apache-test/ in the directory listing of computing/, deny access to computing/apache-test/ for anyone and additionally somewhat superfluous deny access for anyone to *.php files within computing/apache-test/.
That's also exactly what happens on my server with that config.
That's really astonishing, this should not work with that config and also doesn't on my server.
I assume most probably you have an additional directive somewhere that interferes with the above one or you might have mixed up different config files, startup scripts, posted a cutout of the wrong file or so... Otherwise this could be a serious bug. First you should check this with a new, very minimalistic httpd.conf that you expand step by step with single directives of the current conf up to the point where this strange behaviour appears.
Hope this helps a bit,
Joe
On Sunday, 1 January 2006 23:04 suse@karsites.net wrote:
Hi Joe.
I have downloaded the latest version of apache 2.0.55.
Used their httpd-std.conf as base point to work with.
Went through that file, and added my own config Include files in the appropriate places. Still have the problem.
Do you have any links to a minimal httpd.conf that I can start again with please?
Keith
Well, I don't but I'll walk over my current conf and send it to you off list, may take an hour or so.
Joe
That's very kind of you Joe. Will be looking forward to that.
Keith
On Sun, 1 Jan 2006, Joe Knall wrote:
To: suse-security@suse.com
From: Joe Knall <joe.knall@gmx.net>
Subject: Re: [suse-security] Apache <Files>...</Files> problem
Do you have any links to a minimal httpd.conf that I can start again with please?
Keith
Well, I don't but I'll walk over my current conf and send it to you off list, may take an hour or so.
Joe
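An added example, not part of the thread or of Apache itself: one way to follow Joe's suggestion of hunting for an interfering directive is to list every section that carries Order/Allow/Deny/Satisfy in the order Apache merges sections (<Directory>, then <DirectoryMatch>, then <Files>/<FilesMatch>, then <Location>/<LocationMatch>), since a later section overrides an earlier one. The function names, SAMPLE_CONF and its <Location /KAR> block are assumptions constructed for illustration; the thread does not state the actual cause, and Include files are not followed, so feed it the full configuration text.

```python
import re

# Apache merge phases; a section merged in a later phase overrides an earlier one.
PHASE = {"directory": 1, "directorymatch": 2, "files": 3,
         "filesmatch": 3, "location": 4, "locationmatch": 4}
ACCESS = {"order", "allow", "deny", "satisfy"}

# Constructed sample: the thread's <Directory> block plus a hypothetical <Location>.
SAMPLE_CONF = """\
<Directory /srv/www/htdocs/KAR/websites/pub/computing/apache-test>
    Options None
    Order deny,allow
    Deny from all
    <Files *.php>
        Order deny,allow
        Deny from all
    </Files>
</Directory>
# hypothetical, not from the thread
<Location /KAR>
    Order allow,deny
    Allow from all
</Location>
"""

def phase_of(name, arg):  # <Directory ~ regex> merges with <DirectoryMatch>
    return 2 if name == "directory" and arg.startswith("~") else PHASE.get(name, 0)

def access_sections(conf_text):
    """Return [(phase, start_line, container_path, directives)] in merge order."""
    stack, found = [], {}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        tag = re.match(r"<\s*(/?)(\w+)\s*(.*?)>$", line)
        if tag and tag.group(1):
            stack[-1:] = []          # closing tag: drop the innermost container
        elif tag:
            stack.append((tag.group(2).lower(), tag.group(3).strip(), lineno))
        elif stack and line and line.split()[0].lower() in ACCESS:
            found.setdefault(stack[-1][2], (tuple(stack), []))[1].append(line)
    out = []
    for start, (path, directives) in found.items():
        phase = next((phase_of(n, a) for n, a, _ in reversed(path) if phase_of(n, a)), 0)
        out.append((phase, start, " > ".join(f"<{n} {a}>" for n, a, _ in path), directives))
    return sorted(out)

if __name__ == "__main__":
    for phase, start, where, directives in access_sections(SAMPLE_CONF):
        print(f"phase {phase}, line {start}: {where}: {'; '.join(directives)}")
```

The last entry printed is the section merged last; in the constructed sample that is the hypothetical <Location /KAR> block, whose Allow would win over both Deny rules.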