Forum Moderators: phranque
I have a few virtual hosts; each virtual host has webmail. PHP is installed and open_basedir is set to their home (/var/www/x/yyy/).
webmail is installed in /var/www/x/yyy/home/webmail
I need to turn off open_basedir for some directories (using php_admin_value open_basedir none); all files (except one directory) are symlinks and open_basedir blocks symlinks.
turn off open_basedir mode (this works):
<Directory ~ "^/var/www/.*/.*/home/webmail/(class|config|functions|help|include|locale|plugins|src|themes)">
php_admin_value open_basedir none
</Directory>
disable access to non-src directories (this does not work):
<Directory ~ !^/var/www/.*/.*/home/webmail/src>
Order deny,allow
Deny from All
</Directory>
this does not work either:
<Directory ~ ^/var/www/.*/.*/home/webmail/[^(src)]>
Order deny,allow
Deny from All
</Directory>
set some php values (this works):
<Directory ~ /var/www/.*/.*/home/webmail/(src|plugins)>
php_value session.gc_maxlifetime 7200
php_value memory_limit 150M
php_flag magic_quotes_gpc Off
</Directory>
and I need to turn off open_basedir mode for /index.php (only in the webmail directory) - this works but it enables all index.php files in subdirectories too:
<Directory ~ "/var/www/.*/.*/home/webmail/">
<Files ~ ^index\.php$>
php_admin_value open_basedir none
</Files>
</Directory>
structure of webmail directory (all files/directories are symlinks except data):
class
config
data
favicon.ico
functions
help
images
include
index.php
locale
plugins
src
themes
So generally I have a problem with directory negation and with specifying exactly /index.php.
Thank you for your help
Lampa
disable access to non-src directories (this does not work):
Use a negative lookahead if you need to do so: ..../(?!src)
The other way would be to disallow access to ..../home/webmail/
and below that section allow access with another <Directory ~ ....> section to ..../home/webmail/src
(overriding the prior setting for the subdir and below only).
and I need to turn off open_basedir mode for /index.php (only in the webmail directory) - this works but it enables all index.php files in subdirectories too:
..../home/webmail/$
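Both questions in the post (negating a directory, and pinning a section to webmail/ itself rather than its subdirectories) come down to how each regex is tested against a path. The Python script below is an added example, not code from the thread or from Apache: it replays the thread's patterns (with the | alternation restored) against sample paths built from the poster's layout. It assumes, as the Apache 2.2 line did, that a <Directory ~> regex is tested against the full filesystem path of the requested file, which is why an unanchored pattern covers the whole subtree and why a $ directly after webmail/ never matches a file (the DirectoryMatch documentation notes that before 2.3.9 the section implicitly applied to subdirectories and could not match $), and that <Files ~> is tested against the basename. The src-old directory, the index.php.bak file and the pattern labels are constructed for the example.

```python
"""Which <Directory ~> and <Files ~> regex sections apply to a request path?

Constructed example, not code from the thread or from Apache. Assumption:
as in the Apache 2.2 line, a <Directory ~> regex is searched in the full
filesystem path of the requested file (so an unanchored tail matches the
whole subtree), and a <Files ~> regex is searched in the basename only.
"""
import re
from os.path import basename

# Sample paths in the poster's layout. "src-old" and "index.php.bak" are
# constructed names, added only to show how loose patterns treat them.
WEBMAIL = "/var/www/x/yyy/home/webmail"
SAMPLE_PATHS = [
    WEBMAIL + "/index.php",
    WEBMAIL + "/index.php.bak",
    WEBMAIL + "/favicon.ico",
    WEBMAIL + "/src/",
    WEBMAIL + "/src/index.php",
    WEBMAIL + "/src/login.php",
    WEBMAIL + "/class/mime.php",
    WEBMAIL + "/data/prefs.txt",
    WEBMAIL + "/plugins/foo/index.php",
    WEBMAIL + "/src-old/index.php",
]

# <Directory ~> candidates from the thread, in "configuration" order.
DIRECTORY_PATTERNS = {
    # '!' is a literal here and '^' can then never match: no path matches.
    "bang":       r"!^/var/www/.*/.*/home/webmail/src",
    # A character class, not a negation: it skips any name starting with
    # '(', 's', 'r', 'c' or ')', so it also misses 'class' and 'config'.
    "charclass":  r"^/var/www/.*/.*/home/webmail/[^(src)]",
    # Negative lookahead as suggested in the reply. It also spares any
    # sibling whose name merely starts with 'src' (see src-old below).
    "lookahead":  r"^/var/www/[^/]+/[^/]+/home/webmail/(?!src)",
    # Tighter form: only the directory named exactly 'src' is spared.
    "lookahead2": r"^/var/www/[^/]+/[^/]+/home/webmail/(?!src/)",
    # '$' right after 'webmail/' cannot match any file inside the directory.
    "dollar":     r"^/var/www/[^/]+/[^/]+/home/webmail/$",
    # At least one more path component: everything below webmail/, never
    # webmail/ itself.
    "subdir":     r"^/var/www/[^/]+/[^/]+/home/webmail/[^/]+/",
}

# <Files ~> candidates: the unanchored form from the replies, the anchored
# form from the first post, and the list form with an empty alternative
# (which matches a directory request, whose basename is "").
FILES_PATTERNS = {
    "loose":  r"index.php",           # unanchored, and '.' matches any char
    "strict": r"^index\.php$",
    "list":   r"^(index\.php|favicon\.ico|)$",
}


def matching_directory_sections(path, patterns=DIRECTORY_PATTERNS):
    """Names of the <Directory ~> patterns matching `path`, in config order."""
    return [name for name, rx in patterns.items() if re.search(rx, path)]


def matching_files_sections(path, patterns=FILES_PATTERNS):
    """Names of the <Files ~> patterns matching the basename of `path`."""
    name = basename(path)
    return [label for label, rx in patterns.items() if re.search(rx, name)]


def report(paths=SAMPLE_PATHS):
    """Map each sample path to the (directory, files) sections that apply."""
    return {p: (matching_directory_sections(p), matching_files_sections(p))
            for p in paths}


if __name__ == "__main__":
    for path, (dirs, files) in report().items():
        rel = path[len(WEBMAIL):]
        print(f"{rel:<24} dir: {', '.join(dirs) or '-':<36} "
              f"files: {', '.join(files) or '-'}")
```

Running it prints one row per sample path. The charclass row for /class/mime.php shows why that attempt "does not work": the class and config directories fall outside the section by accident of their first letter. The loose Files pattern also picks up index.php.bak, which matters when the enclosed directive is php_admin_value open_basedir none, so anchoring it as in the first post (^index\.php$) is the safer choice.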
<Directory ~ ^/var/www/[^/]+/[^/]+/home/webmail/(class|config|functions|help|include|locale|plugins|src|themes)>
php_admin_value open_basedir none
</Directory>
<Directory ~ ^/var/www/[^/]+/[^/]+/home/webmail/(?!src)>
Order deny,allow
Deny from All
</Directory>
<Directory ~ ^/var/www/[^/]+/[^/]+/home/webmail/$>
<Files ~ index.php>
php_admin_value open_basedir none
Order deny,allow
Allow from all
</Files>
</Directory>
<Directory ~ /var/www/[^/]+/[^/]+/home/webmail/(src|plugins)>
php_value session.gc_maxlifetime 7200
php_value memory_limit 150M
php_flag magic_quotes_gpc Off
</Directory>
but it seems that <Directory ...><Files index.php>... is not working; the rest works perfectly.
When going to /var/www/x/yyy/home/webmail/index.php I get Forbidden, which is caused by the 2nd <Directory>.
thank you again, misters and masters
Jim
To address files found in a particular part of the filesystem, the <Files> and <Directory> sections can be combined. For example, the following configuration will deny access to /var/web/dir1/private.html, /var/web/dir1/subdir2/private.html, /var/web/dir1/subdir3/private.html, and any other instance of private.html found under the /var/web/dir1/ directory.
<Directory /var/web/dir1>
<Files private.html>
Order allow,deny
Deny from all
</Files>
</Directory>
but this matches subfolders too (/var/web/dir1/#*$!, /var/web/dir1/yyy) and that is bad; I need to enable exactly one file in one directory, and ^/var/web/dir1$ is not working
One thing that's very important when thinking about configuration directives is to understand module execution order and directive processing order. Although we loosely refer to configuration directives as "code," it's critical to understand that directives are not executed as a sequential program; each Apache module executes the directives that it understands, in the order determined by Apache. And even directives within the same module (or core) may not execute in the strict order that they appear in your config file.
What I was suggesting is this:
You are currently using a mutual-exclusion construct; you have two containers, both referring to the same <Directory>, but one contains further filepath-specification refinements to make it more specific than the other. However, it appears that this construct is not working as you (or I) expect.
Therefore, it might be helpful to try to 'merge' the two <Directory> containers, so that the resulting single <Directory> container refers to the whole directory and sets access denied, and then embed a <Files> container to Allow access for only a few files. (I may have the file allow/deny backwards here, but the concept still holds.)
Jim
In the Apache docs:
Regular expressions are not considered until after all of the normal sections have been applied. Then all of the regular expressions are tested in the order they appeared in the configuration file
I have only regular expressions, so I tried changing the rule order, but with no success.
Is there some way to debug a request and see which rules are applied?
That means that you have to override the values again, to avoid a request to ..../webmail/foo/index.php being allowed too.
<Directory ~ ^/var/www/[^/]+/[^/]+/home/webmail>
<Files ~ index.php>
php_admin_value open_basedir none
Order deny,allow
Allow from all
</Files>
</Directory>
<Directory ~ ^/var/www/[^/]+/[^/]+/home/webmail/[^/]+/>
<Files ~ index.php>
Order allow,deny
Deny from all
</Files>
</Directory>
So your (merged) result could look like
<Directory ~ ^/var/www/[^/]+/[^/]+/home/webmail/(class|config|functions|help|include|locale|plugins|src|themes)>
php_admin_value open_basedir none
</Directory>
<Directory ~ ^/var/www/[^/]+/[^/]+/home/webmail>
Order deny,allow
Deny from All
<Files ~ index.php>
php_admin_value open_basedir none
Order deny,allow
Allow from all
</Files>
</Directory>
<Directory ~ ^/var/www/[^/]+/[^/]+/home/webmail/[^/]+/>
<Files ~ index.php>
Order allow,deny
Deny from all
</Files>
</Directory>
<Directory ~ /var/www/[^/]+/[^/]+/home/webmail/(src|plugins)>
php_value session.gc_maxlifetime 7200
php_value memory_limit 150M
php_flag magic_quotes_gpc Off
<Files *>
Order deny,allow
Allow from all
</Files>
</Directory>
Are there files/folders which should not get "php_admin_value open_basedir none"? Otherwise you can merge the 1st container into the 2nd.
<Directory ~ /var/www/[^/]+/[^/]+/home/webmail>
Order deny,allow
Deny from All
<Files ~ ^(index.php|favicon.ico|)$>
Order deny,allow
Allow from All
</Files>
</Directory>
<Directory ~ ^/var/www/[^/]+/[^/]+/home/webmail/[^/]+/>
<Files ~ ^(index.php|favicon.ico|)$>
Order deny,allow
Deny from all
</Files>
</Directory>
<Directory ~ /var/www/[^/]+/[^/]+/home/webmail/src>
php_value session.gc_maxlifetime 7200
php_value memory_limit 150M
php_flag magic_quotes_gpc Off
<Files *>
Order deny,allow
Allow from All
</Files>
</Directory>
1st - deny all files except index.php, favicon.ico, /
2nd - in subdirs disable the previously enabled files (index.php, favicon.ico, /)
3rd - allow all from the src directory and set php values
but there is a problem: in the src directory, /src/index.php, /src/ and /src/favicon.ico are forbidden
This may have something to do with your problem -- and as you can tell, I cannot figure out what your problem might be, so I'm just guessing here.
You might also want to look at content negotiation (Options MultiViews), AcceptPathInfo, and mod_speling. If you are not using them then turn them off, as they all perform effective URL rewriting and can interfere with other modules.
Jim
Options none, not using mod_speling, AcceptPathInfo Default, which means that the requested URI is / and the basename (used for the Files section) of / is ""
It works the same on all servers (compiled, from the Debian distro)
using the following mods:
alias
auth_basic
authn_file
authz_host
cgi
dir
mime
mod-evasive
mod-security2
php5
setenvif
ssl
unique_id
vhost_alias