httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dirk.vanGulik" <Dirk.vanGu...@jrc.it>
Subject Re: documentation/658:
Date Tue, 03 Jun 1997 08:35:18 GMT

> Synopsis: One doc error and one clarification for mod_auth_anon
> 
> State-Changed-From->To: open->feedback
> State-Changed-By: coar
> State-Changed-When: Mon Jun  2 12:22:10 PDT 1997
> State-Changed-Why:
> The first item (Anonymous_NoUserID) will be corrected
> shortly.  As for the second.. AuthUserFile isn't a
> directive supplied by mod_auth_anon.  Do you mean that
> mod_auth_anon's documentation needs to mention that an
> AuthUserFile must exist for the location in order for
> mod_auth_anon to work?

Nay, I think the trouble is this; as we now have the option
to make authorization modules pass the buck(et) around, by
making them non-authoritative, it is easily possible to
configure a server to pass down all the way to 

http_request.c:         decl_die (access_status, "check user.  No user file?", r);

Judging from the number of reports I get on mod_anon and mod_msql, I 
guess that about equal number of people uses these modules with fall-trhough
and without. The latter onces usually get confused by the error message.

I guess one could do a few things about it.

	1. Mention it in the doc(s) that at least one
	   correctly configured auth module needs to be authoritative
	2. Make teh fall through error msg in http_request a bit more
	   elaborate, see below.
	3. Consider how we could change some of this into a 500/server error
	4. Modify the config-checks to check that they have an auth configuration
	   which always leads to at least one configured authoritative module.
	   (But that implies adding a function to the API).

Just my early morning ramble.

Dw.


$diff -c3 http_request.c http_request.c.org
*** http_request.c      Tue Jun  3 10:30:14 1997
--- http_request.c.org  Tue Jun  3 10:25:22 1997
***************
*** 871,886 ****
      switch (satisfies(r)) {
      case SATISFY_ALL:
        if ((access_status = check_access (r)) != 0) {
!           decl_die (access_status, "Check configured Access Permissions. Credential specification
might be missing.", r);
            return;
        }
        if (some_auth_required (r)) {
            if ((access_status = check_user_id (r)) != 0) {
!               decl_die (access_status, "Check Configured User Access.  No authoritative
auth module or file? Credential specification for the UserID might be missing.", r);
                return;
            }
            if ((access_status = check_auth (r)) != 0) {
!               decl_die (access_status, "Check Configured Group Access.  No authoritative
auth module or file? Credential specification for the Group(s) might be missing.", r);
                return;
            }
        }
--- 871,886 ----
      switch (satisfies(r)) {
      case SATISFY_ALL:
        if ((access_status = check_access (r)) != 0) {
!           decl_die (access_status, "check access", r);
            return;
        }
        if (some_auth_required (r)) {
            if ((access_status = check_user_id (r)) != 0) {
!               decl_die (access_status, "check user.  No user file?", r);
                return;
            }
            if ((access_status = check_auth (r)) != 0) {
!               decl_die (access_status, "check access.  No groups file?", r);
                return;
            }
        }
***************
*** 888,902 ****
      case SATISFY_ANY:
        if ((access_status = check_access (r)) != 0) {
            if (!some_auth_required (r)) {
!               decl_die (access_status, "Check Configured Access Permissions, Credential
specification might be missing.", r);
                return;
            }
            if ((access_status = check_user_id (r)) != 0) {
!               decl_die (access_status, "Check Configured User Access.  No authoritative
auth module or file? Credential specification for the UserID might be missing.", r);
                return;
            }
            if ((access_status = check_auth (r)) != 0) {
!               decl_die (access_status, "Check Configured Group Access.  No authoritative
auth module or file? Credential specification for the Group(s) might be missing.", r);
                return;
            }
        }
--- 888,902 ----
      case SATISFY_ANY:
        if ((access_status = check_access (r)) != 0) {
            if (!some_auth_required (r)) {
!               decl_die (access_status, "check access", r);
                return;
            }
            if ((access_status = check_user_id (r)) != 0) {
!               decl_die (access_status, "check user.  No user file?", r);
                return;
            }
            if ((access_status = check_auth (r)) != 0) {
!               decl_die (access_status, "check access.  No groups file?", r);
                return;
            }
        }
dirkx.elect6:src $diff -c3 http_request.c http_request.c.org
*** http_request.c      Tue Jun  3 10:30:14 1997
--- http_request.c.org  Tue Jun  3 10:25:22 1997
***************
*** 871,886 ****
      switch (satisfies(r)) {
      case SATISFY_ALL:
        if ((access_status = check_access (r)) != 0) {
!           decl_die (access_status, "Check configured Access Permissions. Credential specification
might be missing.", r);
            return;
        }
        if (some_auth_required (r)) {
            if ((access_status = check_user_id (r)) != 0) {
!               decl_die (access_status, "Check Configured User Access.  No authoritative
auth module or file? Credential specification for the UserID might be missing.", r);
                return;
            }
            if ((access_status = check_auth (r)) != 0) {
!               decl_die (access_status, "Check Configured Group Access.  No authoritative
auth module or file? Credential specification for the Group(s) might be missing.", r);
                return;
            }
        }
--- 871,886 ----
      switch (satisfies(r)) {
      case SATISFY_ALL:
        if ((access_status = check_access (r)) != 0) {
!           decl_die (access_status, "check access", r);
            return;
        }
        if (some_auth_required (r)) {
            if ((access_status = check_user_id (r)) != 0) {
!               decl_die (access_status, "check user.  No user file?", r);
                return;
            }
            if ((access_status = check_auth (r)) != 0) {
!               decl_die (access_status, "check access.  No groups file?", r);
                return;
            }
        }
***************
*** 888,902 ****
      case SATISFY_ANY:
        if ((access_status = check_access (r)) != 0) {
            if (!some_auth_required (r)) {
!               decl_die (access_status, "Check Configured Access Permissions, Credential
specification might be missing.", r);
                return;
            }
            if ((access_status = check_user_id (r)) != 0) {
!               decl_die (access_status, "Check Configured User Access.  No authoritative
auth module or file? Credential specification for the UserID might be missing.", r);
                return;
            }
            if ((access_status = check_auth (r)) != 0) {
!               decl_die (access_status, "Check Configured Group Access.  No authoritative
auth module or file? Credential specification for the Group(s) might be missing.", r);
                return;
            }
        }
--- 888,902 ----
      case SATISFY_ANY:
        if ((access_status = check_access (r)) != 0) {
            if (!some_auth_required (r)) {
!               decl_die (access_status, "check access", r);
                return;
            }
            if ((access_status = check_user_id (r)) != 0) {
!               decl_die (access_status, "check user.  No user file?", r);
                return;
            }
            if ((access_status = check_auth (r)) != 0) {
!               decl_die (access_status, "check access.  No groups file?", r);
                return;
            }
        }

Mime
View raw message