|Inheritence of access control directives|
Apache configuration issues
| 2:50 pm on Apr 20, 2011 (gmt 0)|
please have a look at the following configuration excerpt:
Deny from All
Allow from All
I initially thought that the directory "d:/www/site" would not be accessible since the second
Directory directive inherits from the first one and the combination of
Allow should result in a double match which in turn (due to the Order directive) should result in a
But I seem to be wrong (I tried it), but I don't understand why ....
Anybody out there to give me a hint?
Thanx in advance!
| 4:24 pm on Apr 20, 2011 (gmt 0)|
AFAICT, D: is not covered with any rule, so it is allowed.
| 7:43 pm on Apr 20, 2011 (gmt 0)|
Thanks for your reply.
Sorry, my fault, I wanted to ask about directory "c:/www/site" of course (not drive D:) ...
| 7:10 am on Apr 21, 2011 (gmt 0)|
C:/www/site is allowed because you explicitly allowed it (override) in the second rule.
| 6:54 pm on Apr 25, 2011 (gmt 0)|
The directory paths given in the <Directory> containers should be relative to DocumentRoot, not to the filesystem root. Otherwise, this should work.
With "Allow,Deny", the Denys should override the Allows.
See the notes on path-length-based <Directory> processing at [httpd.apache.org...] to confirm your intent.
| 7:05 pm on Apr 26, 2011 (gmt 0)|
Thanks Jim for your considerations.
I also thought it should work, but it doesn't (I tested it).
It seems that all subdirs inherit access control from its parent dirs, but as soon as you start to specify some Allow or Deny directives in a subdir, they are not merged to the directives of the parent dir, but they overwrite them starting from scratch!
So at the end (since
Order Deny,Allow is the default), the second directive actually seems to be interpreted as
Allow from All
I carefully read the Apache docs, but I did not find any hints about this special case...