
Inheritance of access control directives

Apache configuration issues

     

Any1

2:50 pm on Apr 20, 2011 (gmt 0)



Hi all,

please have a look at the following configuration excerpt:


<Directory "C:/www">
Order Allow,Deny
Deny from All
</Directory>

<Directory "C:/www/site">
Allow from All
</Directory>


I initially thought that the directory "d:/www/site" would not be accessible since the second Directory directive inherits from the first one and the combination of Deny and Allow should result in a double match which in turn (due to the Order directive) should result in a Deny.

But I seem to be wrong (I tried it), but I don't understand why ....

Anybody out there to give me a hint?

Thanx in advance!

mbabuskov

4:24 pm on Apr 20, 2011 (gmt 0)



AFAICT, D: is not covered with any rule, so it is allowed.

Any1

7:43 pm on Apr 20, 2011 (gmt 0)



Thanks for your reply.
Sorry, my fault, I wanted to ask about directory "c:/www/site" of course (not drive D:) ...
Any idea?

mbabuskov

7:10 am on Apr 21, 2011 (gmt 0)



C:/www/site is allowed because you explicitly allowed it (override) in the second rule.

jdMorgan

6:54 pm on Apr 25, 2011 (gmt 0)




The directory paths given in the <Directory> containers should be relative to DocumentRoot, not to the filesystem root. Otherwise, this should work.

With "Allow,Deny", the Denys should override the Allows.

See the notes on path-length-based <Directory> processing at [httpd.apache.org...] to confirm your intent.

Jim

Any1

7:05 pm on Apr 26, 2011 (gmt 0)



Thanks Jim for your considerations.

I also thought it should work, but it doesn't (I tested it).
It seems that all subdirs inherit access control from their parent dirs, but as soon as you start to specify some Allow or Deny directives in a subdir, they are not merged with the directives of the parent dir, but they overwrite them starting from scratch!

So at the end (since Order Deny,Allow is the default), the second directive actually seems to be interpreted as

<Directory "C:/www/site">
Order Deny,Allow
Allow from All
</Directory>


I carefully read the Apache docs, but I did not find any hints about this special case...

Any1.
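
A small model of the behaviour described in the last post, as an added example that is not part of the thread or of Apache's own code. It assumes Apache 2.2 Order/Allow/Deny semantics and models only "from all" rules; the names `effective_config`, `is_allowed` and `POSTED` are hypothetical, and `merge=True` shows the result the original poster expected.

```python
# Simplified model of Apache 2.2 Order/Allow/Deny across nested <Directory>
# sections. Only "from all" rules are modelled; host/IP matching is omitted.

DEFAULT_ORDER = "Deny,Allow"  # used when a section gives no Order directive


def effective_config(sections, path, merge=False):
    """Return the access config applying to `path`.

    `sections` maps a directory to a dict with optional keys "order",
    "allow", "deny". Sections apply shortest path first. With merge=False
    (the behaviour reported in the thread) a section that sets access
    directives replaces the inherited config instead of adding to it.
    """
    config = {"order": DEFAULT_ORDER, "allow": False, "deny": False}
    path = path.lower().rstrip("/")
    for prefix in sorted(sections, key=len):
        p = prefix.lower().rstrip("/")
        if path == p or path.startswith(p + "/"):
            if not merge:
                # Start from scratch: parent Order and Deny are forgotten.
                config = {"order": DEFAULT_ORDER, "allow": False, "deny": False}
            config.update(sections[prefix])
    return config


def is_allowed(config):
    """Evaluate Order for a client that can only match "from all" rules."""
    order = config["order"].lower().replace(" ", "")
    allow, deny = config["allow"], config["deny"]
    if order == "allow,deny":
        # Default deny: must match an Allow and must not match a Deny.
        return allow and not deny
    if order == "deny,allow":
        # Default allow: a Deny rejects unless an Allow also matches.
        return allow or not deny
    raise ValueError("unsupported Order: " + config["order"])


# Constructed input mirroring the configuration in the first post.
POSTED = {
    "C:/www": {"order": "Allow,Deny", "deny": True},
    "C:/www/site": {"allow": True},
}

if __name__ == "__main__":
    for p in ("C:/www", "C:/www/site", "D:/www/site"):
        print(p, "->", "allowed" if is_allowed(effective_config(POSTED, p)) else "denied")
```
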