[CentOS] Apache Directory Level access control

Tue Jan 21 16:11:48 UTC 2014
James B. Byrne <byrnejb at harte-lyne.ca>

CentOS-6.5
httpd-2.2.15 (centos)

I am trying to understand how directory access control works in Apache-2.2.
Does a means exist to revoke access in a subdirectory if access has been
granted in a higher one?  We restrict access to the entire site via htdigest
but some directories need to be further restricted by the group a user is
assigned to.  I have this situation:


<Directory />
    AuthType Digest
    AuthName ca.harte-lyne
    AuthDigestDomain /
    AuthDigestProvider file
    AuthUserFile /etc/httpd/access.d/.htdigest
    AuthGroupFile /var/data/hll_dav/htgroup

    Require group staff

    AllowOverride None
    Order allow,deny
    allow from all
    Satisfy All

    Options Indexes MultiViews
    IndexOptions FancyIndexing
    AddDefaultCharset UTF-8
</Directory>

<Directory /Private>
    Require group management
</Directory>

In this setup a member of group staff who is not a member of group management
nonetheless can list and download files in /Private.  I want to prevent this. 
Is this possible and if so then how is this done?



-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
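
Added example, not part of the original post: a simplified Python model of how Apache 2.2 applies plain `<Directory>` sections, which match filesystem paths (not URL paths) and in which a deeper section's `Require` replaces the inherited one. The document root `/var/www/html`, the file names and the group memberships are assumptions; under them the posted `<Directory /Private>` never applies to the served file, while the same section written with the full filesystem path does.

```python
from pathlib import PurePosixPath

# The two sections from the post, as (filesystem path, required group).
POSTED = [("/", "staff"), ("/Private", "management")]
# Same sections, with the second one pointing at the assumed on-disk location.
FIXED = [("/", "staff"), ("/var/www/html/Private", "management")]

# Constructed group membership (the AuthGroupFile contents are not in the post).
GROUPS = {"staff": {"alice", "bob"}, "management": {"alice"}}

# Assumed filesystem locations of two served files.
PRIVATE_FILE = "/var/www/html/Private/report.pdf"
PUBLIC_FILE = "/var/www/html/index.html"


def applies(section_path, file_path):
    """A plain <Directory> section applies when its path is the file's
    directory or one of its ancestors on the filesystem."""
    sec = PurePosixPath(section_path)
    target = PurePosixPath(file_path)
    return sec == target or sec in target.parents


def effective_group(sections, file_path):
    """Merge matching sections shortest path first; a Require in a deeper
    section replaces the one inherited from a shallower section."""
    group = None
    ordered = sorted(sections, key=lambda s: len(PurePosixPath(s[0]).parts))
    for path, required in ordered:
        if applies(path, file_path):
            group = required
    return group


def allowed(user, sections, file_path, groups=GROUPS):
    """Authorization outcome for an already authenticated user."""
    group = effective_group(sections, file_path)
    if group is None:
        return True  # no Require in scope: no group check is made
    return user in groups.get(group, set())


if __name__ == "__main__":
    for name, sections in (("posted", POSTED), ("fixed", FIXED)):
        print(name, effective_group(sections, PRIVATE_FILE),
              "bob allowed:", allowed("bob", sections, PRIVATE_FILE))
```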