What does "Require all granted" on <Directory /> (root) really mean? (Apache 2.4 on CentOS 7)

This is an issue I've run into a few times, and it stems from a change in terminology from Apache 2.2 to Apache 2.4 (detailed here). Access control options that were previously addressed with 'Order X, Allow or Deny from X' can now be managed with 'Require X'. The simplest use case example would be...

Apache 2.2:

    Order allow,deny
    Allow from all

...on the more recent Apache would equate to...

Apache 2.4:

    Require all granted

So basically, yes: you are correct to assume that this change extensively loosens access privileges on your server (holding all else equal, of course).
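As an added example (not part of the original answer, and not the vendor's or the distribution's own files), here is the vendor's requested <Directory /> block next to the default-deny form that keeps "/" closed and opens only the directories that are meant to be served, followed by a small awk audit that reports the Require policy of every Directory block so the top-level one is easy to find in a long httpd.conf. The two sample config files, the /opt/vendorapp/reports alias and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Writes two constructed httpd.conf
# fragments and audits the Require policy of their <Directory> blocks.
# Paths under /opt/vendorapp and the function names are assumptions.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: what the software vendor asked for. With "/" granted, any
# file that gets mapped to a URL (DocumentRoot, an Alias, a followed symlink)
# is served as long as the apache uid can read it.
cat > "$WORK/requested.conf" <<'EOF'
<Directory />
    AllowOverride none
    Require all granted
</Directory>
DocumentRoot "/var/www/html"
Alias /reports "/opt/vendorapp/reports"
EOF

# Constructed sample: the CentOS default-deny shape. "/" stays denied and each
# directory that should be reachable gets its own block, so a stray Alias or
# symlink that points elsewhere still answers 403.
cat > "$WORK/hardened.conf" <<'EOF'
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks
    AllowOverride none
    Require all granted
</Directory>
Alias /reports "/opt/vendorapp/reports"
<Directory "/opt/vendorapp/reports">
    Require all granted
</Directory>
EOF

# Print "<path> <policy>" for every <Directory> block in a config file. The
# policy is the last "Require all granted|denied" seen inside the block, or
# "unset" when the block has none. This is a textual scan, not Apache's own
# section merging, so it is a quick audit rather than a substitute for testing.
directory_policies() {
    awk '
        /^[[:space:]]*<Directory[[:space:]]/ {
            path = $2; sub(/>.*$/, "", path); gsub(/"/, "", path)
            policy = "unset"
        }
        /^[[:space:]]*Require[[:space:]]+all[[:space:]]+(granted|denied)/ { policy = $3 }
        /^[[:space:]]*<\/Directory>/ { print path, policy }
    ' "$1"
}

# Policy of the "/" block only. Prints "absent" when the config has no such
# block; the Apache core docs say that default access for <Directory "/"> is
# then to permit all access, so "absent" is as bad as "granted".
root_policy() {
    p=$(directory_policies "$1" | awk '$1 == "/" { print $2 }')
    [ -n "$p" ] && echo "$p" || echo "absent"
}

echo "requested.conf: <Directory /> is $(root_policy "$WORK/requested.conf")"
echo "hardened.conf:  <Directory /> is $(root_policy "$WORK/hardened.conf")"
directory_policies "$WORK/hardened.conf"
```

Run it as is to see the two verdicts; to audit a live box, call directory_policies on /etc/httpd/conf/httpd.conf and the files under conf.d/ and look for a "/" line that is "granted" or missing. Because the scan is textual it will not follow Include directives or evaluate nested RequireAll/RequireAny groups, so treat a clean result as a prompt to confirm with httpd -t and a request for a path outside DocumentRoot, not as proof.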


Author: codeHot

Updated on September 18, 2022

Comments

  • codeHot over 1 year

    I'm sure this question looks really stupid at first, but I need a "second opinion" on this; even though I did some research on my own, I am still unsure about it.

    By default, the Apache configuration on CentOS 7 (and pretty much any distro I know so far) denies access recursively to the root filesystem (/) with a Directory statement like this:

    Default: /etc/httpd/conf/httpd.conf

    <Directory />
        AllowOverride none
        Require all denied
    </Directory>
    

    This is usually followed by some Directory statements (blocks) that "relax" permissions for the parts of the filesystem that contain HTML or other web server content.

    Now I have to deal with "some web app" from "some company" that is requesting/requiring the following change to the Apache config file:

    Requested by Software Company: /etc/httpd/conf/httpd.conf

    <Directory />
        AllowOverride none
        Require all granted
    </Directory>
    

    This raised a red flag in my mind, and I tried to research it on the net. I have not yet found anything stating clearly what this configuration would effectively mean. But I would guess this grants read access to pretty much any file on the whole Linux server which can be read by the user group "other" or by the Apache service account or service group. So if I am right, it would be a really, really bad idea to ever do something like this on an internet web server.

    Am I correct in this assumption? Or am I missing something here?

    Thanks for any hint/tip/explanation on this!

    Best regards, Axel

    • Admin almost 7 years
      Here is the link to the "Require all" documentation from Apache's mod_authz_core: httpd.apache.org/docs/2.4/mod/mod_authz_core.html#reqall
    • Admin almost 7 years
      Just to clarify, the directive does not refer to the file system root, but to the root of the web space, as in the URL www.example.com/.
    • Admin almost 7 years
      @StephenOstermiller Perhaps I could have been clearer. It is a file system directive; however, it is from the defined web space that represents the web root, as in the result of the URL, and not from the top of the file system. It all depends on where you define your root, such as /home/example.com/ or /var/httpd/HTML/. In other words, you cannot access /var/httpd/ because of the directive, but rather because of the file system permissions. This directive assumes file level access for the directory defined for the web space. Clear as mud? Cheers!!
    • Admin almost 7 years
      I think I see why the poster was confused about this. Now I'm confused too.
    • Admin almost 7 years
      @StephenOstermiller Is my last comment clearer??
    • Admin almost 7 years
      Except that doesn't seem to match the documentation.
    • Admin almost 7 years
      @StephenOstermiller Yes. You are right. My bad! I was going off of old memory. I guess I should put down the crack pipe. Later I will check my other server. I know there is some truth to what I am saying under conditions that live on my other server. I am battling two dead servers. I had a failing main breaker and called the electric company to pull the meter instead of doing a hot swap, which you should NOT do. Instead of checking with me that it is safe to pull the meter, like they are supposed to do, the moron pulled it then ran away. They are supposed to stick around to put the meter back!
    • Admin almost 7 years
      In the meantime I found more documentation on that Directory / configuration at httpd.apache.org/docs/current/en/mod/core.html#directory saying: "Default access for <Directory "/"> is to permit all access. This means that Apache httpd will serve any file mapped from an URL. It is recommended that you change this with a block such as <Directory "/"> Require all denied </Directory> and then override this for directories you want accessible." The "Security Tips" page then states: "This would allow clients to walk through the entire filesystem." So I guess my assumption was correct.
    • Admin almost 7 years
      ...that is, given that the attacker/user somehow finds a way to "escape from DocumentRoot", either by somehow walking the directory tree towards root or by finding some way to "map" some URL to a place outside of DocumentRoot (like rootfs /).