I have 2 problems, both relating to symlinks (and mod_autoindex). The first problem is with the system root directory ("/"). Although it's set to "deny from all", a symlink pointing to it still works. I can't figure out what's wrong.
The second problem is with authorization. Again, a symlink is pointing to a directory. This directory should have digest authorization enabled, but it doesn't ask for any credentials. It just opens it as if no authorization is required. The authorization itself works. I tested it by putting it in a Location section instead of Directory.
There's also a small problem when authorization works. When it works, the affected directory isn't listed in the index (mod_autoindex). I have to enter it manually in the address bar and then it's ok. But I want it to be listed in the directory index too. And when I click on it, I want Apache to ask for a UN/PW...
Here is the current virtual server configuration:
<VirtualHost *:80>
    ServerName domain
    DocumentRoot /var/www-domain
    Options +Indexes +FollowSymLinks
    IndexOptions FoldersFirst FancyIndexing IgnoreCase SuppressColumnSorting SuppressDescription SuppressLastModified XHTML NameWidth=*
    IndexIgnore *~
    ServerSignature Off
    <Files .*>
        Order Allow,Deny
        Deny From All
    </Files>
    <Directory />
        AllowOverride None
        Order Allow,Deny
        Deny From All
    </Directory>
    <Directory /var/www-domain>
        Order Deny,Allow
        Allow From All
    </Directory>
    <Directory /sdb1>
        Order Deny,Allow
        Allow From All
        AuthType Digest
        AuthName "LocalDrives"
        AuthUserFile /var/www-domain/.digest
        Require valid-user
    </Directory>
</VirtualHost>
A symlink does not cause a per-directory configuration structure to be created for the (followed) link target. There is no second dir_walk for the link target by design.
When it works, the affected directory isn't listed in the index (mod_autoindex). I have to enter it manually in the address bar and then it's ok. But I want it to be listed in the directory index too. And when I click on it, I want Apache to ask for a UN/PW...
IndexOptions ShowForbidden
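The behaviour described in the reply above (httpd matches <Directory> sections against the path mapped from the URL, not against the symlink's resolved target) can be checked across a whole document root. This is an added audit sketch, not part of the original posts; the function names are hypothetical, the directory tree is constructed, and only plain-path sections are modelled (no wildcards or regex sections).

```python
import os
import tempfile

def matching_sections(path, sections):
    """<Directory> paths covering `path`, shortest first (Apache's merge order)."""
    path = os.path.normpath(path)
    hits = []
    for sec in map(os.path.normpath, sections):
        if sec == os.sep or path == sec or path.startswith(sec + os.sep):
            hits.append(sec)
    return sorted(hits, key=len)

def audit_symlinks(docroot, sections):
    """Report every symlink under docroot and the sections its target bypasses."""
    root = os.path.realpath(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)
            applied = matching_sections(link, sections)  # what httpd matches
            findings.append({
                "link": link,
                "target": target,
                "applied": applied,
                # sections written for the target that the request never hits
                "skipped": [s for s in matching_sections(target, sections)
                            if s not in applied],
                "escapes_docroot": target != root
                                   and not target.startswith(root + os.sep),
            })
    return findings

def demo():
    """Constructed tree mirroring the thread: docroot, a drive, one symlink."""
    base = os.path.realpath(tempfile.mkdtemp())
    docroot = os.path.join(base, "www-domain")
    drive = os.path.join(base, "sdb1")
    os.mkdir(docroot)
    os.mkdir(drive)
    os.symlink(drive, os.path.join(docroot, "files"))
    return audit_symlinks(docroot, [os.sep, docroot, drive])

if __name__ == "__main__":
    print(demo())
```

A non-empty "skipped" list marks a symlink whose target has its own <Directory> rules (such as the digest authentication on /sdb1) that requests through the link never reach.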
1) If so, then what's the purpose of the suggested block?
<Directory />
AllowOverride None
Order Allow,Deny
Deny From All
</Directory>
2) Is there another way (a general way) to block/control certain directory structures other than this:
<Location /symlink>
# code for denying access
# or for user authentication
</Location>
And finally, thanks for the ShowForbidden tip. But why isn't it listed in Apache documentation? Are there some other options that aren't listed as well?
[httpd.apache.org...]
And finally, thanks for the ShowForbidden tip. But why isn't it listed in Apache documentation? Are there some other options that aren't listed as well?
[httpd.apache.org...]
Ok, I've found the answer to this. I was looking at the older 2.0 documentation instead of 2.2...
1) If so, then what's the purpose of the suggested block?
The concept is to deny all access and allow it specifically. But you allowed access for /var/www-domain where you put the symlink and you allowed symlinks to be followed. That does not trigger <Directory /> again. You pulled the contents from the link target into the folder where you placed the symlink.
2) Is there another way (a general way) to block/control certain directory structures other than this:
Because this isn't good if someone renames the symlink or inserts another. I want a general restriction (control), regardless of the symlink name...
The concept is to deny all access and allow it specifically.
Ok, but is it a security issue? Is my site more vulnerable if I don't deny access to the root directory? Can someone do some damage if it's missing which he couldn't do if it was there?
You could check with mod_rewrite via a -l condition if a physical path resolves to a symlink. This causes a stat call. If the condition is true, you could deny all access via the R=403 (or F, which is a macro for R=403) flag.
Thanks for the idea. But if I got it right, this is only for denying access. I can't ask for authorization this way. Or did I miss something?
Another approach would be to use Aliases (see mod_alias) instead of symlinks. You won't face such an issue with an alias.
Yes, this is quite nice. There's just one problem with this approach. If I want to add another "symlink" (alias in this case), I have to modify the server configuration and reload it. With symlinks I just add a new one in a virtual server directory. But thanks for the idea. This is definitely an idea to consider.
Ok, but is it a security issue? Is my site more vulnerable if I don't deny access to the root directory?
It denies access to your entire filesystem, not just the root directory. Whether someone could gain access outside of your document root, due to accidentally placed aliases or RewriteRules in your httpd.conf outside of <Directory> sections, depends upon your configuration. Usually, a second component should prevent Apache from serving "unintended" files: folder/file permissions.
But if I got it right, this is only for denying access