6

I've inherited a poorly designed web app, which has a certain file that needs to be publicly accessible, but that file is inside a directory which should not.

In other words, I need a way to block all files and sub-directories within a directory, but override it for a single file.

I'm trying this:

```apache
# No one needs to access this directly
<Directory /var/www/DangerousDirectory/>
   Order Deny,allow
   Deny from all

   # But this file is OK:
   <Files /var/www/DangerousDirectory/SafeFile.html>
      Allow from all
   </Files>
</Directory>
```

But it's not working- it just blocks everything including the file I want to allow. Any suggestions?

Nick

4 Answers

5
```apache
# No one needs to access this directly
<Directory /var/www/DangerousDirectory/>
   Order Deny,allow
   Deny from all
</Directory>
# But this file is OK:
<Files /var/www/DangerousDirectory/SafeFile.html>
   Order Deny,Allow
   Allow from all
</Files>
```

And if this directory is password-protected, add `Satisfy any` too.

Lekensteyn
  • I still seem to be getting a 403 message on the file? – Nick Aug 26 '10 at 10:06
  • Oops, wrong `Order` order. See http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order – Lekensteyn Aug 26 '10 at 10:31
  • Still not having much luck with this. :/ – Nick Aug 26 '10 at 17:46
  • Do you have a .htaccess file in `/var/www/DangerousDirectory/` with something like `Deny from all`? – Lekensteyn Aug 26 '10 at 17:53
  • There's an .htaccess but everything has been commented out. – Nick Aug 27 '10 at 06:08
  • Are there other configuration files which affect that file? Or is there a directive denying access? Take a look in the [Apache HTTPd documentation about processing order of Directory, Files and Location directives](http://httpd.apache.org/docs/2.2/sections.html#mergin) – Lekensteyn Aug 27 '10 at 09:15
  • Is there a debug permissions option that shows all directives affecting a particular file? – Nick Aug 27 '10 at 15:35
  • You could try [`LogLevel debug`](http://httpd.apache.org/docs/current/mod/core.html#loglevel) – Lekensteyn Aug 27 '10 at 15:51
3

There is an answer on StackOverflow that should answer this question; I think there is a missing `Order` in the nested `Files` directive?

https://stackoverflow.com/questions/6243677/apache-how-to-deny-directory-but-allow-one-file-in-that-dirctory

Kyle
  • Thanks for pointing that out. That answer didn't exist when I asked this question. :) – Nick Apr 06 '12 at 15:27
0

A very late answer, but still perhaps an answer.

The `<Files>` tag is in the scope of the directory and should not have the full path. So it should read:

```apache
<Directory "/var/www/DangerousDirectory">
   Order Deny,allow
   Deny from all

   # But this file is OK:
   <Files "SafeFile.html">
      Allow from all
   </Files>
</Directory>
```

Be aware that this would allow any file called SafeFile.html in that directory tree.

Andre
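
The subtree caveat in the answer above, worked through for Apache 2.4 as an added example (not taken from any answer in this thread). It assumes Apache 2.4 with mod_authz_core and reuses the paths from the question: Variant A is the direct 2.4 translation and still matches the file name in subdirectories, while Variant B pins the exception to one exact filesystem path.

```apache
# Added example for Apache 2.4 (mod_authz_core); paths are the ones from the question.
# Use ONE variant, not both: sections for the same directory are merged.

# Variant A: 2.4 translation of the nested <Files> approach.
# <Files> matches on the file name only, so this also grants access to
# /var/www/DangerousDirectory/any/sub/dir/SafeFile.html.
<Directory "/var/www/DangerousDirectory">
    Require all denied

    <Files "SafeFile.html">
        Require all granted
    </Files>
</Directory>

# Variant B: grant exactly one resolved filesystem path, deny everything else.
# A lone Require that does not match yields 403, so no separate
# "Require all denied" is needed.
<Directory "/var/www/DangerousDirectory">
    Require expr "%{REQUEST_FILENAME} == '/var/www/DangerousDirectory/SafeFile.html'"
</Directory>
```

To check Variant B after a reload, request SafeFile.html, a sibling file, and a file named SafeFile.html placed in a subdirectory; the expected responses are 200, 403 and 403.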
0

To allow a specific file when access is restricted by HTTP password. Be careful: password protection is defined on a filesystem basis, and specific allowed files are defined by URI. Updated for Apache 2.4.

```apache
<Directory /path/to/directory/>
    AuthName SecureArea
    AuthType Basic
    AuthUserFile /path/to/passwd-file
    Require user my-user

    SetEnvIf Request_URI "path/to/uri-allowed-1.php" allowedURL
    SetEnvIf Request_URI "path/to/uri-allowed-2.php" allowedURL
    Require env allowedURL
</Directory>
```

David