httpd-dev mailing list archives
From Chris Darroch <chr...@pearsoncmg.com>
Subject Re: 2.4 (Was: Re: Configuration Issues to Address [was Re: Dynamic configuration for the hackathon?])
Date Fri, 04 Apr 2008 17:37:30 GMT
William A. Rowe, Jr. wrote:

>>   I've been working with the 2.4 authn/z stuff a bit lately and
>> what I keep tripping over is that the default authorization merge rule
>> uses OR logic.  For example, if I enable mod_access_compat and
>> put in a traditional:
> 
> I wonder if anyone would offer a fastfeather talk next week on wed or
> thurs - it's only 15 minutes - to introduce what's upcoming in 2.4?

   I won't be there, but here's a recap of the issue for discussion.
(Caveat: I may be missing something important!)

   With 2.2 and prior versions, one can do something like:

<Directory /htdocs>
    Require valid-user
</Directory>
<Directory /htdocs/admin>
    Require user admin
</Directory>

   The logic which is then applied is:

1) For all requests under /htdocs, except those under /htdocs/admin,
   require any valid user.
2) For all requests under /htdocs/admin, require the "admin" user.

   With 2.4, unless I'm missing something, the same configuration
produces the logic:

1) For all requests under /htdocs, except those under /htdocs/admin,
   require any valid user.
2) For all requests under /htdocs/admin, require any valid user OR
   require the user "admin".  Of course this grants any valid user access.

   To get the old behaviour, you seem to need to add
"AuthzMergeRules Off" to the second <Directory>.  I just tested
versions of this configuration with 2.2 and 2.4 and I think I'm
describing the situation correctly.  Assuming I am, I fear this
will surprise a lot of people who think they've secured their
systems after upgrading.  It certainly caught me short.

   Perhaps the default AuthzMergeRules setting should be Off rather
than On, at least when merging across configuration blocks?

Chris.

-- 
GPG Key ID: 366A375B
GPG Key Fingerprint: 485E 5041 17E1 E2BB C263  E4DE C8E3 FA36 366A 375B
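The following is an added illustration, not part of Chris's message or of the httpd project's own documentation. It puts the configuration from the message side by side with the form the message says restores the 2.2 behaviour, so the two can be compared and tested. It assumes the 2.4 development snapshot the message tested, where the merge-control directive is spelled AuthzMergeRules; the AuthType, AuthName and AuthUserFile lines (and the /etc/httpd/users path) are added only so the fragment is complete enough to load, and are hypothetical.

```apache
# Parent block: any authenticated user may read /htdocs.
<Directory /htdocs>
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /etc/httpd/users      # hypothetical path, added for completeness
    Require valid-user
</Directory>

# Nested block, version A: the 2.2-style configuration from the message.
# In the 2.4 snapshot described above the parent's "Require valid-user"
# is merged into this block with OR, so any valid user reaches /htdocs/admin.
<Directory /htdocs/admin>
    Require user admin
</Directory>

# Nested block, version B: the workaround the message describes.
# Merging of the parent's authorization rules is switched off, so only
# the user "admin" satisfies this block. Use either A or B, not both.
#<Directory /htdocs/admin>
#    AuthzMergeRules Off
#    Require user admin
#</Directory>
```

A quick way to confirm which behaviour a given build has is to create two valid users in the password file, "admin" and one other, and request something under /htdocs/admin/ as the non-admin user (for example with curl -u). With version A on a build that merges with OR, the request is served; with version B, or on a build whose default matches 2.2, the non-admin user is denied. Testing with the non-admin user, not with "admin", is the check that matters, since "admin" is allowed under both readings.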