Bug 232980 - .htaccess permissions do not always cascade correctly
.htaccess permissions do not always cascade correctly
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: httpd (Show other bugs)
3.8
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Joe Orton
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-03-19 14:50 EDT by Travis Saling
Modified: 2008-04-09 14:29 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-03-22 08:26:48 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Travis Saling 2007-03-19 14:50:14 EDT
Description of problem:

Restrictions from a <Files> directive in an .htaccess file can override a
subdirectory's global .htaccess permission settings.

If, for example, we have the following .htaccess file in /foo:

<Files myfile*>
        AuthType Basic
        AuthName "This is directory /foo"
        require user jim jane
</Files>

Now, in a subdirectory /foo/bar, if we have the following .htaccess file:

AuthType Basic
AuthName "Now you are accessing /foo/bar"
require valid-user

It seems to me that every file /foo/bar/* should be accessible to anyone with an
account. But in practice, if a file exists with a name like
/foo/bar/myfile1.pdf, it will only be accessible to users "jim" and "jane" - so
the file /foo/.htaccess is taking precedence, incorrectly. This is also
demonstrated since the prompt shown in the authentication dialog box will be
"This is directory /foo" rather than "Now you are accessing /foo/bar" for those
files that match the directive in /foo/.htaccess.

Version-Release number of selected component (if applicable): Apache 2.0.46


How reproducible: Always


Steps to Reproduce:
1. Create .htaccess file, as shown above, in a directory "/foo"
2. Create another .htaccess file, as shown above, in the directory "/foo/bar"
3. Create a file myfile1.txt (or whatever) in /foo/bar
3. Try to access the file created in step 3 from an account other than the one's
specified in /foo/.htaccess
  
Actual results: /foo/.htaccess takes precedence over /foo/bar/.htaccess


Expected results: /foo/bar/.htaccess should take precedence, since it is closer
(in the same directory) to the files in question.


Additional info:
Comment 1 Joe Orton 2007-03-22 08:14:30 EDT
Directives within the <Files> section are applied later than those in the
.htaccess file, so this is generally expected behaviour.

http://httpd.apache.org/docs/2.0/sections.html#mergin

You may able to obtain the desired behaviour by adding a "Satisfy any" into the
<Files> section.
Comment 2 Joe Orton 2007-03-22 08:26:48 EDT
Sorry, no, Satisfy doesn't help here.

I can't see any simple way to achieve what you want here: if you only want the
file* match to apply within /foo (and not recursively) it could be moved to
httpd.conf and turned into a LocationMatch, for example.

But the configuration is being applied as expected per the above link.  Please
contact support if you require further assistance with the configuration issue.

Note You need to log in before you can comment on or make changes to this bug.