>Number: 2957
>Category: mod_auth-any
>Synopsis: DirectoryMatch/Directory authorization conflicts.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Fri Sep 4 19:50:00 PDT 1998
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization: apache
>Release: 1.3.X
>Environment: Solaris 2.5.1 at most recent recommended patch suite.
>Description:
I ran into a situation today with Apache that I'm 99% sure is a bug. I'm not sure WHICH part of it is the bug though, since the documentation is a bit unclear.
Consider the following httpd.conf snippet:

    <DirectoryMatch ^/opt/web/.*/docroot>
        Options FollowSymLinks Includes
        AllowOverride None
        order allow,deny
        allow from all
    </DirectoryMatch>

    <Directory /opt/web/mpath/docroot/foundation/partners/docs>
        AuthType basic
        AuthName "Documentation"
        AuthUserFile /opt/web/mpath/private/developers.pw
        AuthGroupFile /opt/web/mpath/private/developers.group
        <Limit GET POST PUT>
            satisfy any
            order deny,allow
            deny from all
        </Limit>
    </Directory>

Yes yes yes, I know "FollowSymLinks" won't work in a DirectoryMatch directive, I already logged that as a bug. :)

But the problem I'm having is as follows: In the situation above, the directory /opt/web/mpath/docroot/foundation/partners/docs (henceforth referred to as 'docs') has no authentication required for it at all. Despite the allow from .mpath.com and require group developers, it does not in fact require either. The two fixes are to A) fix the DirectoryMatch directive so it matches on ^/opt/web/.*/docroot$, or remove the 'satisfy any' directive.

Here's what I think are either bugs, or confusing:

1) It should be specified in the documentation that the DirectoryMatch is not an absolute match, but a partial one like grep or sed. This is the least of my concerns, as anyone with regexp experience would probably assume this anyway.

2) What I think is breaking here is this: Directory directives are matched prior to DirectoryMatch directives. Which means the DirectoryMatch section is superseding the Directory section in deciding what sort of authentication is required. But the removal of the 'satisfy any' directive should NOT then result in authentication being on the directory; instead the rules of precedence should be the same, and there should be no permissions on the directory. Instead what is occurring is that removal of the satisfy any directive triggers the implicit satisfy all, and suddenly there IS permissions on the directory.

Whew. This took forever to track down.
Brian
>How-To-Repeat:
Use entries in the httpd.conf file similar to the snippet above.
>Fix:
With GOOD CODERS! Which luckily the Apache group has in abundant supply. :)
>Audit-Trail:
>Unformatted:
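As an added illustration (not part of the report and not Apache's own code), the following constructed Python model applies the merge order the report describes: matching <Directory> sections first, then every <DirectoryMatch> whose unanchored regex matches, with later sections overriding earlier ones directive by directive. It assumes the `require group developers` line mentioned in the description and reduces the access rules to allow-from-all versus deny-from-all.

```python
import re

# Constructed model of per-directory merging as the report describes it:
# matching <Directory> sections are applied first (shortest path first), then
# every <DirectoryMatch> whose unanchored regex matches, and each later section
# overrides the directives the earlier ones set. Access rules are simplified to
# "allow" (allow from all) or "deny" (deny from all). Not Apache's own code.
DOCS = "/opt/web/mpath/docroot/foundation/partners/docs"

def as_posted(regex=r"^/opt/web/.*/docroot", satisfy="any"):
    """The two sections from the report; 'require' is taken from its description."""
    docs = {"require": "group developers", "access": "deny"}
    if satisfy:
        docs["satisfy"] = satisfy
    return [
        ("DirectoryMatch", regex, {"access": "allow"}),
        ("Directory", DOCS, docs),
    ]

def effective_config(path, sections):
    cfg = {"satisfy": "all"}          # implicit default when no satisfy directive applies
    plain = [s for s in sections if s[0] == "Directory"
             and (path == s[1] or path.startswith(s[1].rstrip("/") + "/"))]
    plain.sort(key=lambda s: len(s[1]))
    regex = [s for s in sections if s[0] == "DirectoryMatch" and re.search(s[1], path)]
    for _, _, directives in plain + regex:
        cfg.update(directives)        # later section wins, directive by directive
    return cfg

def decide(cfg):
    """Outcome for a client sending no credentials: 'open', 'auth' (401) or 'forbidden' (403)."""
    host_ok = cfg.get("access") == "allow"
    needs_auth = "require" in cfg
    if cfg["satisfy"] == "any":       # host check OR credentials is enough
        if host_ok:
            return "open"
        return "auth" if needs_auth else "forbidden"
    if not host_ok:                   # satisfy all: host check AND credentials
        return "forbidden"
    return "auth" if needs_auth else "open"

if __name__ == "__main__":
    cases = [("as posted", as_posted()),
             ("fix A: anchored regex", as_posted(regex=r"^/opt/web/.*/docroot$")),
             ("fix B: no satisfy any", as_posted(satisfy=None))]
    for label, sections in cases:
        print(f"{label:24} -> {decide(effective_config(DOCS, sections))}")
```

Run as posted, the model reports the docs directory as open because the DirectoryMatch's allow-from-all replaces the Directory's deny-from-all while `satisfy any` lets the host check alone pass; either fix makes credentials mandatory.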
