Be explicit when setting Apache host access controls

I recently discovered that I had made an incorrect assumption about the host-based authorization directives in Apache: I thought that if a directory defined Order, Deny, and Allow directives, an Allow directive in a subdirectory was simply “additive”, i.e., it extended the existing rules as if the rules from the parent directory were “inherited” and the extra Allow was appended to the parent’s list of Allows.

This is most definitely NOT the case, at least in Apache 2.2, and the documentation does not address this specific issue.  Worse, I think it is reasonable to believe, based on the mod_authz_host docs (the module which provides the Order, Deny, and Allow directives) and the “How Sections Are Merged” section of the Apache Configuration Sections doc, that the configuration would in fact behave in the way I had expected.  (Of course, one should always test.)

Here’s the problem:

<Directory /abc>
    Order Deny,Allow
    Deny from all
    Allow from example1.com
</Directory>

<Directory /abc/def>
    Allow from example2.com
</Directory>

You might think that access to /abc/def is restricted to hosts from example1.com and example2.com domains, or perhaps just example2.com, but in fact, it’s open to the world!  In other words, the /abc/def block is not equivalent to:

<Directory /abc/def>
    Order Deny,Allow
    Deny from all
    Allow from example1.com
    Allow from example2.com
</Directory>

as I thought it would be, or even to:

<Directory /abc/def>
    Order Deny,Allow
    Deny from all
    Allow from example2.com
</Directory>

The result is the same even if the Order directive in /abc is set to Allow,Deny.  It seems as though mod_authz_host resets all its directives whenever any one of them is set in a “directory” context.  The reset state is to allow all by default, because neither Allow nor Deny has a default value, and the default value of Order is Deny,Allow.
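To make the merge behaviour concrete, here is an added Python model (not Apache’s code and not part of the original post) of how Apache 2.2 mod_authz_host combines nested <Directory> blocks: `is_allowed` evaluates Order/Deny/Allow for a host, with a child block replacing the parent’s settings as observed above, and an `additive` switch that models the inheritance the post had assumed.  It is an assumed model for reasoning about a configuration; the real check is still a request against a running httpd.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class HostAuthz:
    order: Optional[str] = None  # None: no Order directive; Apache 2.2 then defaults to Deny,Allow
    deny: List[str] = field(default_factory=list)
    allow: List[str] = field(default_factory=list)

def parse_directory_blocks(text: str) -> Dict[str, HostAuthz]:
    """Parse the httpd.conf subset used in the post: <Directory> blocks with Order/Deny/Allow."""
    blocks, path, conf = {}, None, HostAuthz()
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("<Directory "):
            path, conf = line[11:-1].strip(), HostAuthz()
        elif line == "</Directory>":
            blocks[path] = conf
        elif line.startswith("Order "):
            conf.order = line[6:].replace(" ", "")
        elif line.startswith(("Allow from ", "Deny from ")):
            keyword, _, pattern = line.partition(" from ")
            getattr(conf, keyword.lower()).append(pattern)
    return blocks

def effective_config(blocks: Dict[str, HostAuthz], path: str, additive: bool = False) -> HostAuthz:
    """Apply the <Directory> blocks that cover `path`, shortest path first. Apache 2.2 behaviour (as the
    post observes): a block that sets any mod_authz_host directive REPLACES the inherited settings.
    additive=True models the wrong assumption that a child's Allow/Deny lines extend the parent's."""
    eff = HostAuthz()
    for d in sorted(blocks, key=len):
        if path == d or path.startswith(d.rstrip("/") + "/"):
            c = blocks[d]
            eff = HostAuthz(c.order or eff.order, eff.deny + c.deny, eff.allow + c.allow) if additive else c
    return eff

def _matches(host: str, patterns: List[str]) -> bool:
    # "all", an exact host name, or a partial domain name matched on a label boundary
    return any(p == "all" or host == p or host.endswith("." + p) for p in patterns)

def is_allowed(conf_text: str, path: str, host: str, additive: bool = False) -> bool:
    eff = effective_config(parse_directory_blocks(conf_text), path, additive)
    denied, allowed = _matches(host, eff.deny), _matches(host, eff.allow)
    if (eff.order or "Deny,Allow") == "Deny,Allow":  # allow by default; a matching Allow overrides Deny
        return allowed or not denied
    return allowed and not denied  # Allow,Deny and Mutual-failure: deny by default

CONF = (  # the post's two <Directory> blocks, embedded as constructed sample input
    "<Directory /abc>\n  Order Deny,Allow\n  Deny from all\n  Allow from example1.com\n</Directory>\n"
    "<Directory /abc/def>\n  Allow from example2.com\n</Directory>")
```

With the post’s configuration, `is_allowed(CONF, "/abc/def", "stranger.example.net")` returns True (open to the world); restating Order and Deny inside the /abc/def block makes it return False.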
