Closed Bug 97668 Opened 24 years ago Closed 24 years ago

.htaccess created by checksetup.pl is bad

Categories

(Bugzilla :: Documentation, defect, P1)

2.14
x86
Linux
defect

Tracking

RESOLVED FIXED
Bugzilla 2.16

People

(Reporter: kevin.brannen, Assigned: barnboy)

Details

The default .htaccess created by checksetup.pl was incorrect. There is a line in it like: <FilesMatch ^(.*\.pl|localconfig|processmail|syncshadowdb)$> That "^" should not be there. A "diff -c" with the correction is: *** checksetup.pl Thu Aug 30 16:31:20 2001 --- checksetup.pl.orig Thu Aug 30 16:31:03 2001 *************** *** 569,575 **** open HTACCESS, ">.htaccess"; print HTACCESS <<'END'; # don't allow people to retrieve non-cgi executable files or our private data ! <FilesMatch (.*\.pl|localconfig|processmail|syncshadowdb)$> deny from all </FilesMatch> END --- 569,575 ---- open HTACCESS, ">.htaccess"; print HTACCESS <<'END'; # don't allow people to retrieve non-cgi executable files or our private data ! <FilesMatch ^(.*\.pl|localconfig|processmail|syncshadowdb)$> deny from all </FilesMatch> END
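Review bot: The diff is generated in the wrong direction. Its header names checksetup.pl as the old file and checksetup.pl.orig as the new one, so the changed line in the 569,575 hunk adds the "^" to the FilesMatch pattern rather than removing it, and applying the patch as posted would undo the intended correction. Regenerate it with the original first (diff -c checksetup.pl.orig checksetup.pl). Separately, the context line open HTACCESS, ">.htaccess"; has no error check, so a failed open would leave the directory without the deny rule and without any message; appending an "or die" with the error there would surface that.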
I might have hit COMMIT a bit too fast. :-/ My error.log says: [Thu Aug 30 16:38:28 2001] [alert] [client 192.168.103.43] /<PATH>/214/.htaccess: deny not allowed here So the fix may be more than the diff output I posted. I'll continue working on it, but the "out of the box" .htaccess definitely did not work for me.
I am pretty sure, though not sure enough to call this invalid, that your httpd.conf apache config doesn't allow you to override itself with .htaccess files. Try reading up on AllowOverride and insert one into the <directory> commands for the directory that bugzilla is installed inside. Restart apache. If this is still happening, we need to figure out what the matter is. Did you get the same error with the out-of-the-box .htaccess?
Priority: -- → P1
Target Milestone: --- → Bugzilla 2.16
I'd swear I responded to this before I left on vacation, but I don't see the comment, oh well... As a previous comment stated, ``the "out of the box" .htaccess definitely did not work for me.'' :-) I think you've hit the nail by stating the problem is a configuration issue. I think the fix will boil down to a change in the documentation, IMO. OK, trying your suggestion...alright, I had "AllowOverride Authconfig" and changed that to "AllowOverride All", reset the .htaccess to "out of the box" conditions (i.e. I uncommented the lines), restart Apache, and started testing. I find that I can still use BZ, and also can not see localconfig or other sensitive files. So I'd say it's fixed. I think Barnboy needs to add a few lines about this in the guide, maybe in section 3.5.3. Thanks for the help Zach!
to barnboy for docs work
Assignee: zach → barnboy
Component: Installation & Upgrading → Documentation
Definitely taking this and running with it.
Status: NEW → ASSIGNED
Resolving fixed. I have checked this change in to installation.sgml, and it still compiles cleanly (though I have not checked in the compiled HTML):

<para>
  The default .htaccess file may not provide adequate access restrictions, depending on your web server configuration. Be sure to check the &lt;Directory&gt; entries for your Bugzilla directory so that the <filename>.htaccess</filename> file is allowed to override web server defaults. For instance, let's assume your installation of Bugzilla is installed to <filename>/usr/local/bugzilla</filename>. You should have this &lt;Directory&gt; entry in your <filename>httpd.conf</filename> file:
</para>
<para>
<programlisting>
<![CDATA[
<Directory /usr/local/bugzilla/>
  Options +FollowSymLinks +Indexes +Includes +ExecCGI
  AllowOverride All
</Directory>
]]>
</programlisting>
</para>
<para>
  The important part above is <quote>AllowOverride All</quote>. Without that, the <filename>.htaccess</filename> file created by <filename>checksetup.pl</filename> will not have sufficient permissions to protect your Bugzilla installation.
</para>
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
QA Contact: matty_is_a_geek → default-qa
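
The check this bug came down to, as an added example (not part of the original thread and not Bugzilla code): it reads an httpd.conf fragment, finds the most specific <Directory> block covering the install path, and reports whether its AllowOverride lets the generated .htaccess use "deny", then lists which file names the FilesMatch pattern quoted above does not cover. The function names and sample inputs are constructed for illustration, and it assumes plain-path <Directory> blocks (no wildcards or regex forms).

```python
import re

# Override classes that let .htaccess use "deny": Apache files Order/Allow/Deny under Limit.
DENY_CAPABLE = {"all", "limit"}
# FilesMatch pattern from the generated .htaccess, as quoted in this bug.
PROTECTED = re.compile(r"^(.*\.pl|localconfig|processmail|syncshadowdb)$")

def allow_override_for(conf_text, install_dir):
    """AllowOverride tokens of the most specific <Directory> covering install_dir, else None."""
    target = install_dir.rstrip("/") + "/"
    best, best_len, current = None, -1, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        if opened:
            current = opened.group(1).rstrip("/") + "/"
        elif line.lower().startswith("</directory"):
            current = None
        elif current and line.lower().startswith("allowoverride"):
            if target.startswith(current) and len(current) > best_len:
                best, best_len = line.split()[1:], len(current)
    return best

def htaccess_can_deny(conf_text, install_dir):
    """True only when an explicit AllowOverride lets .htaccess issue "deny from all"."""
    tokens = allow_override_for(conf_text, install_dir)
    return tokens is not None and any(t.lower() in DENY_CAPABLE for t in tokens)

def uncovered(filenames):
    """File names the FilesMatch pattern does not match, so no deny applies to them."""
    return [name for name in filenames if not PROTECTED.search(name)]

# Constructed httpd.conf fragments: the reporter's setting, then the documented one.
ROOT = "<Directory />\n    AllowOverride None\n</Directory>\n"
BEFORE = ROOT + "<Directory /usr/local/bugzilla/>\n    AllowOverride AuthConfig\n</Directory>\n"
AFTER = ROOT + "<Directory /usr/local/bugzilla/>\n    AllowOverride All\n</Directory>\n"

if __name__ == "__main__":
    for label, conf in (("AuthConfig", BEFORE), ("All", AFTER)):
        print(label, "-> deny usable in .htaccess:", htaccess_can_deny(conf, "/usr/local/bugzilla"))
    # Constructed file list for checking pattern coverage.
    print("not covered:", uncovered(["localconfig", "checksetup.pl", "index.cgi", "localconfig.bak"]))
```

A path with no explicit AllowOverride in the file is reported as not verified (False), since the built-in default depends on the Apache version in use.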