Apache - Surprised by web access to .htaccess etc. (Linux Web Servers forum)

I've just stumbled on a surprise, which I thought I'd put on record, and possibly propose a change to the distributed configuration sample.

In the distributed Apache configuration, there's a stanza like this:

    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
    </Files>

which denies web access to .htaccess and, possibly, other sensitive files (.htpasswd maybe).

I was surprised, in one part of our server tree, to find that I *could*, in fact, view the contents of .htaccess, .htpasswd etc.

Here's the explanation, as I now understand it. This was an area which is permitted access not only from users at local addresses, but also, by password, by users at remote addresses. So it has an .htaccess file containing this kind of stuff:

    order deny,allow
    deny from all
    allow from [list of addresses]
    AuthType basic
    [etc]
    satisfy any
    ^^^^^^^^^^^

This is overriding the protection that came from the main configuration for these files. The "satisfy any" is taking effect, and resulting in the .ht* files being accessible to anyone who can quote the remote access credentials for the area. This had *not* been our intention.

What I've found is that if the main configuration is amended by adding "satisfy all", thus:

    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
        satisfy all
    </Files>

then by default it works as intended. *If* it had been intended to grant access to the .htaccess etc. files (which in our case it wasn't), then this can still be overridden by an explicit "satisfy any" in the .htaccess.

This seems to me to be a safer default than what's currently distributed (our Apache version reports itself as "Server: Apache/2.0.46 (Red Hat)"). This isn't yet a proper bug report, as I haven't tried the latest version of Apache; but I can't find any mention of this issue in the existing bug reports...

Consequently, could I recommend considering adding "satisfy all" to the distributed main configuration, httpd.conf?

Thanks.
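As an added illustration (not part of the original thread), the three pieces of the configuration described above side by side; the directory path and the address list are placeholders, and it is assumed that AllowOverride for the directory includes AuthConfig, which is what lets a .htaccess set Satisfy at all.

```apache
# --- httpd.conf: the stanza as distributed with Apache 2.0 (per the post) ---
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    # No Satisfy here, so whatever Satisfy applies to the directory is inherited.
</Files>

# --- /var/www/html/private/.htaccess (placeholder path) ---
# Local addresses get in without a password; everyone else must authenticate.
# "Satisfy any" means EITHER the host rule OR the auth rule is enough.
Order deny,allow
Deny from all
Allow from 192.0.2.0/24          # placeholder for the local address list
AuthType Basic
AuthName "Private area"
AuthUserFile /var/www/html/private/.htpasswd
Require valid-user
Satisfy any
# Effect on .htaccess/.htpasswd in this directory: the <Files> stanza above
# contributes only "Deny from all", the directory contributes "Satisfy any"
# plus the auth rule, so a client presenting valid credentials passes the
# "any" test and can read the .ht* files, exactly as the post describes.

# --- httpd.conf: the amended stanza proposed in the post ---
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy all      # host rule AND auth rule must both pass; "Deny from all"
</Files>             # therefore blocks every client, credentials or not
```

A quick check after the change is to request /private/.htaccess with valid credentials and confirm the server answers 403 rather than serving the file.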
On Fri, 30 Sep 2005 12:35:08 +0100, "Alan J. Flavell" wrote:
> What I've found is that if the main configuration is amended by adding
> "satisfy all", thus:
>
>     <Files ~ "^\.ht">
>         Order allow,deny
>         Deny from all
>         satisfy all
>     </Files>
>
> then by default it works as intended.

I'm still using apache 1.3.33, and this is exactly how it is configured. I don't know why "satisfy all" was removed in v2.

--
Marc
On Sat, 1 Oct 2005, Marc wrote:
> On Fri, 30 Sep 2005 12:35:08 +0100, "Alan J. Flavell" wrote:
>
> > What I've found is that if the main configuration is amended by adding
> > "satisfy all", thus:
> >
> >     <Files ~ "^\.ht">
> >         Order allow,deny
> >         Deny from all
> >         satisfy all
> >     </Files>
> >
> > then by default it works as intended.
>
> I'm still using apache 1.3.33, and this is exactly how it is configured.

Thanks. So it is! I even checked an old version 1.3.28 that I happened to have around here, and it's the same.

> I don't know why "satisfy all" was removed in v2.

Strange, isn't it? I've now downloaded the latest stable version (2.0.54) and it, too, is missing the "satisfy all" which we see in the 1.3.* versions.

Unless someone from Apache cares to step in and comment on this, I'll try to take a moment later to call this in to Apache HQ as a buglet in version 2.

best regards
Alan J. Flavell wrote:
> I've just stumbled on a surprise, which I thought I'd put on record,
> and possibly propose a change to the distributed configuration sample.
>
> In the distributed Apache configuration, there's a stanza like this:
>
>     <Files ~ "^\.ht">
>         Order allow,deny
>         Deny from all
>     </Files>
>
> which denies web access to .htaccess and, possibly, other sensitive
> files (.htpasswd maybe).

A handler is an alternate way to protect these files without relying on permissions settings:

    AddHandler ignore .htaccess
    AddHandler ignore .htgroup
    AddHandler ignore .htpasswd
    Action ignore /script/error403

--
Klaus Johannes Rusch
KlausRusch@atmedia.net
http://www.atmedia.net/KlausRusch/
Alan J. Flavell wrote:
> Unless someone from Apache cares to step in and comment on this, I'll
> try to take a moment later to call this in to Apache HQ as a buglet in
> version 2.

FWIW, configuration in 2.2 (the forthcoming stable release, to follow the current 2.1.x betas) is due to be muchly stripped down, with some *examples* for admins but no big *default* config. Any such changes in 2.0.x are unlikely now, but your point could be relevant to 2.1/2.2 if it's not adequately commented in the examples.

--
Nick Kew
* Alan J. Flavell wrote:
> Unless someone from Apache cares to step in and comment on this, I'll
> try to take a moment later to call this in to Apache HQ as a buglet in
> version 2.

It just wasn't ported forward ;-) The Satisfy All was added in 1.3.21, the fork to 2.0 happened before 1.3.10...

nd

--
die (eval q-qq:Just Another Perl Hacker :-) # André Malo, <http://pub.perlig.de/> #