LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   SCGIMount on apache2 bypasses Order Allow,Deny (https://www.linuxquestions.org/questions/linux-security-4/scgimount-on-apache2-bypasses-order-allow-deny-914427/)

Vitus13 11-19-2011 03:55 PM
SCGIMount on apache2 bypasses Order Allow,Deny
 
I created a fresh VirtualHost to test this because at first I didn't believe what I was seeing.

Here's a fresh Apache config:
Code:

<VirtualHost *:81>
        ServerAdmin xxxx@xxx.xxx
        ServerName  www.xxxxx.xxx:81
        DocumentRoot /var/www
        LogLevel warn
        ErrorLog /var/log/apache2/altport-error.log
        CustomLog /var/log/apache2/altport-access.log combined
        <Directory />
                Options FollowSymLinks
                AllowOverride None
                Order allow,deny
                Deny from all
        </Directory>
        <Directory /var/www>
                Order allow,deny
                Allow from all
        </Directory>
        <Directory /var/www/log>
                Order allow,deny
                Deny from all
        </Directory>
</VirtualHost>
Everything works as it should, no requests from xxxxx.xxx:81/log are served. Now, delete the log folder and add the following line to the config:
Code:
SCGIMount /log 127.0.0.1:5000
Now visiting /log gives a 500 Internal Server Error, which is a sign that the xmlrpc-c server sitting at 127.0.0.1:5000 is world accessible!

Does anyone know why mod_authz_host doesn't work on SCGI Mounts?

Vitus13 11-26-2011 12:39 PM
*bump*

If I'm doing this wrong, let me know.

Vitus13 12-07-2011 11:39 PM
19 days since posting
 
So it seems I've either stumped the internet at large or done something so completely dumb that it didn't even merit a "RTFM".

EDIT:
I shot an email over at the Apache Users Email List and I can't thank them enough for their help. A helpful reader shot back a reply indicating that since the SCGIMount is not a filesystem location it would not fall under the domain of <Directory> but rather <Location>.

Simply adjusting the following part of the config resulted in immediate success.
Code:
#Edit this:
<Directory /var/www/log>
    Order allow,deny
    Deny from all
</Directory>

#To be this:
<Location /log>
    Order allow,deny
    Deny from all
</Location>
Hopefully this helps someone in the future.


All times are GMT -5. The time now is 04:15 PM.