Apache - Surprised by web access to .htaccess etc.
I've just stumbled on a surprise, which I thought I'd put on record,
and possibly propose a change to the distributed configuration sample.

In the distributed Apache configuration, there's a stanza like this:

# Deny web access to any file whose name begins with ".ht"
# (.htaccess, .htpasswd, .htgroup ...), regardless of directory.
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

which denies web access to .htaccess and, possibly, other sensitive
files (.htpasswd maybe).

I was surprised, in one part of our server tree, to find that I
*could*, in fact, view the contents of .htaccess, .htpasswd etc.

Here's the explanation, as I now understand it.

This was an area which is permitted access not only from users at
local addresses, but also, by password, by users at remote addresses.
So it has an .htaccess file containing this kind of stuff:

# Host-based rule: only the listed local addresses get in without a password.
order deny,allow
deny from all
allow from [list of addresses]

# Password-based rule for everyone else.
AuthType basic
[etc]

# Either rule is enough on its own: a matching address OR valid credentials.
satisfy any
^^^^^^^^^^^

This is overriding the protection that came from the main
configuration for these files. The "satisfy any" is taking effect,
and resulting in the .ht* files being accessible to anyone who can
quote the remote access credentials for the area. This had *not* been
our intention.

What I've found is that if the main configuration is amended by adding
"satisfy all", thus:

<Files ~ "^\.ht">
Order allow,deny
Deny from all
# Require BOTH the host check and any auth check to pass; since the host
# check always fails here, a "satisfy any" inherited from .htaccess no
# longer lets authenticated users read these files.
satisfy all
</Files>

then by default it works as intended.

*If* it had been intended to grant access to the .htaccess etc. files
(which in our case it wasn't), then this can still be overridden by an
explicit "satisfy any" in the .htaccess.
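The behaviour described above comes down to how Apache merges the per-directory settings with the <Files> section for a single request. The following is an added example, not part of the original post and not Apache's own code: a small Python model of that merge, written from the documented rule that <Directory>/.htaccess containers are processed first and <Files> containers after, with a later container overriding every directive it explicitly sets. The model assumes that Order/Allow/Deny from a later container replace the earlier host rules wholesale, while Satisfy and the auth settings survive unless restated. The addresses (192.0.2.0/24 for the elided local list, 198.51.100.7 as a remote client) are constructed test values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed model (not Apache's code) of how a .htaccess body and a
# <Files> block combine for one request in Apache 2.0-style access control.


@dataclass
class Section:
    """One configuration container: a .htaccess body or a <Files> block."""
    order: Optional[str] = None                     # "allow,deny" or "deny,allow"
    allow: List[str] = field(default_factory=list)  # "all" or network strings
    deny: List[str] = field(default_factory=list)
    satisfy: Optional[str] = None                   # "any", "all" or unset
    auth_configured: Optional[bool] = None          # True when AuthType etc. are set


def merge(sections: List[Section]) -> Section:
    """Fold containers in merge order; a later one overrides what it sets."""
    merged = Section()
    for s in sections:
        # Assumption: host rules are replaced as a unit by a later Order/Deny/Allow.
        if s.order is not None:
            merged.order, merged.allow, merged.deny = s.order, list(s.allow), list(s.deny)
        # Satisfy and the auth configuration survive unless restated later.
        if s.satisfy is not None:
            merged.satisfy = s.satisfy
        if s.auth_configured is not None:
            merged.auth_configured = s.auth_configured
    return merged


def _matches(rules: List[str], client: str) -> bool:
    ip = ip_address(client)
    return any(r == "all" or ip in ip_network(r, strict=False) for r in rules)


def host_allowed(cfg: Section, client: str) -> bool:
    """Host-based decision for Order allow,deny / deny,allow."""
    allowed, denied = _matches(cfg.allow, client), _matches(cfg.deny, client)
    if cfg.order == "allow,deny":   # default deny; Deny wins when both match
        return allowed and not denied
    if cfg.order == "deny,allow":   # default allow; Allow wins when both match
        return allowed or not denied
    return True                     # no host rules at all


def request_permitted(sections: List[Section], client: str, creds_valid: bool) -> bool:
    """Apply Satisfy to the host check and the (optional) authentication check."""
    cfg = merge(sections)
    host_ok = host_allowed(cfg, client)
    auth_ok = bool(cfg.auth_configured) and creds_valid
    if cfg.satisfy == "any":
        return host_ok or auth_ok
    # "satisfy all" is also the behaviour when Satisfy is never specified.
    return host_ok and (auth_ok or not cfg.auth_configured)


# Constructed .htaccess from the post: local addresses in the clear, everyone
# else by password, and "satisfy any". 192.0.2.0/24 stands in for the elided list.
HTACCESS = Section(order="deny,allow", deny=["all"], allow=["192.0.2.0/24"],
                   satisfy="any", auth_configured=True)

# The distributed stanza for .ht* files, and the amended one with "satisfy all".
FILES_DISTRIBUTED = Section(order="allow,deny", deny=["all"])
FILES_AMENDED = Section(order="allow,deny", deny=["all"], satisfy="all")


def htaccess_readable(files_stanza: Section, client: str, creds_valid: bool) -> bool:
    """Can this client fetch .htaccess? The .htaccess merges first, <Files> after."""
    return request_permitted([HTACCESS, files_stanza], client, creds_valid)


def page_readable(client: str, creds_valid: bool) -> bool:
    """An ordinary page in the same directory: only the .htaccess applies."""
    return request_permitted([HTACCESS], client, creds_valid)


if __name__ == "__main__":
    remote = "198.51.100.7"  # constructed remote client
    print(htaccess_readable(FILES_DISTRIBUTED, remote, creds_valid=True))  # True: the surprise
    print(htaccess_readable(FILES_AMENDED, remote, creds_valid=True))      # False
    print(page_readable(remote, creds_valid=True))                         # True
```

Running it reproduces the post: with the distributed stanza, the <Files> block replaces the host rules (so the host check fails for everyone), but "satisfy any" and the AuthType settings inherited from the .htaccess remain in force, so any client with valid credentials is let through to .htaccess. Adding "satisfy all" to the <Files> block restates Satisfy in the later container, the failed host check then decides on its own, and the file is denied to everyone while the ordinary pages in the directory keep behaving as before.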

This seems to me to be a safer default than what's currently
distributed (our Apache version reports itself as
"Server: Apache/2.0.46 (Red Hat)").

This isn't yet a proper bug report, as I haven't tried the latest
version of Apache; but I can't find any mention of this issue in the
existing bug reports...

Consequently, could I recommend considering adding "satisfy all" to
the distributed main configuration, httpd.conf?

Thanks.