Bug 41911

Summary: SSLRequire does not restrict access to subdirectory under dav
Product: Apache httpd-2 Reporter: Seth Chaiklin <seth>
Component: mod_sslAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED INVALID    
Severity: normal CC: basant.kukreja
Priority: P2    
Version: 2.2.4   
Target Milestone: ---   
Hardware: Other   
OS: Linux   

Description Seth Chaiklin 2007-03-20 20:29:02 UTC
Directory /srv/www/html/dir>
 Order allow,deny
 Allow from all
     <IfModule mod_ssl.c>
      DAV on
      SSLOptions +StrictRequire
      SSLVerifyClient require
      SSLVerifyDepth 10
      SSLRequire       %{SSL_CLIENT_S_DN_C} eq "DE"
     </IfModule>
</Directory>

Directory /srv/www/html/dir/subdir>
 Order allow,deny
 Allow from all
     <IfModule mod_ssl.c>
      DAV on
      SSLOptions +StrictRequire
      SSLVerifyClient require
      SSLVerifyDepth 10
      SSLRequire       %{SSL_CLIENT_S_DN_C} eq "DK"
     </IfModule>
</Directory>

1.  Using webdavs to access /dir

2. Using a DE certificate, it is possible to get access to /dir
where dir/subdir is also shown.  Under webdavs, it is also possible
to get access to /dir/subdir  Is that "expected" behaviour?

3.  After getting access to /dir/subdir, where it is possible to see
the files in /dir/subdir, attempts to access 
subdirectories /dir/subdir/subsubdir are rejected (according to the
error message in the log file, because the "Requirement expression not 
fulfilled"  (as it should)

3.  If one attempts to access /dir/subdir directory (via URL, either via https: 
or webdavs:), then it is rejected with the "Requirement expression not 
fulfilled" (as it should)
Comment 1 Basant Kumar Kukreja 2007-03-26 13:28:36 UTC
As you written in your second point :
>2. Using a DE certificate, it is possible to get access to /dir
>where dir/subdir is also shown.  Under webdavs, it is also possible
>to get access to /dir/subdir  Is that "expected" behaviour?

I could not reproduce the issue. Here is my experimentation :

Here is my configuration :

<Directory "/disk/apache/apache2/htdocs/test">
 Order allow,deny
 Allow from all
    Options Indexes
     <IfModule mod_ssl.c>
      DAV on
      SSLOptions +StrictRequire
      SSLVerifyClient require
      SSLVerifyDepth 10
      SSLRequire       %{SSL_CLIENT_S_DN_C} eq "US"
     </IfModule>
</Directory>

<Directory "/disk/apache/apache2/htdocs/test/subdir">
 Order allow,deny
 Allow from all
     Options Indexes
     <IfModule mod_ssl.c>
      DAV on
      SSLOptions +StrictRequire
      SSLVerifyClient require
      SSLVerifyDepth 10
      SSLRequire       %{SSL_CLIENT_S_DN_C} eq "DE"
     </IfModule>
</Directory>


Using "US" based client certificate when I send the /test/ request then I
don't see the subdir in directory listing.

------------------------------------------------------
[/disk/apache/apache2] $ curl --cacert ./certs/rootcert.pem  -E
certs/client1.pem:password --dump-header - -o - https://lbasantk3:4005/test/
HTTP/1.1 200 OK
Date: Mon, 26 Mar 2007 20:09:53 GMT
Server: Apache/2.2.5-dev (Unix) mod_ssl/2.2.5-dev OpenSSL/0.9.8a DAV/2
Content-Length: 256
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /test</title>
 </head>
 <body>
<h1>Index of /test</h1>
<ul><li><a href="/"> Parent Directory</a></li>
<li><a href="test.html"> test.html</a></li>
</ul>
</body></html>
------------------------------------------------------


If I try to access /test/subdir/ then I get permission
------------------------------------------------------
[/disk/apache/apache2] $ curl --cacert ./certs/rootcert.pem  -E
certs/client1.pem:password --dump-header - -o - https://lbasantk3:4005/test/subdir/
HTTP/1.1 403 Forbidden
Date: Mon, 26 Mar 2007 20:10:55 GMT
Server: Apache/2.2.5-dev (Unix) mod_ssl/2.2.5-dev OpenSSL/0.9.8a DAV/2
Content-Length: 214
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /test/subdir/
on this server.</p>
</body></html>
------------------------------------------------------



Now If I change the subdirectory configuration e.g

<Directory "/disk/apache/apache2/htdocs/test/subdir">
 Order allow,deny
 Allow from all
     Options Indexes
     <IfModule mod_ssl.c>
      DAV on
      SSLOptions +StrictRequire
      SSLVerifyClient require
      SSLVerifyDepth 10
      SSLRequire       %{SSL_CLIENT_S_DN_C} eq "US"
     </IfModule>
</Directory>

[/disk/apache/apache2] $ bin/apachectl restart 

Now if I send the request again then I see the "/subdir" as part of my
listing.
------------------------------------------------------
[/disk/apache/apache2] $ curl --cacert ./certs/rootcert.pem  -E
certs/client1.pem:password --dump-header - -o - https://lbasantk3:4005/test/
HTTP/1.1 200 OK
Date: Mon, 26 Mar 2007 20:11:17 GMT
Server: Apache/2.2.5-dev (Unix) mod_ssl/2.2.5-dev OpenSSL/0.9.8a DAV/2
Content-Length: 296
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /test</title>
 </head>
 <body>
<h1>Index of /test</h1>
<ul><li><a href="/"> Parent Directory</a></li>
<li><a href="subdir/"> subdir/</a></li>
<li><a href="test.html"> test.html</a></li>
</ul>
</body></html>
------------------------------------------------------

Also as expected, if I send the /test/subdir/ URI then I get the listing.

Kindly provide more information which could be helpful to reproduce the issue.
Also kindly provide information about which webdav tool you are using.
Comment 2 Seth Chaiklin 2007-03-26 16:50:26 UTC
Thank you for your detailed analysis.  

I am using Konqueror 3.5.6  (from KDE) as client, where it is possible
to use webdavs:// or https:// as a URL.

I was not able to reproduce the problem today. I suspect/believe the 
explanation is that the certificates were being cached by Konqueror.
I had suspected this problem, before submitting my report, and therefore
tried both to restart the server and open a "new" Konqueror.  However, I 
believe that I did not close ALL the open Konqueror clients, and that seems to
be the source of the problem I reported.  (I more or less repeated such an 
experiment today -- that is, I could reproduce the problem that I reported, but 
I now understand that the problem is with the client and not Apache).

While you have your test set up.  I would like to ask a related question.  In 
your first setup, if you (a) try to access /test/subdir  with (b)) a 'DE 
certificate), then (c) you will see that it is *impossible* because 

 [info] Access to /disk/apache/apache2/htdocs/test/subdir/ for 123.456.789.123
(requirement expression not fulfilled)
 [info] Failed expression: %{SSL_CLIENT_S_DN_C} eq "US"

That is, the SSLRequire from Directory cascades to test/subdir (as it is 
supposed to), but this makes it impossible then for a person with only a DE 
certificate to get access to the subdirectory.

I am able to reliably repeat that problem.

As best as I can tell, this cannot be overcome with a special Boolean 
combination to SSLRequire, and the way Apache is currently designed, there does 
not seem any possibility to override this behavior.  

Is there a good reason to maintain that behavior?  Maybe it should be an 
enhancement request to allow the possibility to turn off or override 
the "directory cascade" ?  
Comment 3 Basant Kumar Kukreja 2007-03-26 18:07:43 UTC
Yes, If I access the /test/subdir using "DE" client certificate, I get 403.

-------------------------------------------
[/disk/apache/apache2] $ curl --cacert ./certs/rootcert.pem  -E
certs/client2.pem:password --dump-header - -o -
https://lbasantk3.red.iplanet.com:4005/test/subdir/
HTTP/1.1 403 Forbidden
Date: Tue, 27 Mar 2007 00:39:18 GMT
Server: Apache/2.2.5-dev (Unix) mod_ssl/2.2.5-dev OpenSSL/0.9.8a DAV/2
Content-Length: 214
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /test/subdir/
on this server.</p>
</body></html>
-------------------------------------------

In error log, I see 
[Mon Mar 26 17:39:18 2007] [info] Failed expression: %{SSL_CLIENT_S_DN_C} eq "US"
[Mon Mar 26 17:39:18 2007] [error] [client 192.18.120.216] access to
/disk/apache/apache2/htdocs/test/subdir/ failed, reason: SSL requirement
expression not fulfilled (see SSL logfile for more details)

Probably regular expression can help you e.g.

<Directory ~ "/disk/apache/apache2/htdocs/test$">
...
      SSLRequire       %{SSL_CLIENT_S_DN_C} eq "US"
</Directory>


I believe you certainly can write a special module which can be used to check
the URI and make such requirements.


>Maybe it should be an 
>enhancement request to allow the possibility to turn off or override 
>the "directory cascade" ?
Turning off the "directory cascade" is not intuitive and may be considered a
big security hole. Unix OS provides a file system and doesn't provide any way
to set this to off (afaik).

Also I believe, you can achieve your target by redisigning the
files/directory and place various constraints e.g
/test : provide constraint like %{SSL_CLIENT_S_DN_C} eq "US" or eq "DE"
/test/files_US : if accessibly by client  %{SSL_CLIENT_S_DN_C} eq "US"
/test/files_DE : if accessibly by client  %{SSL_CLIENT_S_DN_C} eq "DE"

Should we close this bug as "Invalid"?
Comment 4 Joe Orton 2007-03-27 01:57:20 UTC
Yes, thanks a lot to for the detailed analysis on this.