Apache - Surprised by web access to .htaccess etc.

Thread in the Linux Web Servers forum (Usenet Forums > Web Server and Related Forums).

#1  09-30-2005  Alan J. Flavell


I've just stumbled on a surprise, which I thought I'd put on record,
and possibly propose a change to the distributed configuration sample.

In the distributed Apache configuration, there's a stanza like this:

<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

which denies web access to .htaccess and, possibly, other sensitive
files (.htpasswd maybe).

I was surprised, in one part of our server tree, to find that I
*could*, in fact, view the contents of .htaccess, .htpasswd etc.

Here's the explanation, as I now understand it.

This was an area which is permitted access not only from users at
local addresses, but also, by password, by users at remote addresses.
So it has an .htaccess file containing this kind of stuff:

order deny,allow
deny from all
allow from [list of addresses]

AuthType basic
[etc]

satisfy any
^^^^^^^^^^^

This is overriding the protection that came from the main
configuration for these files. The "satisfy any" is taking effect,
and resulting in the .ht* files being accessible to anyone who can
quote the remote access credentials for the area. This had *not* been
our intention.

What I've found is that if the main configuration is amended by adding
"satisfy all", thus:

<Files ~ "^\.ht">
Order allow,deny
Deny from all
satisfy all
</Files>

then by default it works as intended.

*If* it had been intended to grant access to the .htaccess etc. files
(which in our case it wasn't), then this can still be overridden by an
explicit "satisfy any" in the .htaccess.

This seems to me to be a safer default than what's currently
distributed (our Apache version reports itself as
"Server: Apache/2.0.46 (Red Hat)").

This isn't yet a proper bug report, as I haven't tried the latest
version of Apache; but I can't find any mention of this issue in the
existing bug reports...

Consequently, could I recommend considering adding "satisfy all" to
the distributed main configuration, httpd.conf?

Thanks.
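The post above describes a global stanza that is silently defeated by a per-directory "satisfy any". The script below is an added example, not code from the thread or from the Apache project: it audits an httpd.conf text and a DocumentRoot tree for exactly that pattern, flagging whether the global <Files ~ "^\.ht"> stanza carries "Satisfy all" and which .htaccess files contain an uncommented "satisfy any" (which, by .htaccess inheritance, also governs subdirectories that do not set Satisfy themselves). It uses the 2.0/2.2 Order/Allow/Deny/Satisfy syntax under discussion; the sample tree and stanzas it builds are constructed for the run. It does not reproduce Apache's full section-merge logic, so a "CHECK_OVERRIDES" verdict means: confirm with a real request against /.htaccess and /.htpasswd in that directory and expect a 403. (Apache 2.4 replaced these directives with Require, and its shipped configuration denies .ht* with "Require all denied"; this audit does not cover that syntax.)

```python
r"""Offline audit for ".ht*" files exposed by a per-directory "Satisfy any"
overriding the global <Files ~ "^\.ht"> stanza (Apache 2.0/2.2 syntax).

Added example, not code from the thread.  Assumes httpd.conf is available as
text and the DocumentRoot as a directory tree; Apache itself is not consulted.
The sample tree built by build_sample_docroot() is constructed for this run."""
import os
import re
import tempfile

# <Files ~ "regex"> / <FilesMatch "regex"> ... </Files>; Apache is case-insensitive here.
_SECTION_RE = re.compile(
    r'<(?:Files\s+~|FilesMatch)\s+"(?P<pat>[^"]*)"\s*>(?P<body>.*?)</Files(?:Match)?>',
    re.IGNORECASE | re.DOTALL)
_SATISFY_RE = re.compile(r'^\s*satisfy\s+(any|all)\b', re.IGNORECASE | re.MULTILINE)
_DENY_ALL_RE = re.compile(r'^\s*deny\s+from\s+all\b', re.IGNORECASE | re.MULTILINE)


def _strip_comments(text):
    """Drop whole-line '#' comments so a commented-out directive does not count."""
    return "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith("#"))


def main_config_protects_ht(conf_text):
    """True if a <Files ~ ...>/<FilesMatch ...> stanza whose regex matches both
    .htaccess and .htpasswd contains 'Deny from all' AND 'Satisfy all'.
    Apache compiles these patterns with PCRE; for the simple anchored patterns
    found in httpd.conf Python's re is an adequate stand-in."""
    for m in _SECTION_RE.finditer(_strip_comments(conf_text)):
        try:
            pat = re.compile(m.group("pat"))
        except re.error:
            continue
        if not (pat.search(".htaccess") and pat.search(".htpasswd")):
            continue
        body = m.group("body")
        satisfy = _SATISFY_RE.search(body)
        if _DENY_ALL_RE.search(body) and satisfy and satisfy.group(1).lower() == "all":
            return True
    return False


def find_satisfy_any(docroot):
    """Directories (relative to docroot) whose .htaccess has an uncommented
    'Satisfy any'.  Without 'Satisfy all' in the global .ht* stanza that
    directive also applies to .htaccess/.htpasswd there: the thread's finding."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        dirnames.sort()  # deterministic traversal order
        if ".htaccess" not in filenames:
            continue
        with open(os.path.join(dirpath, ".htaccess"), encoding="utf-8", errors="replace") as fh:
            text = _strip_comments(fh.read())
        if any(m.group(1).lower() == "any" for m in _SATISFY_RE.finditer(text)):
            hits.append(os.path.relpath(dirpath, docroot))
    return hits


def audit(conf_text, docroot):
    """(verdict, global_satisfy_all, satisfy_any_dirs) for one server."""
    protected = main_config_protects_ht(conf_text)
    risky = find_satisfy_any(docroot)
    if not risky:
        verdict = "OK"
    elif not protected:
        verdict = "LIKELY_EXPOSED"    # the situation described in the thread
    else:
        verdict = "CHECK_OVERRIDES"   # global Satisfy all present; confirm with a request
    return verdict, protected, risky


# Stanza as shipped with Apache 2.0.x (from the thread): no Satisfy at all.
SHIPPED_20_STANZA = r'''
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
'''

# Stanza with the fix proposed in the thread (what 1.3.21+ shipped).
HARDENED_STANZA = r'''
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
'''


def build_sample_docroot():
    """Constructed sample tree (not from the thread): one password/IP area with
    'satisfy any', one with a commented-out copy, one IP-only area."""
    root = tempfile.mkdtemp(prefix="htaudit-")
    layout = {
        "public": "Options -Indexes\n",
        "staff": ("order deny,allow\ndeny from all\nallow from 192.0.2.0/24\n"
                  "AuthType Basic\nAuthName \"Staff\"\nAuthUserFile /etc/httpd/.htpasswd\n"
                  "require valid-user\nsatisfy any\n"),
        "staff/archive": "# satisfy any   <- commented out, must not count\n",
        "intranet": "Order deny,allow\nDeny from all\nAllow from 10.0.0.0/8\nSatisfy All\n",
    }
    for rel, content in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_docroot()
    for name, conf in (("shipped 2.0.x", SHIPPED_20_STANZA), ("with Satisfy All", HARDENED_STANZA)):
        print(name, "->", audit(conf, root))
```

Run it against a real server as `audit(open("/etc/httpd/conf/httpd.conf").read(), "/var/www/html")`; an "OK" only means no per-directory "satisfy any" was found, not that every other authorization path has been reviewed.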
#2  10-01-2005  Marc

On Fri, 30 Sep 2005 12:35:08 +0100, "Alan J. Flavell" wrote:

>What I've found is that if the main configuration is amended by adding
>"satisfy all", thus:
>
><Files ~ "^\.ht">
> Order allow,deny
> Deny from all
> satisfy all
></Files>
>
>then by default it works as intended.


I'm still using apache 1.3.33, and this is exactly how it is configured. I
don't know why "satisfy all" was removed in v2.

--
Marc
#3  10-01-2005  Alan J. Flavell

On Sat, 1 Oct 2005, Marc wrote:

> On Fri, 30 Sep 2005 12:35:08 +0100, "Alan J. Flavell" wrote:
>
> >What I've found is that if the main configuration is amended by adding
> >"satisfy all", thus:
> >
> ><Files ~ "^\.ht">
> > Order allow,deny
> > Deny from all
> > satisfy all
> ></Files>
> >
> > >then by default it works as intended.
>
> I'm still using apache 1.3.33, and this is exactly how it is configured.


Thanks. So it is! I even checked an old version 1.3.28 that I
happened to have around here, and it's the same.

> I don't know why "satisfy all" was removed in v2.


Strange, isn't it? I've now downloaded the latest stable version
(2.0.54) and it, too, is missing the "satisfy all" which we see in the
1.3.* versions.

Unless someone from Apache cares to step in and comment on this, I'll
try to take a moment later to call this in to Apache HQ as a buglet in
version 2.

best regards
#4  10-01-2005  Klaus Johannes Rusch

Alan J. Flavell wrote:

> I've just stumbled on a surprise, which I thought I'd put on record,
> and possibly propose a change to the distributed configuration sample.
>
> In the distributed Apache configuration, there's a stanza like this:
>
> <Files ~ "^\.ht">
> Order allow,deny
> Deny from all
> </Files>
>
> which denies web access to .htaccess and, possibly, other sensitive
> files (.htpasswd maybe).


A handler is an alternate way to protect these files without relying on
permissions settings:

AddHandler ignore .htaccess
AddHandler ignore .htgroup
AddHandler ignore .htpasswd
Action ignore /script/error403

--
Klaus Johannes Rusch
KlausRusch@atmedia.net
http://www.atmedia.net/KlausRusch/
#5  10-01-2005  Nick Kew

Alan J. Flavell wrote:
>
> Unless someone from Apache cares to step in and comment on this, I'll
> try to take a moment later to call this in to Apache HQ as a buglet in
> version 2.


FWIW, configuration in 2.2 (the forthcoming stable release, to follow
the current 2.1.x betas) is due to be muchly stripped down, with some
*examples* for admins but no big *default* config. Any such changes
in 2.0.x are unlikely now, but your point could be relevant to 2.1/2.2
if it's not adequately commented in the examples.

--
Nick Kew
#6  10-01-2005  André Malo

* Alan J. Flavell wrote:

> Unless someone from Apache cares to step in and comment on this, I'll
> try to take a moment later to call this in to Apache HQ as a buglet in
> version 2.


It just wasn't ported forward ;-)
The Satisfy All was added in 1.3.21, the fork to 2.0 happened before
1.3.10...

nd
--
die (eval q-qq:Just Another Perl Hacker
:-)

# André Malo, <http://pub.perlig.de/> #