httpd-dev mailing list archives

From "Brad Nicholes" <BNICHO...@novell.com>
Subject AuthzMergeRules directive (was:Re: 2.4)
Date Fri, 04 Apr 2008 21:22:38 GMT
>>> On 4/4/2008 at 11:37 AM, in message <47F6675A.2050105@pearsoncmg.com>, Chris
Darroch <chrisd@pearsoncmg.com> wrote:
> William A. Rowe, Jr. wrote:
> 
>>>   I've been working with the 2.4 authn/z stuff a bit lately and
>>> what I keep tripping over is that the default authorization merge rule
>>> uses OR logic.  For example, if I enable mod_access_compat and
>>> put in a traditional:
>> 
>> I wonder if anyone would offer a fastfeather talk next week on wed or
>> thurs - it's only 15 minutes - to introduce what's upcoming in 2.4?
> 
>    I won't be there, but here's a recap of the issue for discussion.
> (Caveat: I may be missing something important!)
> 
>    With 2.2 and prior versions, one can do something like:
> 
> <Directory /htdocs>
>     Require valid-user
> </Directory>
> <Directory /htdocs/admin>
>     Require user admin
> </Directory>
> 
>    The logic which is then applied is:
> 
> 1) For all requests under /htdocs, except those under /htdocs/admin,
>    require any valid user.
> 2) For all requests under /htdocs/admin, require the "admin" user.
> 
>    With 2.4, unless I'm missing something, the same configuration
> produces the logic:
> 
> 1) For all requests under /htdocs, except those under /htdocs/admin,
>    require any valid user.
> 2) For all requests under /htdocs/admin, require any valid user OR
>    require the user "admin".  Of course this grants any valid user access.
> 
>    To get the old behaviour, you seem to need to add
> "AuthzMergeRules Off" to the second <Directory>.  I just tested
> versions of this configuration with 2.2 and 2.4 and I think I'm
> describing the situation correctly.  Assuming I am, I fear this
> will surprise a lot of people who think they've secured their
> systems after upgrading.  It certainly caught me short.
> 
>    Perhaps the default AuthzMergeRules setting should be Off rather
> than On, at least when merging across configuration blocks?
> 

So here was the thinking behind it when AuthzMergeRules was introduced.  Maybe there is still
a bug here that needs to be addressed.

http://mail-archives.apache.org/mod_mbox/httpd-dev/200607.mbox/%3c44C4E0FA.8060205@apache.org%3e
http://mail-archives.apache.org/mod_mbox/httpd-dev/200607.mbox/%3c44CA3C33.6720.00AC.0@novell.com%3e

Brad
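Added here as an illustration, not code from httpd or from anyone in this thread: a small Python model of the two merge behaviours Chris describes, driven by his own two-<Directory> configuration. The section paths, usernames and request paths are constructed sample values; "2.2" models a child's Require rules replacing inherited ones, "2.4" models the OR merge of the 2.4 development tree at the time, with AuthzMergeRules Off modelled as falling back to replacement.

```python
from dataclasses import dataclass

@dataclass
class Section:
    """One <Directory> block: its path, its Require rules, and the
    AuthzMergeRules setting the thread discusses (True = On)."""
    path: str
    requires: list
    merge: bool = True

def rule_matches(rule: str, user) -> bool:
    # Only the two Require forms used in the thread are modelled.
    kind, _, arg = rule.partition(" ")
    if kind == "valid-user":
        return user is not None
    if kind == "user":
        return user is not None and user in arg.split()
    raise ValueError(f"unsupported Require rule: {rule}")

def applicable_sections(sections, req_path):
    # httpd applies matching <Directory> sections shortest path first,
    # so the most specific block is merged last.
    hits = [s for s in sections
            if req_path == s.path or req_path.startswith(s.path.rstrip("/") + "/")]
    return sorted(hits, key=lambda s: len(s.path))

def authorized(sections, req_path, user, version="2.4"):
    """True if `user` (None = anonymous) may reach `req_path`.
    version="2.2": a child's Require rules replace inherited ones.
    version="2.4": inherited rules are OR-ed with the child's unless the
    child sets AuthzMergeRules Off (the behaviour the thread reports)."""
    effective = []
    for s in applicable_sections(sections, req_path):
        if not s.requires:
            continue                             # no Require here: inherit
        if version == "2.4" and s.merge:
            effective = effective + s.requires   # OR merge
        else:
            effective = list(s.requires)         # replace
    return not effective or any(rule_matches(r, user) for r in effective)

# Constructed sample configuration matching the thread's example.
THREAD_SECTIONS = [Section("/htdocs", ["valid-user"]),
                   Section("/htdocs/admin", ["user admin"])]
# The same configuration with "AuthzMergeRules Off" in the admin block.
FIXED_SECTIONS = [Section("/htdocs", ["valid-user"]),
                  Section("/htdocs/admin", ["user admin"], merge=False)]

if __name__ == "__main__":
    req = "/htdocs/admin/index.html"
    print("2.2 bob ->", authorized(THREAD_SECTIONS, req, "bob", "2.2"))
    print("2.4 bob ->", authorized(THREAD_SECTIONS, req, "bob", "2.4"))
    print("2.4+Off bob ->", authorized(FIXED_SECTIONS, req, "bob", "2.4"))
```

Under "2.4" any valid user reaches the admin directory, which is exactly the surprise the message warns about; setting the admin block to merge=False restores the "2.2" result.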