>Number: 553
>Category: general
>Synopsis: access to a dir which is not r-x by all (only user/group) is
not permitted
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache (Apache HTTP Project)
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Tue May 6 15:30:01 1997
>Originator: [EMAIL PROTECTED]
>Organization:
apache
>Release: 1.2b10
>Environment:
Linux 2.0.30 i486
gcc 2.7.2
libc.so.5.2.18
>Description:
I have a directory with the following permissions set:
drwxr-x--- 4 wwwadm www 1024 May 6 22:59 mirror/
The server runs as
User nobody
Group www
-> I verified it by a CGI-script which runs id: uid=99(nobody) gid=60(www)
I do not use suEXEC of CGIs -> so I believe that the uid/gid should be the
same as if I try a GET within the dir. BTW: the server is standalone
Port 80 and started as root
If I try to GET a document within the mirror directory (see above) the request
fails with the following Error:
Forbidden
You don't have permission to access /mirror/ on this server.
I should mention, that the mirror dir is within the following Virtual Server
configuration:
<VirtualHost www.server.com>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /home/httpd/html/www.server.com
ServerName www.server.com
ErrorLog logs/www.server.com-error_log
TransferLog logs/www.server.com-access_log
UserDir /home/httpd/html/www.server.com/user
<Directory /home/httpd/cgi-bin>
AllowOverride None
Options None
AddType application/x-httpd-cgi sh
</Directory>
</VirtualHost>
So the absolute path to the mirror dir is /home/httpd/html/www.server.com/mirror
If I change the permissions of the mirror directory to 755 (drwxr-xr-x)
it works.
If you ask yourself why I need (rwxr-x---) for this directory, here is the
answer -> I want to hide certain parts of the "www-space" from local users
since this part is password protected by .htaccess (this works ->
with rwxr-xr-x)
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
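
The permission model the report relies on, as an added example (not part of the original report and not Apache code): a process passes a directory through exactly one of the owner, group or other classes, checked on every path component. The parent directory modes, the numeric uid 500 for wwwadm and the local account are constructed for illustration.

```python
# Added example: classic Unix owner/group/other evaluation along a path.
# Ignores root, ACLs and capabilities. Apart from the mirror/ entry, all
# modes, owners and numeric ids below are constructed.
R, X = 4, 1

def allowed(mode, owner_uid, owner_gid, uid, gids, want):
    """Exactly one class applies: owner, else group, else other."""
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want

def first_denied(entries, uid, gids):
    """Return the first directory the caller cannot pass, or None.
    Every directory needs search (x); the last also needs read (r)
    so that its contents can be listed."""
    for i, (path, mode, o_uid, o_gid) in enumerate(entries):
        want = (R | X) if i == len(entries) - 1 else X
        if not allowed(mode, o_uid, o_gid, uid, gids, want):
            return path
    return None

def tree(mirror_mode):
    root = "/home/httpd/html/www.server.com"
    return [
        ("/home", 0o755, 0, 0),
        ("/home/httpd", 0o755, 0, 0),
        ("/home/httpd/html", 0o755, 0, 0),
        (root, 0o755, 0, 0),
        (root + "/mirror", mirror_mode, 500, 60),  # wwwadm:www, uid 500 assumed
    ]

SERVER = (99, {60})         # uid=99(nobody) gid=60(www), from the id output
LOCAL_USER = (1000, {100})  # constructed local account outside group www

if __name__ == "__main__":
    for mode in (0o750, 0o755):
        for label, (uid, gids) in (("server", SERVER), ("local user", LOCAL_USER)):
            print(oct(mode), label, first_denied(tree(mode), uid, gids))
```

Under this model the 750 directory is reachable by uid 99 when gid 60 is in its group set and closed to other local accounts, while 755 opens it to both.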