httpd-dev mailing list archives

From Scott MacKay <>
Subject mod_auth.c alteration : optional strict valid-user
Date Fri, 17 May 2002 11:37:24 GMT
Please excuse the verbosity...

Request: mod_auth augmentation
Apache Version: 1.3.22 (changes can be made to other revs too)
Files affected: src/modules/standard/mod_auth.c
Structures affected: auth_config_struct
Routines affected: groups_for_user(), check_user_access(),
create_auth_dir_config()
Flags added: AuthForceGroup (boolean)
Security: normal if the flag is not specified; tightens
'valid-user' if specified.

I would like to propose an augmentation to the
mod_auth.c module.
This would help restrict the allowances of the
'valid-user' user when a group file is specified. The
design would allow higher-level non-authoritative
modules to more easily use 'valid-user' when they
authenticate against a broad authentication service and
want a local group file to refine control. Of key note
would be services which auto-generate access
control files.

The need for this augmentation stems from the FrontPage
module (yes, I use it...sad) coupled with the
auth_ldap module to provide LDAP authentication of
users in FrontPage. While the need originated from
this arrangement, I believe it can serve a useful
purpose whenever you authenticate through a high-level
module and pass group authentication down to mod_auth.
A key reason for this arrangement would be if you
used a company-provided authentication scheme (like
LDAP) but cannot create/control groups. An easy
method of control would be to use LDAP for user
authentication and then pass group authentication down
to mod_auth, using group files which you can control.

The normal FrontPage module builds .htaccess files
with mod_auth-based authentication, generating one or
more sets of password and group files for the web and
subwebs. In the group file, it provides separate
groups for the different classifications of users, such
as editors and administrators.
When coupled with the auth_ldap module from, you can
manipulate the generated .htaccess files to cause
authentication for the users to hit against an LDAP
database. Part of the implementation is to make the
LDAP 'non-authoritative' so group access control is
passed down to mod_auth, using the generated group
files from FrontPage. The problem arises when you want
to prevent a web site from being browseable by general
users. FrontPage provides this protection by setting
the .htaccess file to allow access to 'valid-user'.
In the normal scheme, this means the user must exist
in the user file. When you use a higher-level
authentication such as LDAP, a large user base can
authenticate, even though the intent is to only allow
users within the group list.
Yeah, it is more of a FrontPage issue (they should use
a 'require group' with their group lists).
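As an added illustration (constructed here, not part of the post or of FrontPage's generated files), here is an .htaccess for a subweb in the arrangement described above, showing the broad 'valid-user' requirement beside the two tightened forms: the existing 'require group' and the AuthForceGroup flag proposed further down. The auth_ldap directive names AuthLDAPURL and AuthLDAPAuthoritative, the host ldap.example.com, the file path and the user names are assumptions.

```apache
# Constructed example: .htaccess for a FrontPage subweb whose users are
# authenticated by auth_ldap and whose group membership is checked by
# mod_auth against the FrontPage-generated group file.
AuthType Basic
AuthName "Project subweb"

# The generated AuthUserFile line is replaced by the LDAP directives
# (names assumed from the auth_ldap module; host is a placeholder).
AuthLDAPURL ldap://ldap.example.com/ou=people,dc=example,dc=com?uid
# Non-authoritative: a user accepted by auth_ldap is still handed down
# to mod_auth for the group checks below.
AuthLDAPAuthoritative off

# FrontPage-style group file (path and members are constructed), e.g.:
#   administrators: alice
#   editors: bob carol
AuthGroupFile /var/www/subweb/.htgroup

# WEAK: every account in the directory satisfies 'valid-user', so the
# whole LDAP user base can browse the subweb, not just the listed users.
#require valid-user

# Option A (stock mod_auth): name the FrontPage groups explicitly.
require group administrators editors

# Option B (with the AuthForceGroup flag proposed in this post): keep the
# generated 'valid-user' line but require membership in some group of
# AuthGroupFile. Per the proposal, the flag has no effect when no
# AuthGroupFile is set, so the weak behaviour returns if that line is lost.
#AuthForceGroup on
#require valid-user
```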

The proposal would add a new flag to the mod_auth
module. This would indicate that if the user is
indicated as being 'valid-user' and a group file is
specified, then the user must be a valid user in any
of the groups specified in the group file. This change
only tightens security as it further restricts
'valid-user' and only does so when the new flag is set.
mod_auth.c would require the following changes, I
believe...
Sorry it is in generic-o diff format. I can re-post
it in a better form if there is any merit to this.

diff mod_auth.c mod_auth_proposed.c
>  * smackay/2002 - Added adjustment to keyword
>  *         new key AuthForceGroup : valid-user must
belong in a group, if a group 
>  *         file is specified.  This allows higher
modules who are not
>  *         authoritative and use 'valid-user' to
consult the AuthGroupFile.
>  *         The only exception is if there are no
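Review bot: the header comment is cut off after "The only exception is if there are no", so the exception is never stated; spell it out to match the directive help text further down ("If no group file is specified, this has no effect."), and also say what happens when the forced check does not pass (the new branch in check_user_access() simply does not return OK for 'valid-user'), since that is the behaviour an administrator enabling AuthForceGroup needs to know.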
>     int auth_forcegroup;   /* requires user to be in
a group  for 'valid-user' */
>     sec->auth_forcegroup = 0;   /* smackay : normal
valid-user by default */
> /* smackay : Added AuthForceGroup : requires user to
be in a group */
>     {"AuthForceGroup", ap_set_flag_slot,
>      (void *) XtOffsetOf(auth_config_rec,
>      "Set to 'on' to force a 'valid-user' user to
exist in the "
>      "group file, if specified.  If no group file is
specified, this has no effect."},
>     char in_group;   /* Indicator if we are defined
in at least 1 group */
>     in_group=0; /* smackay : Set to false by default
>               in_group=1;
>     /* If we are not in at least 1 group, return a
NULL. */
>     if (! in_group)
>         return NULL;
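Review bot: returning NULL from groups_for_user() when the user is in no group changes that routine for every caller, not only for the new AuthForceGroup check in check_user_access(); a 'require group' configuration that never sets the flag will now receive NULL for such a user, which contradicts the cover text's promise that the change "only does so when a new flag is set". Suggest leaving groups_for_user() and its in_group bookkeeping out, keeping the (possibly empty) table return, and testing for emptiness in the new valid-user branch instead, e.g. `if (grpstatus && !ap_is_empty_table(grpstatus)) return OK;`.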
<           return OK;
>           if (sec->auth_forcegroup &&
sec->auth_grpfile) { 
>               if (grpstatus) 
>                   return OK;
>           } else {
>               return OK;
>           }
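Review bot: when AuthForceGroup is on and grpstatus is NULL this branch neither returns nor logs anything, so a directory-wide account that is not in the local group file is turned away silently; since rejecting exactly those accounts is the purpose of the flag, an ap_log_rerror() call at the point where the forced check fails would make the rejections visible in the error log. Separately, the nested if/else can be written as one condition, `if (!(sec->auth_forcegroup && sec->auth_grpfile) || grpstatus) return OK;`, which makes it obvious that the original `return OK;` is untouched whenever the flag is off.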
