that functionality was not ported into 2.x yet.
For summary look at the attachment, please ;-)
I've created a module "mod_authz_owner", which basically ports the
functionality, but with some enhancements. Both requirements should work on
every system where APR_HAS_USER. (or at least throw an appropriate error
message - think of the differences between Win9x, WinNT, 2k etc.)
The goal of the module is to do all the neccessary file system work to
figure out username and groupname. "Require file-owner" is completely
resolved within the module. "file-group" is only determined there and the
groupname will be extracted from the stat call and stored within the
r->notes. Done that, the module will decline, so that the group database
modules (mod_authz_groupfile, mod_authz_dbm) can verify the groupname with
their lists.
Thus every group module that supports the file-group requirement must be
hooked after mod_authz_owner. They have to recognize "file-group" and read
the groupname from r->notes. (If there's no name stored, the modules ignore
the file-group requirement). The backstopper module will do its work in
worst case.
However, there are some problems, that need help and further review:
- is that note principle ok (in concept?) or is there a better way to
communicate?
- I defined slightly different semantics of AuthzOwnerAuthoritative.
It acts as "file-owner" and "file-group" were defined in different
modules. So if set to On, only one of them will be recognized and if it
fails, a 401 response will happen. If Off, both may be recognized and the
best match will be done.
I'm not sure, whether this is good or bad, opinions are desired :)
- the module doesn't work as one could expect if the file doesn't exist in
the first request round (consider MutliViews) (the 1.3 version has the
same problem). I played around with some subrequest techniques, but got
no helpful result. Is there any magic to recognize the actual resulting
filename? Or can we safely send OK if the file doesn't exist (instead of
401)?
- generally - are there any style issues, I have violated? ;-)
TIA, nd
--
Da f�llt mir ein, wieso gibt es eigentlich in Unicode kein
"i" mit einem Herzchen als T�pfelchen? Das w�r sooo s��ss!
-- Bj�rn H�hrmann in darw
diff -Nur modules/aaa.orig/config.m4 modules/aaa/config.m4
--- modules/aaa.orig/config.m4 Fri Nov 29 00:02:44 2002
+++ modules/aaa/config.m4 Tue Jan 07 06:35:50 2003
@@ -26,6 +26,7 @@
APACHE_MODULE(authz_groupfile, 'require group' authorization control, , , yes)
APACHE_MODULE(authz_user, 'require user' authorization control, , , yes)
APACHE_MODULE(authz_dbm, DBM-based authorization control, , , most)
+APACHE_MODULE(authz_owner, 'require file-owner' authorization control, , , most)
dnl - and just in case all of the above punt; a default handler to
dnl keep the bad guys out.
diff -Nur modules/aaa.orig/mod_auth.h modules/aaa/mod_auth.h
--- modules/aaa.orig/mod_auth.h Fri Sep 20 01:57:49 2002
+++ modules/aaa/mod_auth.h Tue Jan 07 04:28:02 2003
@@ -67,6 +67,8 @@
#define AUTHN_PROVIDER_GROUP "authn"
#define AUTHN_DEFAULT_PROVIDER "file"
+
+#define AUTHZ_GROUP_NOTE "authz_group_note"
typedef enum {
AUTH_DENIED,
diff -Nur modules/aaa.orig/mod_authz_dbm.c modules/aaa/mod_authz_dbm.c
--- modules/aaa.orig/mod_authz_dbm.c Mon Jan 06 09:07:51 2003
+++ modules/aaa/mod_authz_dbm.c Tue Jan 07 13:33:10 2003
@@ -83,6 +83,8 @@
#include "http_protocol.h"
#include "http_request.h" /* for ap_hook_(check_user_id | auth_checker)*/
+#include "mod_auth.h"
+
typedef struct {
char *grpfile;
char *dbmtype;
@@ -195,9 +197,11 @@
require_line *reqs = reqs_arr ? (require_line *) reqs_arr->elts : NULL;
register int x;
const char *t;
- const char *orig_groups = NULL;
char *w;
int required_group = 0;
+ const char *filegroup = NULL;
+ const char *orig_groups = NULL;
+ char *reason = NULL;
if (!conf->grpfile) {
return DECLINED;
@@ -216,7 +220,19 @@
t = reqs[x].requirement;
w = ap_getword_white(r->pool, &t);
- if (!strcmp(w, "group")) {
+ if (!strcmp(w, "file-group")) {
+ filegroup = apr_table_get(r->notes, AUTHZ_GROUP_NOTE);
+
+ if (!filegroup) {
+ /* mod_authz_owner is not present or not
+ * authoritative. We are just a helper module for testing
+ * group membership, so we don't care and decline.
+ */
+ continue;
+ }
+ }
+
+ if (!strcmp(w, "group") || filegroup) {
const char *realm = ap_auth_name(r);
const char *groups;
char *v;
@@ -241,46 +257,61 @@
}
if (groups == NULL) {
- if (!conf->authoritative) {
- return DECLINED;
- }
-
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "user %s not in DBM group file %s: %s",
- user, conf->grpfile, r->filename);
-
- ap_note_auth_failure(r);
- return HTTP_UNAUTHORIZED;
+ /* no groups available, so exit immediately */
+ reason = apr_psprintf(r->pool,
+ "user doesn't appear in DBM group "
+ "file (%s).", conf->grpfile);
+ break;
}
orig_groups = groups;
}
- while (t[0]) {
- w = ap_getword_white(r->pool, &t);
+ if (filegroup) {
groups = orig_groups;
while (groups[0]) {
v = ap_getword(r->pool, &groups, ',');
- if (!strcmp(v, w)) {
+ if (!strcmp(v, filegroup)) {
return OK;
}
}
+
+ if (conf->authoritative) {
+ reason = apr_psprintf(r->pool,
+ "file group '%s' does not match.",
+ filegroup);
+ break;
+ }
+
+ /* now forget the filegroup, thus alternatively require'd
+ groups get a real chance */
+ filegroup = NULL;
+ }
+ else {
+ while (t[0]) {
+ w = ap_getword_white(r->pool, &t);
+ groups = orig_groups;
+ while (groups[0]) {
+ v = ap_getword(r->pool, &groups, ',');
+ if (!strcmp(v, w)) {
+ return OK;
+ }
+ }
+ }
}
}
}
- /* no group requirement seen */
- if (!required_group) {
- return DECLINED;
- }
-
- if (!conf->authoritative) {
+ /* No applicable "require group" for this method seen */
+ if (!required_group || !conf->authoritative) {
return DECLINED;
}
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "user %s not in right group: %s",
- user, r->filename);
+ "Authorization of user %s to access %s failed, reason: %s",
+ r->user, r->uri,
+ reason ? reason : "user is not part of the "
+ "'require'ed group(s).");
ap_note_auth_failure(r);
return HTTP_UNAUTHORIZED;
@@ -288,7 +319,9 @@
static void register_hooks(apr_pool_t *p)
{
- ap_hook_auth_checker(dbm_check_auth, NULL, NULL, APR_HOOK_MIDDLE);
+ static const char * const aszPre[]={ "mod_authz_owner.c", NULL };
+
+ ap_hook_auth_checker(dbm_check_auth, aszPre, NULL, APR_HOOK_MIDDLE);
}
module AP_MODULE_DECLARE_DATA authz_dbm_module =
diff -Nur modules/aaa.orig/mod_authz_groupfile.c modules/aaa/mod_authz_groupfile.c
--- modules/aaa.orig/mod_authz_groupfile.c Mon Jan 06 07:52:48 2003
+++ modules/aaa/mod_authz_groupfile.c Tue Jan 07 13:30:49 2003
@@ -95,6 +95,8 @@
#include "http_protocol.h"
#include "http_request.h"
+#include "mod_auth.h"
+
typedef struct {
char *groupfile;
int authoritative;
@@ -186,12 +188,20 @@
char *user = r->user;
int m = r->method_number;
int required_group = 0;
- register int x,has_entries;
+ register int x;
const char *t, *w;
- apr_table_t *grpstatus;
+ apr_table_t *grpstatus = NULL;
const apr_array_header_t *reqs_arr = ap_requires(r);
require_line *reqs;
- apr_status_t status;
+ const char *filegroup = NULL;
+ char *reason = NULL;
+
+ /* If there is no group file - then we are not
+ * configured. So decline.
+ */
+ if (!(conf->groupfile)) {
+ return DECLINED;
+ }
if (!reqs_arr) {
return DECLINED; /* XXX change from legacy */
@@ -199,21 +209,6 @@
reqs = (require_line *)reqs_arr->elts;
- /* If there is no group file - then we are not
- * configured. So decline.
- */
- if (!(conf->groupfile))
- return DECLINED;
-
- if ((status = groups_for_user(r->pool, user, conf->groupfile,
- &grpstatus)) != APR_SUCCESS) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
- "Could not open group file: %s", conf->groupfile);
- return HTTP_INTERNAL_SERVER_ERROR;
- };
-
- has_entries = apr_table_elts(grpstatus)->nelts;
-
for (x = 0; x < reqs_arr->nelts; x++) {
if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
@@ -223,43 +218,92 @@
t = reqs[x].requirement;
w = ap_getword_white(r->pool, &t);
- if (!strcmp(w, "group")) {
- required_group = 1;
+ /* needs mod_authz_owner to be present */
+ if (!strcmp(w, "file-group")) {
+ filegroup = apr_table_get(r->notes, AUTHZ_GROUP_NOTE);
+
+ if (!filegroup) {
+ /* mod_authz_owner is not present or not
+ * authoritative. We are just a helper module for testing
+ * group membership, so we don't care and decline.
+ */
+ continue;
+ }
+ }
- if (!has_entries) {
- /* we will never match, so exit immediately */
- break;
+ if (!strcmp(w, "group") || filegroup) {
+ required_group = 1; /* remember the requirement */
+
+ /* create group table only if actually needed. */
+ if (!grpstatus) {
+ apr_status_t status;
+
+ status = groups_for_user(r->pool, user, conf->groupfile,
+ &grpstatus);
+
+ if (status != APR_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
+ "Could not open group file: %s",
+ conf->groupfile);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ if (apr_table_elts(grpstatus)->nelts == 0) {
+ /* no groups available, so exit immediately */
+ reason = apr_psprintf(r->pool,
+ "user doesn't appear in group file "
+ "(%s).", conf->groupfile);
+ break;
+ }
}
- while (t[0]) {
- w = ap_getword_conf(r->pool, &t);
- if (apr_table_get(grpstatus, w)) {
+ if (filegroup) {
+ if (apr_table_get(grpstatus, filegroup)) {
return OK;
}
+
+ if (conf->authoritative) {
+ reason = apr_psprintf(r->pool,
+ "file group '%s' does not match.",
+ filegroup);
+ break;
+ }
+
+ /* now forget the filegroup, thus alternatively require'd
+ groups get a real chance */
+ filegroup = NULL;
+ }
+ else {
+ while (t[0]) {
+ w = ap_getword_conf(r->pool, &t);
+ if (apr_table_get(grpstatus, w)) {
+ return OK;
+ }
+ }
}
}
}
- /* No applicable "requires group" for this method seen */
- if (!required_group) {
- return DECLINED;
- }
-
- if (!(conf->authoritative)) {
+ /* No applicable "require group" for this method seen */
+ if (!required_group || !conf->authoritative) {
return DECLINED;
}
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "access to %s failed, reason: user %s not part of the "
- "'require'ed group(s).", r->uri, user);
-
+ "Authorization of user %s to access %s failed, reason: %s",
+ r->user, r->uri,
+ reason ? reason : "user is not part of the "
+ "'require'ed group(s).");
+
ap_note_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
static void register_hooks(apr_pool_t *p)
{
- ap_hook_auth_checker(check_user_access,NULL,NULL,APR_HOOK_MIDDLE);
+ static const char * const aszPre[]={ "mod_authz_owner.c", NULL };
+
+ ap_hook_auth_checker(check_user_access, aszPre, NULL, APR_HOOK_MIDDLE);
}
module AP_MODULE_DECLARE_DATA authz_groupfile_module =
diff -Nur modules/aaa.orig/mod_authz_owner.c modules/aaa/mod_authz_owner.c
--- modules/aaa.orig/mod_authz_owner.c Thu Jan 01 01:00:00 1970
+++ modules/aaa/mod_authz_owner.c Tue Jan 07 14:32:28 2003
@@ -0,0 +1,295 @@
+/* ====================================================================
+ * The Apache Software License, Version 1.1
+ *
+ * Copyright (c) 2000-2002 The Apache Software Foundation. All rights
+ * reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. The end-user documentation included with the redistribution,
+ * if any, must include the following acknowledgment:
+ * "This product includes software developed by the
+ * Apache Software Foundation (http://www.apache.org/)."
+ * Alternately, this acknowledgment may appear in the software itself,
+ * if and wherever such third-party acknowledgments normally appear.
+ *
+ * 4. The names "Apache" and "Apache Software Foundation" must
+ * not be used to endorse or promote products derived from this
+ * software without prior written permission. For written
+ * permission, please contact [EMAIL PROTECTED]
+ *
+ * 5. Products derived from this software may not be called "Apache",
+ * nor may "Apache" appear in their name, without prior written
+ * permission of the Apache Software Foundation.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation. For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ * Portions of this software are based upon public domain software
+ * originally written at the National Center for Supercomputing Applications,
+ * University of Illinois, Urbana-Champaign.
+ */
+
+/*
+ * http_auth: authentication
+ *
+ * Rob McCool
+ *
+ * Adapted to Apache by rst.
+ *
+ * dirkx - Added Authoritative control to allow passing on to lower
+ * modules if and only if the userid is not known to this
+ * module. A known user with a faulty or absent password still
+ * causes an AuthRequired. The default is 'Authoritative', i.e.
+ * no control is passed along.
+ */
+
+#include "apr_strings.h"
+#include "apr_file_info.h"
+#include "apr_user.h"
+
+#include "ap_config.h"
+#include "httpd.h"
+#include "http_config.h"
+#include "http_core.h"
+#include "http_log.h"
+#include "http_protocol.h"
+#include "http_request.h"
+
+#include "mod_auth.h"
+
+typedef struct {
+ int authoritative;
+} authz_owner_config_rec;
+
+static void *create_authz_owner_dir_config(apr_pool_t *p, char *d)
+{
+ authz_owner_config_rec *conf = apr_palloc(p, sizeof(*conf));
+
+ conf->authoritative = 1; /* keep the fortress secure by default */
+ return conf;
+}
+
+static const command_rec authz_owner_cmds[] =
+{
+ AP_INIT_FLAG("AuthzOwnerAuthoritative", ap_set_flag_slot,
+ (void *)APR_OFFSETOF(authz_owner_config_rec, authoritative),
+ OR_AUTHCFG,
+ "Set to 'Off' to allow access control to be passed along to "
+ "lower modules. (default is On.)"),
+ {NULL}
+};
+
+module AP_MODULE_DECLARE_DATA authz_owner_module;
+
+static int check_file_owner(request_rec *r)
+{
+ authz_owner_config_rec *conf = ap_get_module_config(r->per_dir_config,
+ &authz_owner_module);
+ int m = r->method_number;
+ register int x;
+ const char *t, *w;
+ const apr_array_header_t *reqs_arr = ap_requires(r);
+ require_line *reqs;
+ int required_owner = 0;
+ apr_status_t status = 0;
+ char *reason = NULL;
+
+ if (!reqs_arr) {
+ return DECLINED;
+ }
+
+ reqs = (require_line *)reqs_arr->elts;
+ for (x = 0; x < reqs_arr->nelts; x++) {
+
+ /* if authoritative = On then break if a require already failed. */
+ if (reason && conf->authoritative) {
+ break;
+ }
+
+ if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) {
+ continue;
+ }
+
+ t = reqs[x].requirement;
+ w = ap_getword_white(r->pool, &t);
+
+ if (!strcmp(w, "file-owner")) {
+#if !APR_HAS_USER
+ if ((required_owner & ~1) && conf->authoritative) {
+ break;
+ }
+
+ required_owner |= 1; /* remember the requirement */
+ reason = "'Require file-owner' is not supported on this platform.";
+ continue;
+#else /* APR_HAS_USER */
+ char *owner = NULL;
+ apr_finfo_t finfo;
+
+ if ((required_owner & ~1) && conf->authoritative) {
+ break;
+ }
+
+ required_owner |= 1; /* remember the requirement */
+
+ if (!r->filename) {
+ reason = "no filename available";
+ continue;
+ }
+
+ status = apr_stat(&finfo, r->filename, APR_FINFO_USER, r->pool);
+ if (status != APR_SUCCESS) {
+ reason = apr_pstrcat(r->pool, "could not stat file ",
+ r->filename, NULL);
+ continue;
+ }
+
+ if (!(finfo.valid & APR_FINFO_USER)) {
+ reason = "no file owner information available";
+ continue;
+ }
+
+ status = apr_uid_name_get(&owner, finfo.user, r->pool);
+ if (status != APR_SUCCESS || !owner) {
+ reason = "could not get name of file owner";
+ continue;
+ }
+
+ if (strcmp(owner, r->user)) {
+ reason = apr_psprintf(r->pool, "file owner %s does not match.",
+ owner);
+ continue;
+ }
+
+ /* this user is authorized */
+ return OK;
+#endif /* APR_HAS_USER */
+ }
+
+ /* file-group only figures out the file's group and lets
+ * other modules do the actual authorization (against a group file/db).
+ * Thus, these modules have to hook themselves after
+ * mod_authz_owner and of course recognize 'file-group', too.
+ */
+ if (!strcmp(w, "file-group")) {
+#if !APR_HAS_USER
+ if ((required_owner & ~6) && conf->authoritative) {
+ break;
+ }
+
+ required_owner |= 2; /* remember the requirement */
+ reason = "'Require file-group' is not supported on this platform.";
+ continue;
+#else /* APR_HAS_USER */
+ char *group = NULL;
+ apr_finfo_t finfo;
+
+ if ((required_owner & ~6) && conf->authoritative) {
+ break;
+ }
+
+ required_owner |= 2; /* remember the requirement */
+
+ if (!r->filename) {
+ reason = "no filename available";
+ continue;
+ }
+
+ status = apr_stat(&finfo, r->filename, APR_FINFO_GROUP, r->pool);
+ if (status != APR_SUCCESS) {
+ reason = apr_pstrcat(r->pool, "could not stat file ",
+ r->filename, NULL);
+ continue;
+ }
+
+ if (!(finfo.valid & APR_FINFO_GROUP)) {
+ reason = "no file group information available";
+ continue;
+ }
+
+ status = apr_gid_name_get(&group, finfo.group, r->pool);
+ if (status != APR_SUCCESS || !group) {
+ reason = "could not get name of file group";
+ continue;
+ }
+
+ /* store group name in a note and let others decide... */
+ apr_table_setn(r->notes, AUTHZ_GROUP_NOTE, group);
+ required_owner |= 4;
+ continue;
+#endif /* APR_HAS_USER */
+ }
+ }
+
+ if (!required_owner || !conf->authoritative) {
+ return DECLINED;
+ }
+
+ /* allow file-group passed to group db modules either if this is the
+ * only applicable requirement here or if a file-owner failed but we're
+ * not authoritative.
+ * This allows configurations like:
+ *
+ * AuthzOwnerAuthoritative Off
+ * require file-owner
+ * require file-group
+ *
+ * with the semantical meaning of "either owner or group must match"
+ * (inclusive or)
+ *
+ * [ 6 == 2 | 4; 7 == 1 | 2 | 4 ] should I use #defines instead?
+ */
+ if (required_owner == 6 || (required_owner == 7 && !conf->authoritative)) {
+ return DECLINED;
+ }
+
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
+ "Authorization of user %s to access %s failed, reason: %s",
+ r->user, r->uri, reason ? reason : "unknown");
+
+ ap_note_auth_failure(r);
+ return HTTP_UNAUTHORIZED;
+}
+
+static void register_hooks(apr_pool_t *p)
+{
+ ap_hook_auth_checker(check_file_owner, NULL, NULL, APR_HOOK_MIDDLE);
+}
+
+module AP_MODULE_DECLARE_DATA authz_owner_module =
+{
+ STANDARD20_MODULE_STUFF,
+ create_authz_owner_dir_config, /* dir config creater */
+ NULL, /* dir merger --- default is to override */
+ NULL, /* server config */
+ NULL, /* merge server config */
+ authz_owner_cmds, /* command apr_table_t */
+ register_hooks /* register hooks */
+};
