Red Hat Bugzilla – Bug 232980
.htaccess permissions do not always cascade correctly
Last modified: 2008-04-09 14:29:25 EDT
Description of problem:
Restrictions from a <Files> directive in an .htaccess file can override a
subdirectory's global .htaccess permission settings.
If, for example, we have the following .htaccess file in /foo:
AuthName "This is directory /foo"
require user jim jane
Now, in a subdirectory /foo/bar, if we have the following .htaccess file:
AuthName "Now you are accessing /foo/bar"
It seems to me that every file /foo/bar/* should be accessible to anyone with an
account. But in practice, if a file exists with a name like
/foo/bar/myfile1.pdf, it will only be accessible to users "jim" and "jane" - so
the file /foo/.htaccess is taking precedence, incorrectly. This is also
demonstrated since the prompt shown in the authentication dialog box will be
"This is directory /foo" rather than "Now you are accessing /foo/bar" for those
files that match the directive in /foo/.htaccess.
Version-Release number of selected component (if applicable): Apache 2.0.46
How reproducible: Always
Steps to Reproduce:
1. Create .htaccess file, as shown above, in a directory "/foo"
2. Create another .htaccess file, as shown above, in the directory "/foo/bar"
3. Create a file myfile1.txt (or whatever) in /foo/bar
3. Try to access the file created in step 3 from an account other than the one's
specified in /foo/.htaccess
Actual results: /foo/.htaccess takes precedence over /foo/bar/.htaccess
Expected results: /foo/bar/.htaccess should take precedence, since it is closer
(in the same directory) to the files in question.
Directives within the <Files> section are applied later than those in the
.htaccess file, so this is generally expected behaviour.
You may able to obtain the desired behaviour by adding a "Satisfy any" into the
Sorry, no, Satisfy doesn't help here.
I can't see any simple way to achieve what you want here: if you only want the
file* match to apply within /foo (and not recursively) it could be moved to
httpd.conf and turned into a LocationMatch, for example.
But the configuration is being applied as expected per the above link. Please
contact support if you require further assistance with the configuration issue.