Add Apache 2.4 access control Require directives

peternowee
Bear Rating Trainee
Posts: 6
Joined: 12 May 2016, 16:45

Add Apache 2.4 access control Require directives

Postby peternowee » 12 May 2016, 17:03

Apache 2.4 moved access control to the mod_authz_host module, replacing the Apache 2.2 Order, Allow and Deny directives with the Require directive. Although it is possible to keep using the old directives by enabling the module mod_access_compat, not everybody will have that enabled.

This patch changes all .htaccess files to detect the Apache version and set the appropriate directives.

  • http://httpd.apache.org/docs/2.4/upgrading.html#run-time
  • http://stackoverflow.com/a/15081790
  • http://mail-archives.apache.org/mod_mbox/httpd-users/201311.mbox/%3CCAKUrXK43bUwiUopToMUMMLOvQrCa9U8m5+t=8mi1uZF2TxT_gg@mail.gmail.com%3E



My GitLab account name: peternowee

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Re: Add Apache 2.4 access control Require directives

Postby fox » 12 May 2016, 17:48

tbh i'm not sure if those files should be there in the first place

for example i've ditched apache years ago and they do nothing for me

the fact that they decided to ditch backwards compatibility in their overbloated slow-ass http daemon is kind of a last straw in a way

e: to elaborate, .htaccess is a shit way to ensure any kind of security because it's specific to one server, may fail silently even on apache, and is a no-op on any other httpd i'm aware of. luckily, the way tt-rss generates temporary and cache files makes it somewhat hard to download anything meaningful anyway, so it's mostly a moot point.

so the two ways of fixing this properly would be either checking accessibility of some files in cache directories over httpd in preferences and nagging people to fix their shit (i.e. how owncloud does it) or just canning the .htaccess anyway because in the end it's a crutch which only provides false sense of security for people who don't know any better.
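
The first option in the post above (probe over HTTP whether files in the cache directory are reachable, then warn the admin), sketched as an added example that is not part of the thread or of tt-rss's code. It assumes the script runs on the server with write access to the install's cache directory; the function names, the canary file name and the `<?php` source test are illustrative choices.

```python
import secrets
import urllib.error
import urllib.request
from pathlib import Path


def http_get(url, timeout=5):
    """Return (status, body) for a GET; HTTP error codes are results, not exceptions."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536)
    except urllib.error.HTTPError as err:
        return err.code, b""


def check_install(base_url, install_dir, fetch=http_get):
    """Probe an install over HTTP and return a list of findings (empty = OK)."""
    base = base_url.rstrip("/")
    findings = []

    # 1. Canary: write a random token into cache/ and try to read it back
    #    through the web server. Matching on the token avoids false alarms
    #    from custom error pages that answer 200 for everything.
    token = secrets.token_hex(16)
    canary = Path(install_dir) / "cache" / f"probe-{token[:8]}.txt"
    canary.write_text(token)
    try:
        status, body = fetch(f"{base}/cache/{canary.name}")
        if status == 200 and token.encode() in body:
            findings.append("cache/ is readable over HTTP")
    finally:
        canary.unlink()  # never leave the probe file behind

    # 2. config.php: a 200 is normal when PHP executes the file (empty output).
    #    Seeing the PHP open tag means the source itself is being served.
    status, body = fetch(f"{base}/config.php")
    if status == 200 and b"<?php" in body:
        findings.append("config.php is served as plain text")

    return findings
```

Because the probe looks at what the server actually returns, it gives the same answer whether the protection comes from .htaccess, a vhost `<Directory>` block, or another httpd entirely, and it catches the case where a rule is silently ignored.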

peternowee
Bear Rating Trainee
Posts: 6
Joined: 12 May 2016, 16:45

Re: Add Apache 2.4 access control Require directives

Postby peternowee » 12 May 2016, 18:37

Those are more general decisions that could have been made earlier, but were not. As long as the .htaccess files are there, would my patch not be an improvement?

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Re: Add Apache 2.4 access control Require directives

Postby fox » 12 May 2016, 19:26

this is software development, not religious dogma

if something was added doesn't mean it's going to be here forever just because of it

since you brought this up, now might be the time to rethink those files' presence in trunk instead of mindlessly updating them to w/e syntax apache decides on every time

peternowee
Bear Rating Trainee
Posts: 6
Joined: 12 May 2016, 16:45

Re: Add Apache 2.4 access control Require directives

Postby peternowee » 13 May 2016, 00:11

First some corrections:
  • I did not update these files "mindlessly" or out of "religious dogma". You may have ditched Apache, but I have not and as a user of your software I actually appreciate the bundled .htaccess files, and consider them an extra safety net.
  • You mentioned ownCloud. If I'm not mistaken they also still bundle .htaccess files in addition to the warning message you mentioned.
  • I do not feel that the Apache syntax changes that often. And they did take care of backwards compatibility by supplying the module mod_access_compat.

That said, regarding your wish for a more comprehensive solution, I completely understand it. Another argument to move away from .htaccess files is that the default setting for AllowOverride has changed in Apache 2.4 from All to None, meaning that .htaccess files are by default ignored now. Also, I understand it is difficult for you to test my patch when you're not using Apache.

So, do as you see fit. Thanks for your great software.

JustAMacUser
Bear Rating Overlord
Posts: 373
Joined: 20 Aug 2013, 23:13

Re: Add Apache 2.4 access control Require directives

Postby JustAMacUser » 13 May 2016, 00:19

I think Apache's best days are behind it; Nginx is a solid, out-of-the-box fast solution. It's also much easier to configure.

That being said, .htaccess files don't take up a lot of space and they do tell everyone what parts of the install should be blocked (even if TT-RSS doesn't have any huge concerns in that area).

If you're going to remove them, I'd recommend updating the readme file to include recommendations for which directories to restrict access. (After all, it never hurts to limit access if it's not publicly needed, and it follows the least privileges philosophy.)

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Re: Add Apache 2.4 access control Require directives

Postby fox » 13 May 2016, 07:51

adding to README (and wiki installation guide) sounds like a good idea, also i'm not sure why you are taking stuff personally, op. chill.

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Re: Add Apache 2.4 access control Require directives

Postby fox » 13 May 2016, 09:09

https://tt-rss.org/gitlab/fox/tt-rss/wi ... irectories

as of aa4ab8e .htaccess files are no longer in trunk.

peternowee
Bear Rating Trainee
Posts: 6
Joined: 12 May 2016, 16:45

Re: Add Apache 2.4 access control Require directives

Postby peternowee » 13 May 2016, 10:04

That Wiki page now covers only the cache directory. How about the other files and directories that were covered by .htaccess files (config.php, classes, locale, lock, schema, templates, utils)?

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Re: Add Apache 2.4 access control Require directives

Postby fox » 13 May 2016, 10:51

arguably only config.php needs any special treatment (and only in one specific case where your server is malfunctioning so hard it just allows everyone to download .php files as plain text)

i looked over everything else and in my opinion forbidding access to anything else is not necessary, .htaccess files there were not really needed in the first place

e: updated the wiki page

peternowee
Bear Rating Trainee
Posts: 6
Joined: 12 May 2016, 16:45

Re: Add Apache 2.4 access control Require directives

Postby peternowee » 13 May 2016, 11:20

Ok, thanks.

peternowee
Bear Rating Trainee
Posts: 6
Joined: 12 May 2016, 16:45

Re: Add Apache 2.4 access control Require directives

Postby peternowee » 13 May 2016, 14:42

Btw, Apache recommends to never use <Location> when trying to restrict access to objects in the filesystem, but use Directory and Files directives instead.

For example:

Code:

<Directory /var/www/html/tt-rss>
    <Files "config.php">
        Require all denied
    </Files>
</Directory>

<Directory /var/www/html/tt-rss/cache>
    Require all denied
</Directory>

fox
^ me reading your posts ^
Posts: 6318
Joined: 27 Aug 2005, 22:53
Location: Saint-Petersburg, Russia

Re: Add Apache 2.4 access control Require directives

Postby fox » 13 May 2016, 15:17

fair enough, i can update the wiki to use that syntax

