Inheritence of access control directives

Forum Moderators: phranque

Message Too Old, No Replies

Inheritence of access control directives

Apache configuration issues

Any1

2:50 pm on Apr 20, 2011 (gmt 0)

Hi all,

please have a look at the following configuration excerpt:


<Directory "C:/www">
Order Allow,Deny
Deny from All
</Directory>

<Directory "C:/www/site">
Allow from All
</Directory>

I initially thought that the directory "d:/www/site" would not be accessible since the second

Directory

directive inherits from the first one and the combination of

Deny

and

Allow

should result in a double match which in turn (due to the Order directive) should result in a

Deny

.

But I seem to be wrong (I tried it), but I don't understand why ....

Anybody out there to give me a hint?

Thanx in advance!

mbabuskov

4:24 pm on Apr 20, 2011 (gmt 0)

AFAICT, D: is not covered with any rule, so it is allowed.

Any1

7:43 pm on Apr 20, 2011 (gmt 0)

Thanks for your reply.
Sorry, my fault, I wanted to ask about directory "c:/www/site" of course (not drive D:) ...
Any idea?

mbabuskov

7:10 am on Apr 21, 2011 (gmt 0)

C:/www/site is allowed because you explicitly allowed it (override) in the second rule.

jdMorgan

6:54 pm on Apr 25, 2011 (gmt 0)

The directory paths given in the <Directory> containers should be relative to DocumentRoot, not to the filesystem root. Otherwise, this should work.

With "Allow,Deny", the Denys should override the Allows.

See the notes on path-length-based <Directory> processing at [httpd.apache.org...] to confirm your intent.

Jim

Any1

7:05 pm on Apr 26, 2011 (gmt 0)

Thanks Jim for your considerations.

I also thought it should work, but it doesn't (I tested it).
It seems that all subdirs inherit access control from its parent dirs, but as soon as you start to specify some Allow or Deny directives in a subdir, they are not merged to the directives of the parent dir, but they overwrite them starting from scratch!

So at the end (since

Order Deny,Allow

is the default), the second directive actually seems to be interpreted as

<Directory "C:/www/site">
Order Deny,Allow
Allow from All
</Directory>

I carefully read the Apache docs, but I did not find any hints about this special case...

Any1.