Hello Matthew, It looks as though you are applying restrictions based on the filesystem and then are including a directive which dissociates the URL from that filesystem, thus bypassing your restrictions.
Have you read this part of the documentation? http://httpd.apache.org/docs/2.2/sections.html#file-and-web Hopefully that will explain things, Pete On Thu, Dec 08, 2011 at 01:00:39AM -0500, Matthew Berry wrote: > What I am seeing is a situation where access to a directory has been > restricted using the following abbreviated config file, and everything > works just fine. Then, after adding this line: "SCGIMount /log > 127.0.0.1:5000", requests to /log are served even though they had > previously been blocked. I am assuming that this is some sort of bug > or oversight, or that I am completely misunderstanding how security > works in apache. I've previously posted this question over at > LinuxQuestions and have not yet received any offers after about 3 > weeks. The thread can be found here: > http://www.linuxquestions.org/questions/linux-security-4/scgimount-on-apache2-bypasses-order-allow-deny-914427/ > > <VirtualHost *:81> > ServerAdmin x...@xxx.xxx > ServerName www.xxxxx.xxx:81 > DocumentRoot /var/www > LogLevel warn > ErrorLog /var/log/apache2/altport-error.log > CustomLog /var/log/apache2/altport-access.log combined > <Directory /> > Options FollowSymLinks > AllowOverride None > Order allow,deny > Deny from all > </Directory> > <Directory /var/www> > Order allow,deny > Allow from all > </Directory> > <Directory /var/www/log> > Order allow,deny > Deny from all > </Directory> > </VirtualHost> -- Openstrike - improving business through open source http://www.openstrike.co.uk/ or call 01722 770036 or 07092 020107
signature.asc
Description: Digital signature
