Control: tag -1 patch pending Dear maintainer,
I've prepared an NMU for libapache2-mod-authz-unixgroup (versioned as 1.1.0-0.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer. (I notice this package has been orphaned, but that the intended adopter hasn't actually taken it over yet, so I guess it's fine ...) The packaging part of this diff is quite simple, and is as follows:
diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/changelog libapache2-mod-authz-unixgroup-1.1.0/debian/changelog
--- libapache2-mod-authz-unixgroup-1.0.2/debian/changelog 2013-07-11 11:56:00.000000000 +0100
+++ libapache2-mod-authz-unixgroup-1.1.0/debian/changelog 2013-07-11 11:56:00.000000000 +0100
@@ -1,3 +1,12 @@
+libapache2-mod-authz-unixgroup (1.1.0-0.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * New upstream release, suitable for Apache 2.4 (closes: #666849).
+ * Port packaging to Apache 2.4.
+ * Update debian/watch.
+
+ -- Colin Watson <cjwat...@debian.org> Thu, 11 Jul 2013 11:52:29 +0100
+
 libapache2-mod-authz-unixgroup (1.0.2-1) unstable; urgency=low
 * Apache .load file now gets installed
diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/control libapache2-mod-authz-unixgroup-1.1.0/debian/control
--- libapache2-mod-authz-unixgroup-1.0.2/debian/control 2013-07-11 11:56:00.000000000 +0100
+++ libapache2-mod-authz-unixgroup-1.1.0/debian/control 2013-07-11 11:56:00.000000000 +0100
@@ -2,13 +2,13 @@ Section: web Priority: optional Maintainer: Hai Zaar <haiz...@haizaar.com> -Build-Depends: debhelper (>= 7), apache2-threaded-dev (>= 2.2.0) +Build-Depends: debhelper (>= 7), dh-apache2, apache2-dev (>= 2.2.0) Standards-Version: 3.8.2 Homepage: http://www.unixpapa.com/mod_authz_unixgroup Package: libapache2-mod-authz-unixgroup Architecture: any -Depends: ${shlibs:Depends}, apache2.2-common +Depends: ${shlibs:Depends}, ${misc:Depends} Description: access control based on on unix group membership for Apache Mod_Authz_Unixgroup is a unix group access control module for Apache 2.1 and later. If you are having users authenticate with real Unix login ID over the @@ -16,4 +16,4 @@ you want to do access control based on unix group membership, then mod_authz_unixgroup is exactly what you need. . - This Package includes the mod-authn-unixgroup Module for Apache Version 2.2 + This Package includes the mod-authn-unixgroup Module for Apache Version 2.4 diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/libapache2-mod-authz-unixgroup.apache2 libapache2-mod-authz-unixgroup-1.1.0/debian/libapache2-mod-authz-unixgroup.apache2 --- libapache2-mod-authz-unixgroup-1.0.2/debian/libapache2-mod-authz-unixgroup.apache2 1970-01-01 01:00:00.000000000 +0100 +++ libapache2-mod-authz-unixgroup-1.1.0/debian/libapache2-mod-authz-unixgroup.apache2 2013-07-11 11:56:00.000000000 +0100 @@ -0,0 +1,2 @@ +mod .libs/mod_authz_unixgroup.so +mod debian/authz_unixgroup.load diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/libapache2-mod-authz-unixgroup.dirs libapache2-mod-authz-unixgroup-1.1.0/debian/libapache2-mod-authz-unixgroup.dirs --- libapache2-mod-authz-unixgroup-1.0.2/debian/libapache2-mod-authz-unixgroup.dirs 2013-07-11 11:56:00.000000000 +0100 +++ libapache2-mod-authz-unixgroup-1.1.0/debian/libapache2-mod-authz-unixgroup.dirs 1970-01-01 01:00:00.000000000 +0100 
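Review bot: `apache2-dev (>= 2.2.0)` on the new `Build-Depends` line understates what this release needs: the mod_authz_unixgroup.c in the same upload uses the 2.4-only authz provider API (`authz_provider`, `AUTHZ_PROVIDER_GROUP`, `AUTHZ_DENIED_NO_USER`), so a build against 2.2 headers cannot succeed, and `Build-Depends: debhelper (>= 7), dh-apache2, apache2-dev (>= 2.4~)` states the real requirement (the runtime side is presumably pinned by the `${misc:Depends}` that dh-apache2 fills in). The long description two lines above the line changed to say "Version 2.4" still reads `for Apache 2.1 and later`, which contradicts the shipped INSTALL (2.2.x needs 1.0.x, 2.4.x needs 1.1.x); changing it to `for Apache 2.4 and later` stops an administrator on 2.2 from being pointed at a module that will not load there.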
@@ -1,2 +0,0 @@
-usr/lib/apache2/modules
-etc/apache2/mods-available
diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/libapache2-mod-authz-unixgroup.install libapache2-mod-authz-unixgroup-1.1.0/debian/libapache2-mod-authz-unixgroup.install
--- libapache2-mod-authz-unixgroup-1.0.2/debian/libapache2-mod-authz-unixgroup.install 2013-07-11 11:56:00.000000000 +0100
+++ libapache2-mod-authz-unixgroup-1.1.0/debian/libapache2-mod-authz-unixgroup.install 1970-01-01 01:00:00.000000000 +0100
@@ -1,3 +0,0 @@
-.libs/mod_authz_unixgroup.so usr/lib/apache2/modules
-debian/authz_unixgroup.load etc/apache2/mods-available
-
diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/rules libapache2-mod-authz-unixgroup-1.1.0/debian/rules
--- libapache2-mod-authz-unixgroup-1.0.2/debian/rules 2013-07-11 11:56:00.000000000 +0100
+++ libapache2-mod-authz-unixgroup-1.1.0/debian/rules 2013-07-11 11:56:00.000000000 +0100
@@ -47,6 +47,7 @@
 dh_installdocs
 dh_installexamples
 dh_install
+ dh_apache2
 dh_link
 dh_strip
 dh_compress
diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/watch libapache2-mod-authz-unixgroup-1.1.0/debian/watch
--- libapache2-mod-authz-unixgroup-1.0.2/debian/watch 2013-07-11 11:56:00.000000000 +0100
+++ libapache2-mod-authz-unixgroup-1.1.0/debian/watch 2013-07-11 11:56:00.000000000 +0100
@@ -9,7 +9,7 @@
 # Uncomment to examine a Webpage
 # <Webpage URL> <string match>
 #http://www.example.com/downloads.php #PACKAGE#-(.*)\.tar\.gz
-http://code.google.com/p/mod-auth-external/downloads/list http://mod-auth-external.googlecode.com/files/mod_authz_unixgroup-(.*)\.tar\.gz
+http://code.google.com/p/mod-auth-external/downloads/list?can=1 .*/mod_authz_unixgroup-(\d[\d.]*)\.tar\.gz
 # Uncomment to examine a Webserver directory
 #http://www.example.com/pub/#PACKAGE#-(.*)\.tar\.gz
Thanks, -- Colin Watson [cjwat...@debian.org]
diff -Nru libapache2-mod-authz-unixgroup-1.0.2/CHANGES libapache2-mod-authz-unixgroup-1.1.0/CHANGES --- libapache2-mod-authz-unixgroup-1.0.2/CHANGES 2009-05-21 20:49:38.000000000 +0100 +++ libapache2-mod-authz-unixgroup-1.1.0/CHANGES 2011-10-06 20:13:04.000000000 +0100 @@ -1,3 +1,19 @@ +v1.1.0 (Jan Wolter - Oct 6, 2011) +----------------------------------- + * Revised to work as an access control provider in Apache 2.4. + * Eliminated "AuthzUnixgroup on" directive because it is no longer needed. + * Eliminated "AuthnzUnixgroupError 403" directive because it is supplanted + by "AuthzSendForbiddenOnFailure On". + * Eliminated "AuthzUnixgroupAuthoritative off" directive because the whole + concept of authoritativeness is dead for access control providers in + Apache 2.4. + +v1.0.3 (Jan Wolter - Oct 6, 2011) +------------------------------------ + * Allow group names to be quoted, so that you can have group names with + spaces in them. This change was suggested by David Homborg. + * Document updated with references to versions for Apache 2.4. + v1.0.2 (Jan Wolter - May 21, 2009) ------------------------------------ * Adding copyright and Apache Version 2.0 license in LICENSE and NOTICE diff -Nru libapache2-mod-authz-unixgroup-1.0.2/INSTALL libapache2-mod-authz-unixgroup-1.1.0/INSTALL --- libapache2-mod-authz-unixgroup-1.0.2/INSTALL 2009-05-21 20:49:38.000000000 +0100 +++ libapache2-mod-authz-unixgroup-1.1.0/INSTALL 2011-10-06 20:13:04.000000000 +0100 @@ -2,6 +2,12 @@ NOTES: + * Different versions of Apache require different versions of + mod_authz_unixgroup: + + Apache 2.2.x requires mod_authz_unixgroup 1.0.x + Apache 2.4.x requires mod_authz_unixgroup 1.1.x + * There are two ways of installing mod_authz_unixgroup. (1) You can statically link it with Apache. This requires rebuilding 
@@ -89,18 +95,14 @@ CONFIGURATION: -------------- -Mod_authz_unixgroup is pretty simple to use. First, you need to enable it -for whatever directory you want to use it in, by inserting the following -directive either in a .htaccess file in the directory or a <Directory> block -in the httpd.conf file: - - AuthzUnixgroup on +Mod_authz_unixgroup is extremely simple to use. Presumably you already are +setting up some kind of authentication in a .htaccess file or in a +<Directory> block in the httpd.conf file. You'll just need to change the +"Require" directive there to something like: -Second, you will need a require directive like - - Require group admin + Require unix-group admin or - Require group students teachers staff + Require unix-group students teachers staff Obviously this only makes sense in a directory where you are doing authentication. This could be any kind of authentication, but it makes @@ -121,7 +123,7 @@ It is also possible to list groups by gid number instead of name, like - Require group 10 + Require unix-group 10 would be equivalent to "Require group admin" if the gid listed for the group admin in /etc/group is 10. 
@@ -130,12 +132,20 @@ mod_authz_unixgroup to check access based on file groups. For example if we do: - AuthzUnixgroup on - Require file-group + Require unix-file-group Then a user will be able to access a file if and only if that file is owned by a group of which the user is a member. +Changes from Previous Versions: +------------------------------- + +Previous versions of mod_authz_unixgroup needed a 'AuthzUnixgroup on' to +tell Apache that the "Require file-group" directive was supposed to be +handled by mod_authz_unixgroup. Now we have a distinct directive, +"Require unix-file-group" instead, so the 'AuthzUnixgroup' is no longer +needed and no longer exists. + Normally, when an access check fails, mod_authz_unixgroup will return a HTTP 401 error. This will typically cause the browser to pop up a message saying "Authentication Failed" and then the browser will ask for a new login 
@@ -143,15 +153,12 @@ "Require file-group" directive, you may not want to log the user off every time he hits a file he doesn't have access to. Maybe you'd rather just show a "Permission denied message" and not log him off. You could do that by -directing mod_authz_unixgroup to return a 403 error instead of a 401 error. -You can do this with the following directive: - - AuthnzUnixgroupError 403 - -By default, mod_authz_unixgroup is authoritative. If you want to use more -than one group checker, like mod_authz_unixgroup together with -mod_authz_groupfile or mod_authz_dbm, then you'll want to make them non- -authoritative, so that if one fails, the other will be tried. You can -make mod_authz_unixgroup non-authoritative by saying: - - AuthzUnixgroupAuthoritative off +returning 403 error instead of a 401 error. Older versions of +mod_authz_unixgroup had a directive called 'AuthnzUnixgroupError' that did +this, but in Apache 2.4 that is replaced with a new standard Apache directive: + + AuthzUnixgroupAuthoritative off + +There also used to be an 'AuthzUnixgroupAuthoritative' directive which is +also gone, since the whole concept of authoritativeness no longer applies +to access control providers in Apache 2.4. diff -Nru libapache2-mod-authz-unixgroup-1.0.2/README libapache2-mod-authz-unixgroup-1.1.0/README --- libapache2-mod-authz-unixgroup-1.0.2/README 2009-05-21 20:51:01.000000000 +0100 +++ libapache2-mod-authz-unixgroup-1.1.0/README 2011-10-06 20:13:04.000000000 +0100 
@@ -1,14 +1,15 @@ - Mod_Authz_Unixgroup version 1.0.2 + Mod_Authz_Unixgroup version 1.1.0 Author: Jan Wolter Website: http://www.unixpapa.com/mod_authz_unixgroup/ - Requires: Apache 2.1 or later on a Unix server + Requires: Apache 2.3 or later on a Unix server + (for Apache 2.2 use mod_authz_unixgroup 1.0.x) -Mod_Authz_Unixgroup is a unix group access control modules for Apache 2.1 and -later. If you are having users authenticate with real Unix login ID over the -net, using something like my mod_authnz_external/pwauth combination, and you -want to do access control based on unix group membership, then -mod_authz_unixgroup is exactly what you need. +Mod_Authz_Unixgroup is a unix group access control modules for Apache. If +you are having users authenticate with real Unix login ID over the net, using +something like my mod_authnz_external/pwauth combination, and you want to do +access control based on unix group membership, then mod_authz_unixgroup is +exactly what you need. Let's say that you were using this with mod_authnz_external and pwauth. Your .htaccess file for a protected directory would probably start with the @@ -22,10 +23,9 @@ That would cause mod_auth_basic and mod_authnz_external to do authentication based on the Unix passwd database. Mod_Authz_Unixgroup would come into play if you wanted to further restrict access to specific Unix groups. You might -append the following directives: +append the following directive: - AuthzUnixgroup on - Require group staff admin + Require unix-group staff admin This would allow only access to accounts in the 'staff' or 'admin' unix groups. You can alternately specify groups by their gid numbers instead of their names. @@ -33,7 +33,7 @@ Or you could use mod_authz_unixgroup together with the standard apache module mod_authz_owner to do something like: - Require file-group + Require unix-file-group This would allow access to the page, only the user was a member of the unix group that owns the file. 
@@ -52,10 +52,10 @@ and ignore the rest. Mod_authnz_external is available from: - http://www.unixpapa.com/mod_auth_external/ + http://code.google.com/p/mod-auth-external/ Pwauth is available from: - http://www.unixpapa.com/pwauth/ + http://code.google.com/p/pwauth/ It might also be possible to use this with mod_auth_shadow, expecially if a authn/authz version of that is ever released. diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/changelog libapache2-mod-authz-unixgroup-1.1.0/debian/changelog --- libapache2-mod-authz-unixgroup-1.0.2/debian/changelog 2013-07-11 11:56:00.000000000 +0100 +++ libapache2-mod-authz-unixgroup-1.1.0/debian/changelog 2013-07-11 11:56:00.000000000 +0100 @@ -1,3 +1,12 @@ +libapache2-mod-authz-unixgroup (1.1.0-0.1) unstable; urgency=low + + * Non-maintainer upload. + * New upstream release, suitable for Apache 2.4 (closes: #666849). + * Port packaging to Apache 2.4. + * Update debian/watch. + + -- Colin Watson <cjwat...@debian.org> Thu, 11 Jul 2013 11:52:29 +0100 + libapache2-mod-authz-unixgroup (1.0.2-1) unstable; urgency=low * Apache .load file now gets installed diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/control libapache2-mod-authz-unixgroup-1.1.0/debian/control --- libapache2-mod-authz-unixgroup-1.0.2/debian/control 2013-07-11 11:56:00.000000000 +0100 +++ libapache2-mod-authz-unixgroup-1.1.0/debian/control 2013-07-11 11:56:00.000000000 +0100 
@@ -2,13 +2,13 @@ Section: web Priority: optional Maintainer: Hai Zaar <haiz...@haizaar.com> -Build-Depends: debhelper (>= 7), apache2-threaded-dev (>= 2.2.0) +Build-Depends: debhelper (>= 7), dh-apache2, apache2-dev (>= 2.2.0) Standards-Version: 3.8.2 Homepage: http://www.unixpapa.com/mod_authz_unixgroup Package: libapache2-mod-authz-unixgroup Architecture: any -Depends: ${shlibs:Depends}, apache2.2-common +Depends: ${shlibs:Depends}, ${misc:Depends} Description: access control based on on unix group membership for Apache Mod_Authz_Unixgroup is a unix group access control module for Apache 2.1 and later. If you are having users authenticate with real Unix login ID over the @@ -16,4 +16,4 @@ you want to do access control based on unix group membership, then mod_authz_unixgroup is exactly what you need. . - This Package includes the mod-authn-unixgroup Module for Apache Version 2.2 + This Package includes the mod-authn-unixgroup Module for Apache Version 2.4 diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/libapache2-mod-authz-unixgroup.apache2 libapache2-mod-authz-unixgroup-1.1.0/debian/libapache2-mod-authz-unixgroup.apache2 --- libapache2-mod-authz-unixgroup-1.0.2/debian/libapache2-mod-authz-unixgroup.apache2 1970-01-01 01:00:00.000000000 +0100 +++ libapache2-mod-authz-unixgroup-1.1.0/debian/libapache2-mod-authz-unixgroup.apache2 2013-07-11 11:56:00.000000000 +0100 @@ -0,0 +1,2 @@ +mod .libs/mod_authz_unixgroup.so +mod debian/authz_unixgroup.load diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/libapache2-mod-authz-unixgroup.dirs libapache2-mod-authz-unixgroup-1.1.0/debian/libapache2-mod-authz-unixgroup.dirs --- libapache2-mod-authz-unixgroup-1.0.2/debian/libapache2-mod-authz-unixgroup.dirs 2013-07-11 11:56:00.000000000 +0100 +++ libapache2-mod-authz-unixgroup-1.1.0/debian/libapache2-mod-authz-unixgroup.dirs 1970-01-01 01:00:00.000000000 +0100 
@@ -1,2 +0,0 @@ -usr/lib/apache2/modules -etc/apache2/mods-available diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/libapache2-mod-authz-unixgroup.install libapache2-mod-authz-unixgroup-1.1.0/debian/libapache2-mod-authz-unixgroup.install --- libapache2-mod-authz-unixgroup-1.0.2/debian/libapache2-mod-authz-unixgroup.install 2013-07-11 11:56:00.000000000 +0100 +++ libapache2-mod-authz-unixgroup-1.1.0/debian/libapache2-mod-authz-unixgroup.install 1970-01-01 01:00:00.000000000 +0100 @@ -1,3 +0,0 @@ -.libs/mod_authz_unixgroup.so usr/lib/apache2/modules -debian/authz_unixgroup.load etc/apache2/mods-available - diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/rules libapache2-mod-authz-unixgroup-1.1.0/debian/rules --- libapache2-mod-authz-unixgroup-1.0.2/debian/rules 2013-07-11 11:56:00.000000000 +0100 +++ libapache2-mod-authz-unixgroup-1.1.0/debian/rules 2013-07-11 11:56:00.000000000 +0100 @@ -47,6 +47,7 @@ dh_installdocs dh_installexamples dh_install + dh_apache2 dh_link dh_strip dh_compress diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/watch libapache2-mod-authz-unixgroup-1.1.0/debian/watch --- libapache2-mod-authz-unixgroup-1.0.2/debian/watch 2013-07-11 11:56:00.000000000 +0100 +++ libapache2-mod-authz-unixgroup-1.1.0/debian/watch 2013-07-11 11:56:00.000000000 +0100 
@@ -9,7 +9,7 @@ # Uncomment to examine a Webpage # <Webpage URL> <string match> #http://www.example.com/downloads.php #PACKAGE#-(.*)\.tar\.gz -http://code.google.com/p/mod-auth-external/downloads/list http://mod-auth-external.googlecode.com/files/mod_authz_unixgroup-(.*)\.tar\.gz +http://code.google.com/p/mod-auth-external/downloads/list?can=1 .*/mod_authz_unixgroup-(\d[\d.]*)\.tar\.gz # Uncomment to examine a Webserver directory #http://www.example.com/pub/#PACKAGE#-(.*)\.tar\.gz diff -Nru libapache2-mod-authz-unixgroup-1.0.2/mod_authz_unixgroup.c libapache2-mod-authz-unixgroup-1.1.0/mod_authz_unixgroup.c --- libapache2-mod-authz-unixgroup-1.0.2/mod_authz_unixgroup.c 2009-05-21 20:49:38.000000000 +0100 +++ libapache2-mod-authz-unixgroup-1.1.0/mod_authz_unixgroup.c 2011-10-06 20:13:04.000000000 +0100 
@@ -32,65 +32,8 @@
  */
 module AP_MODULE_DECLARE_DATA authz_unixgroup_module;
-/*
- * Data type for per-directory configuration
- */
-
-typedef struct
-{
- int enabled;
- int authoritative;
- char *errcode;
-
-} authz_unixgroup_dir_config_rec;
-
-
-/*
- * Creator for per-dir configurations. This is called via the hook in the
- * module declaration to allocate and initialize the per-directory
- * configuration data structures declared above.
- */
-
-static void *create_authz_unixgroup_dir_config(apr_pool_t *p, char *d)
-{
- authz_unixgroup_dir_config_rec *dir= (authz_unixgroup_dir_config_rec *)
- apr_palloc(p, sizeof(authz_unixgroup_dir_config_rec));
-
- dir->enabled= 0;
- dir->authoritative= 1; /* strong by default */
- dir->errcode= NULL; /* default to 401 */
-
- return dir;
-}
-
-
-/*
- * Config file commands that this module can handle
- */
-
-static const command_rec authz_unixgroup_cmds[] =
-{
- AP_INIT_FLAG("AuthzUnixgroup",
- ap_set_flag_slot,
- (void *)APR_OFFSETOF(authz_unixgroup_dir_config_rec, enabled),
- OR_AUTHCFG,
- "Set to 'on' to enable unix group checking"),
-
- AP_INIT_FLAG("AuthzUnixgroupAuthoritative",
- ap_set_flag_slot,
- (void *)APR_OFFSETOF(authz_unixgroup_dir_config_rec, authoritative),
- OR_AUTHCFG,
- "Set to 'off' to allow access control to be passed along to lower "
- "modules if this module can't confirm access rights" ),
-
- AP_INIT_TAKE1("AuthzUnixgroupError",
- ap_set_string_slot,
- (void *)APR_OFFSETOF(authz_unixgroup_dir_config_rec, errcode),
- OR_AUTHCFG,
- "HTTP error code to return when user is not in group" ),
-
- { NULL }
-};
+/* A handle for retrieving the requested file's group from mod_authnz_owner */
+APR_DECLARE_OPTIONAL_FN(char*, authz_owner_get_file_group, (request_rec *r));
 /* Check if the named user is in the given list of groups. The list of
@@ -125,7 +68,7 @@
 /* Loop through list of groups passed in */
 while (*grouplist != '\0')
 {
- w= ap_getword_white(r->pool, &grouplist);
+ w= ap_getword_conf(r->pool, &grouplist);
 if (apr_isdigit(w[0]))
 {
 /* Numeric group id */
@@ -170,94 +113,84 @@
 return 0;
 }
-
-static int authz_unixgroup_check_user_access(request_rec *r)
+static authz_status unixgroup_check_authorization(request_rec *r,
+ const char *require_args, const void *parsed_require_args)
 {
- authz_unixgroup_dir_config_rec *dir= (authz_unixgroup_dir_config_rec *)
- ap_get_module_config(r->per_dir_config, &authz_unixgroup_module);
+ /* If no authenticated user, pass */
+ if ( !r->user ) return AUTHZ_DENIED_NO_USER;
- int m= r->method_number;
- int i,ret;
- const char *t, *w;
- const apr_array_header_t *reqs_arr= ap_requires(r);
- const char *filegroup= NULL;
- int required_group= 0;
- require_line *reqs;
+ if (check_unix_group(r,require_args))
+ return AUTHZ_GRANTED;
+
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Authorization of user %s to access %s failed. "
+ "User not in Required unix groups (%s).",
+ r->user, r->uri, require_args);
- /* If not enabled, pass */
- if ( !dir->enabled ) return DECLINED;
+ return AUTHZ_DENIED;
+}
- /* If there are no Require arguments, pass */
- if (!reqs_arr) return DECLINED;
- reqs= (require_line *)reqs_arr->elts;
+APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group;
- /* Loop through the "Require" argument list */
- for(i= 0; i < reqs_arr->nelts; i++)
- {
- if (!(reqs[i].method_mask & (AP_METHOD_BIT << m))) continue;
+static authz_status unixfilegroup_check_authorization(request_rec *r,
+ const char *require_args, const void *parsed_require_args)
+{
+ const char *filegroup= NULL;
- t= reqs[i].requirement;
- w= ap_getword_white(r->pool, &t);
+ /* If no authenticated user, pass */
+ if ( !r->user ) return AUTHZ_DENIED_NO_USER;
- /* The 'file-group' directive causes mod_authz_owner to store the
- * group name of the file we are trying to access in a note attached
- * to the request. It's our job to decide if the user actually is
- * in that group. If the note is missing, we just ignore it.
- * Probably mod_authz_owner is not installed.
- */
- if ( !strcasecmp(w, "file-group"))
- {
- filegroup= apr_table_get(r->notes, AUTHZ_GROUP_NOTE);
- if (filegroup == NULL) continue;
- }
+ /* Get group name for requested file from mod_authz_owner */
+ filegroup= authz_owner_get_file_group(r);
- if ( !strcmp(w,"group") || filegroup != NULL)
- {
- required_group= 1;
+ if (!filegroup)
+ /* No errog log entry, because mod_authz_owner already made one */
+ return AUTHZ_DENIED;
- if (filegroup)
- {
- /* Check if user is in the group that owns the file */
- if (check_unix_group(r,filegroup))
- return OK;
- }
- else if (t[0])
- {
- /* Pass rest of require line to authenticator */
- if (check_unix_group(r,t))
- return OK;
- }
- }
- }
+ if (check_unix_group(r,filegroup))
+ return AUTHZ_GRANTED;
- /* If we didn't see a 'require group' or aren't authoritive, decline */
- if (!required_group || !dir->authoritative)
- return DECLINED;
-
- /* Authentication failed and we are authoritive, declare unauthorized */
 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "access to %s failed, reason: user %s not allowed access (%s)",
- r->uri, r->user, dir->errcode);
-
- ap_note_basic_auth_failure(r);
+ "Authorization of user %s to access %s failed. "
+ "User not in Required unix file group (%s).",
+ r->user, r->uri, filegroup);
- return (dir->errcode && (ret= atoi(dir->errcode)) > 0) ? ret :
- HTTP_UNAUTHORIZED;
+ return AUTHZ_DENIED;
 }
+static const authz_provider authz_unixgroup_provider =
+{
+ &unixgroup_check_authorization,
+ NULL,
+};
+
+static const authz_provider authz_unixfilegroup_provider =
+{
+ &unixfilegroup_check_authorization,
+ NULL,
+};
+
 static void authz_unixgroup_register_hooks(apr_pool_t *p)
 {
- ap_hook_auth_checker(authz_unixgroup_check_user_access, NULL, NULL,
- APR_HOOK_MIDDLE);
+ /* Get a handle on mod_authz_owner */
+ authz_owner_get_file_group = APR_RETRIEVE_OPTIONAL_FN(authz_owner_get_file_group);
+
+ /* Register authz providers */
+ ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "unix-group",
+ AUTHZ_PROVIDER_VERSION,
+ &authz_unixgroup_provider, AP_AUTH_INTERNAL_PER_CONF);
+
+ ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "unix-file-group",
+ AUTHZ_PROVIDER_VERSION,
+ &authz_unixfilegroup_provider, AP_AUTH_INTERNAL_PER_CONF);
 }
-
 module AP_MODULE_DECLARE_DATA authz_unixgroup_module =
 {
 STANDARD20_MODULE_STUFF,
- create_authz_unixgroup_dir_config, /* create per-dir config */
+ NULL, /* create per-dir config */
 NULL, /* merge per-dir config */
 NULL, /* create per-server config */
 NULL, /* merge per-server config */
- authz_unixgroup_cmds, /* command apr_table_t */
+ NULL, /* command apr_table_t */
 authz_unixgroup_register_hooks /* register hooks */
 };
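Review bot: `unixfilegroup_check_authorization` calls `authz_owner_get_file_group(r)` without checking the pointer, and the `APR_RETRIEVE_OPTIONAL_FN` in `authz_unixgroup_register_hooks` yields NULL when mod_authz_owner is not loaded (and, if I read the hook ordering right, also when it is loaded after this module), so any request to a location carrying `Require unix-file-group` then calls through a NULL function pointer and kills the worker — a remotely triggerable crash where the removed 1.0.x code merely skipped a missing note. The pointer should be tested and the request denied with a log line, and the lookup belongs in an `ap_hook_optional_fn_retrieve` callback, which runs after every module has registered its optional functions; the variable should also be `static`, since nothing outside this file needs it. Only the rewritten pieces are shown below; the rest of the hunk stands.
```c
/* … unchanged: unixgroup_check_authorization … */

/* Filled in by the optional_fn_retrieve hook; stays NULL when mod_authz_owner is absent. */
static APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group;

static void authz_unixgroup_retrieve_optional_fns(void)
{
    /* Runs once every module has registered its optional functions,
     * so the result does not depend on LoadModule order. */
    authz_owner_get_file_group = APR_RETRIEVE_OPTIONAL_FN(authz_owner_get_file_group);
}

static authz_status unixfilegroup_check_authorization(request_rec *r,
    const char *require_args, const void *parsed_require_args)
{
    const char *filegroup= NULL;

    /* If no authenticated user, pass */
    if ( !r->user ) return AUTHZ_DENIED_NO_USER;

    /* Fail closed instead of calling a NULL pointer when mod_authz_owner is not loaded */
    if (!authz_owner_get_file_group) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
            "'Require unix-file-group' for %s needs mod_authz_owner, "
            "which is not loaded; denying access", r->uri);
        return AUTHZ_DENIED;
    }

    /* Get group name for requested file from mod_authz_owner */
    filegroup= authz_owner_get_file_group(r);
    /* … unchanged: NULL-filegroup check, group check and failure log … */
}

/* … unchanged: provider structs … */

static void authz_unixgroup_register_hooks(apr_pool_t *p)
{
    ap_hook_optional_fn_retrieve(authz_unixgroup_retrieve_optional_fns,
                                 NULL, NULL, APR_HOOK_MIDDLE);
    /* … unchanged: ap_register_auth_provider calls … */
}
```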