Apache - Surprised by web access to .htaccess etc.




I've just stumbled on a surprise, which I thought I'd put on record,
and possibly propose a change to the distributed configuration sample.

In the distributed Apache configuration, there's a stanza like this:

<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

which denies web access to .htaccess and, possibly, other sensitive
files (.htpasswd maybe).

I was surprised, in one part of our server tree, to find that I
*could*, in fact, view the contents of .htaccess, .htpasswd etc.

Here's the explanation, as I now understand it.

This was an area which is permitted access not only from users at
local addresses, but also, by password, by users at remote addresses.
So it has an .htaccess file containing this kind of stuff:

order deny,allow
deny from all
allow from [list of addresses]

AuthType basic
[etc]

satisfy any
^^^^^^^^^^^

This is overriding the protection that came from the main
configuration for these files. The "satisfy any" is taking effect,
and resulting in the .ht* files being accessible to anyone who can
quote the remote access credentials for the area. This had *not* been
our intention.

What I've found is that if the main configuration is amended by adding
"satisfy all", thus:

<Files ~ "^\.ht">
Order allow,deny
Deny from all
satisfy all
</Files>

then by default it works as intended.

*If* it had been intended to grant access to the .htaccess etc. files
(which in our case it wasn't), then this can still be overridden by an
explicit "satisfy any" in the .htaccess.

This seems to me to be a safer default than what's currently
distributed (our Apache version reports itself as
"Server: Apache/2.0.46 (Red Hat)").

This isn't yet a proper bug report, as I haven't tried the latest
version of Apache; but I can't find any mention of this issue in the
existing bug reports...

Consequently, could I recommend considering adding "satisfy all" to
the distributed main configuration, httpd.conf ?

Thanks.
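The interaction described in the post above, laid out as an added example (this is not configuration from the original post; the paths, the address range and the auth file name are hypothetical, and the directives are Apache 2.0/2.2 mod_access syntax). Apache merges per-directory configuration in the order <Directory>/.htaccess first, then <Files>, with later sections overriding earlier ones for any directive they set. The distributed stanza sets Order/Deny but not Satisfy, so the "Satisfy any" inherited from the .htaccess survives the merge and a valid password alone is enough to read the .ht* files. Adding "Satisfy all" to the <Files> stanza overrides that inherited value, so the address check (which always fails) must pass as well and the files stay closed:

```apache
# Added example, not from the original post. Paths and addresses are hypothetical.

# ---- httpd.conf: stanza as distributed with Apache 2.0 (weak) ----
# Denies .ht* files by address but says nothing about Satisfy. A "Satisfy any"
# set in an .htaccess for the directory is still in effect after merging, so
# anyone who can authenticate for the area can read .htaccess and .htpasswd.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# ---- httpd.conf: corrected stanza ----
# <Files> is merged after the per-directory (.htaccess) config, so this
# "Satisfy all" replaces the inherited "Satisfy any". Both the address check
# (always denied) and any auth must now pass, so the files are unreachable.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy all
</Files>

# .htaccess only has effect where AllowOverride permits it. AuthConfig covers
# AuthType/AuthName/AuthUserFile/Require/Satisfy; Limit covers Order/Allow/Deny.
# Hypothetical DocumentRoot subtree:
<Directory "/var/www/html/members">
    AllowOverride AuthConfig Limit
</Directory>

# ---- /var/www/html/members/.htaccess (hypothetical contents) ----
# Local addresses get in without a password; everyone else needs a password.
# This is the stanza from the post, with placeholder values filled in.
Order deny,allow
Deny from all
# Hypothetical "local" range (TEST-NET-1); substitute the real one.
Allow from 192.0.2.0/24
AuthType Basic
AuthName "Members area"
# Hypothetical path. Keeping the password file outside the web tree means the
# <Files> stanza above is not the only thing standing between it and the network.
AuthUserFile /var/www/auth/.htpasswd
Require valid-user
Satisfy any
```

To check the effect, request the file as a remote, authenticated user (for example `curl -u alice:secret http://host/members/.htaccess`): with the distributed stanza the file contents come back, with "Satisfy all" added the response is 403. For reference, the httpd.conf shipped with Apache 2.2 carries this exact "Satisfy All" line in its `.ht` stanza, and Apache 2.4 replaces the stanza with `Require all denied`, which the Satisfy directive does not affect.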



Relevant Pages

  • Re: Apache - Surprised by web access to .htaccess etc.
    ... On Sat, 1 Oct 2005, Marc wrote: ... >>What I've found is that if the main configuration is amended by adding ... > I don't know why "satisfy all" was removed in v2. ... Unless someone from Apache cares to step in and comment on this, ...
    (comp.infosystems.www.servers.unix)