Bug 11829 – Alias problem in Apache httpd.conf

Bug 11829 - Alias problem in Apache httpd.conf

Summary:	Alias problem in Apache httpd.conf

Status:	CLOSED WONTFIX

Aliases:	None

Product:	Red Hat Linux
Classification:	Retired
Component:	apache (Show other bugs)
Sub Component:
Version:	6.2
Hardware:	i386 Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Nalin Dahyabhai
QA Contact:
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2000-06-01 14:15 EDT by Henri J. Schlereth
Modified:	2008-05-01 11:37 EDT (History)
CC List:	1 user (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2000-06-11 12:11:23 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Henri J. Schlereth 2000-06-01 14:15:11 EDT

Problem known to exist on: apache-1.3.13-2
(may affect earlier versions/unkown)
Description. Unable to access /usr/doc aliased out to /doc under
httpd.conf.

Temporary solution: re-activate access.conf and put aliases in there.

I have tested this on my own machine and found this to be a valid
bug. However file:/usr/doc is still functional.

This was first brought to my attention in the redhat-install-list
mailling list. Since I had an access.conf it didnt appear as a 
problem until I removed access.conf and used the entries in
httpd.conf and it failed.

Additional mention was seen on comp.infosystems.www.unix

Comment 1 SB 2000-06-11 12:11:23 EDT

Bleh no no!  If the alias to doc is enabled it allows remote users
to know the versions of packages you have installed on the system
and thus lessens your security by telling hackers the versions of
programs which could potentially be vulnerable to some sort of attack.
By default /usr/doc is only accessable from localhost which is not
denied access. For example, from your linux machine try:
lynx http://localhost/doc/ and you'll recieve the contents of your
/usr/doc directory.  Do this remotely and you are denied access.
Maybe you are pointing out a different problem, if so sorry for
wasting your time, just in case the permissions were unclear to you.

-Stan Bubrouski

Comment 2 Nalin Dahyabhai 2000-07-03 05:05:56 EDT

Stan is correct.  By default, the /doc alias can only be accessed from the
local host.  If you absolutely need to, and aren't concerned with any of the
security implications, change this section:

<Location /doc>
  order deny,allow
  deny from all
  allow from localhost
  Options Indexes FollowSymLinks
</Location>

to:

<Location /doc>
  order deny,allow
  allow from all
  Options Indexes FollowSymLinks
</Location>

Comment 3 Henri J. Schlereth 2000-07-03 09:49:12 EDT

1.) I think I will just leave it at
allow from 192.168.1.

2.) Since I use BindAddress 192.168.1.1 allow from all would not have been
an issue either.

3.) The other issue was resolved by talking to the people complaining and
finding out that they were mis-typing the URL. PBKAC.
The difference is when you add any ip restrictions and dont include localhost, 
one or the other would work but not both. I never noticed the problem because
I had entries for 192.168.1. in access.conf and localhost in httpd.conf. So
it really wasnt an issue for me.

Comment 4 Need Real Name 2000-07-26 12:10:04 EDT

I noticed the same behavior, but when I checked my access_log, it said I was
coming from localhost.localdomain, not just localhost. When I changed the
reference in httpd.conf to say localhost.localdomain it worked fine.

Note You need to log in before you can comment on or make changes to this bug.