10

I stumbled upon a httpd.conf directive that I can't manage to understand:

<Files ~ "^\.ht">
  Order allow,deny
  Deny from all
  Satisfy All
</Files>

According to the doc, I would say that Satisfy doesn't have any effect since there is no Allow. Am I wrong? What do you think this directive does?

Owen Blacker
user41565

3 Answers

4

TLDR;
In most cases this line is not strictly necessary, as Satisfy All is usually the default server setting. If that's the case, the line is not strictly necessary.

The line is added as extra security, "Just In Case" the server was configured to use Satisfy Any setting as its default.
If the server was purposely set using the Satisfy Any setting, you definitely want to override that setting by including the Satisfy All directive to secure files such as .htaccess.

I am not sure if the htaccess file would override the server's default `Satisfy` directive for all folders at or below some said htaccess file.

For generic code posted on the internet, especially when it's telling you how to properly secure .htaccess files, the poster is being responsible by not making any assumptions about your server settings that could undermine the document's security. Including that "extra" line ensures that the more secure setting is applied to your htaccess files. Adding the directive makes the code block work 100% of the time, instead of leaving to chance having htaccess files exposed, for the small set of servers that are configured differently.

As per the apache documentation:

Satisfy Any|All:

Both host-based access restrictions and password-based authentication may be implemented simultaneously. In that case, the Satisfy directive is used to determine how the two sets of restrictions interact.

...used in <Directory>, <Files>, and <Location> sections as well as .htaccess

This directive is only useful if access to a particular area is being restricted by both username/password and client host address. In this case the default behavior (All) is to require that the client passes the address access restriction and enters a valid username and password. With the Any option the client will be granted access if they either pass the host restriction or enter a valid username and password.

Since the default value usually is Satisfy All (the only other option is Satisfy Any), you might not notice a difference when you include that directive. However, your server configuration file (or ?maybe an .htaccess file in a parent directory?? - I'm not sure if this is possible or not) might override the server default. Either way, adding the Satisfy All directive consistently ensures the proper security measure is applied.

By including the Satisfy All directive, you ensure the higher security setting for those files, independent of the setting in your server config.

The linked-to doc mentions some use cases of when you might want to instead use Satisfy Any.

SherylHohman
1

Since I cannot comment, I'll add here that @SherylHohman's answer is the best answer because it is important for added security. So, it's not technically true to say that it has no effect without it (in contrast to the accepted answer) since you still have to account for the rest of the server configuration. I would, however, like to add to @SherylHohman's answer:

  1. The server configuration file (e.g. /etc/httpd/conf/httpd.conf) could have a more generalized Satisfy Any statement. For example, this is important since it's possible someone may require a username/password to access all sites on their server (such as via Require group [name]) and then allow a bypass from a specific IP or set of IPs via Allow from [ip], so if this were left out, .htaccess would be opened up because a Satisfy Any would have had to be declared.

  2. The directories at or above a particular .htaccess file will not have an impact unless they have a <Files> section that also specifically matches .htaccess that would then override this rule, along with the server config also containing the necessary AllowOverride directives (e.g. Limit or All). I say that it needs to be <Files> because that is what's used in the server configuration and those are processed after <Directory> level (i.e. root-level .htaccess). This is because <Files> sections are merged later and it appears to me that .htaccess is of course processed after the server config.

  • Thanks for filling in the gaps. I was unclear how/when that directive populated down. Thank you also for reinforcing that it should ALWAYS be added for files requiring highest security measures. – SherylHohman Mar 18 '20 at 17:21
  • You're welcome @SherylHohman since I decided to post this that day after learning the hard way! I decided it'd be important to learn precisely why this was an issue for me. – patricknelson Mar 19 '20 at 20:16
0

I would agree with you, the Satisfy All is not doing anything; without it, these files would still be denied.

AliGibbs
  • 2
    Yup -- Since there are no `Allow from` or `Require` conditions, `Satisfy` doesn't matter here (You can't satisfy a condition that doesn't exist, so access is denied). – voretaq7 Apr 27 '10 at 14:25
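
The answers above differ on whether a `Require` and a `Satisfy Any` can reach the `<Files>` block from the surrounding configuration. The following is an added example, not part of any answer and not Apache's own code: a simplified Python model of Apache 2.2's Order/Allow/Deny, Require and Satisfy evaluation, in which the site configurations, function names and IP addresses are constructed for illustration.

```python
# Simplified model of Apache 2.2 access evaluation (added example, not Apache code).
FILES_HT = {"host": ("allow,deny", [], ["all"])}   # block from the question, minus Satisfy
FILES_HT_ALL = dict(FILES_HT, satisfy="All")       # block as posted in the question

# Constructed parent config: login required, one trusted IP may skip it.
SITE_ANY = {"host": ("deny,allow", ["192.0.2.10"], ["all"]),
            "require": True, "satisfy": "Any"}
SITE_DEFAULT = {}                                  # no Require, Satisfy unset (All)

def merge(parent, files_block):
    """Later section wins per key; Order/Allow/Deny are replaced as one group,
    while Require and Satisfy are inherited when the <Files> block omits them."""
    cfg = {"host": ("deny,allow", [], []), "require": False, "satisfy": "All"}
    cfg.update(parent)
    cfg.update(files_block)
    return cfg

def host_ok(host, ip):
    order, allow, deny = host
    allowed = "all" in allow or ip in allow
    denied = "all" in deny or ip in deny
    if order == "allow,deny":        # default deny, Deny beats Allow
        return allowed and not denied
    return allowed or not denied     # deny,allow: default allow, Allow beats Deny

def can_read_ht(parent, files_block, ip, authenticated):
    """True if a request for a .ht* file would be served under this model."""
    cfg = merge(parent, files_block)
    passed_host = host_ok(cfg["host"], ip)
    if cfg["satisfy"] == "All":
        return passed_host and (authenticated or not cfg["require"])
    # Satisfy Any: a failed host check is fatal only when no Require applies.
    return passed_host or (cfg["require"] and authenticated)

if __name__ == "__main__":
    for site, name in ((SITE_DEFAULT, "default site"), (SITE_ANY, "Satisfy Any site")):
        for block, label in ((FILES_HT, "without Satisfy All"),
                             (FILES_HT_ALL, "with Satisfy All")):
            print(name, "|", label, "| logged-in user reads .htaccess:",
                  can_read_ht(site, block, "203.0.113.5", True))
```

On the default site both variants deny the request, which matches the last answer; on the constructed Satisfy Any site only the variant with `Satisfy All` keeps an authenticated user away from the `.ht*` files.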