>Number:         4054
>Category:       mod_access
>Synopsis:       Allow directive does not correctly override earlier Deny directive
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sun Mar 14 02:40:01 PST 1999
>Last-Modified:
>Originator:     [EMAIL PROTECTED]
>Organization:
apache
>Release:        1.3.4
>Environment:
Red Hat 5.2 on Pentium II

[EMAIL PROTECTED] logs]# uname -a
Linux pele.golaso.com 2.0.36 #1 Tue Oct 13 22:17:11 EDT 1998 i686 unknown
[EMAIL PROTECTED] logs]# gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/2.7.2.3/specs
gcc version 2.7.2.3
>Description:
The following (contained within VirtualHost) should deny access to the
docroot for everyone except 128.66.12.2:

<Directory />
    Options None
    AllowOverride None
    Order allow,deny
    Deny from all
</Directory>

<Directory "/SomeFilesystem/SomeDocroot">
    Options FollowSymLinks IncludesNoExec
    AllowOverride None
    Order allow,deny
    Deny from all
    Allow from 128.66.12.2
</Directory>

Unfortunately, it just denies access to everyone, including 128.66.12.2.
The workaround is to remove the "Deny from all" from the second Directory
directive:

<Directory />
    Options None
    AllowOverride None
    Order allow,deny
    Deny from all
</Directory>

<Directory "/SomeFilesystem/SomeDocroot">
    Options FollowSymLinks IncludesNoExec
    AllowOverride None
    Order allow,deny
    #Deny from all
    Allow from 128.66.12.2
</Directory>

In which case, the desired behavior is achieved. The end result is the
same, but the ambiguity caused me about an hour of frustration.
Additionally, the mod_access docs seem to support the idea that the first
example above should work.
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
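
Added example, not part of the original report and not Apache's own code: a small Python model of the documented mod_access evaluation rules for Order, Allow and Deny, applied to the two <Directory "/SomeFilesystem/SomeDocroot"> sections in the report. It assumes only the innermost matching section's access directives apply; the DENY_ALLOW variant and the client address 10.9.8.7 are constructed for illustration and do not appear in the report.

```python
import ipaddress

def matches(specs, client):
    """True if client matches any 'from' spec: 'all', an IP, or a CIDR network.
    Hostname and partial-domain specs are outside this model."""
    addr = ipaddress.ip_address(client)
    return any(
        spec == "all" or addr in ipaddress.ip_network(spec, strict=False)
        for spec in specs
    )

def access_allowed(order, allow, deny, client):
    """Decision for one section under the documented Order semantics."""
    allowed, denied = matches(allow, client), matches(deny, client)
    if order == "allow,deny":
        # Allow is evaluated first, then Deny. Default is deny, and a
        # matching Deny wins over a matching Allow.
        return allowed and not denied
    if order == "deny,allow":
        # Deny is evaluated first, then Allow. Default is allow, and a
        # matching Allow wins over a matching Deny.
        return allowed or not denied
    raise ValueError("unsupported Order value: %r" % order)

# First configuration in the report: Deny from all + Allow from 128.66.12.2.
REPORTED = dict(order="allow,deny", allow=["128.66.12.2"], deny=["all"])
# Workaround in the report: the Deny line is commented out.
WORKAROUND = dict(order="allow,deny", allow=["128.66.12.2"], deny=[])
# Constructed variant: same Allow/Deny lines as REPORTED, Order reversed.
DENY_ALLOW = dict(order="deny,allow", allow=["128.66.12.2"], deny=["all"])

def decision_table(clients=("128.66.12.2", "10.9.8.7")):
    """Map (config name, client) -> True if the request would be served."""
    configs = {"reported": REPORTED, "workaround": WORKAROUND,
               "deny,allow": DENY_ALLOW}
    return {(name, c): access_allowed(client=c, **cfg)
            for name, cfg in configs.items() for c in clients}

if __name__ == "__main__":
    for (name, client), ok in decision_table().items():
        print("%-11s %-12s %s" % (name, client, "allow" if ok else "deny"))
```

Under this model the reported configuration denies 128.66.12.2 because "Deny from all" is evaluated after the Allow line, which matches the behaviour the report describes.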