httpd-dev mailing list archives

From "Paul J. Reder" <rede...@remulak.net>
Subject Re: AuthzMergeRules directive
Date Fri, 04 Apr 2008 23:43:50 GMT
Perhaps it would make more sense to provide this as an explicit value rather than
On vs. Off and set the default to the previous behavior. Perhaps something like:

AuthzMergeRules [AND | OR | OVERRIDE] with default being OVERRIDE (if I grok correctly)

Meaning that any directives specified at only one level would be merged to lower
levels, but the merge behavior of directives specified at multiple levels would
be controlled by this directive (i.e. ANDed, ORed, or OVERRIDEn with levels above
it). This could result in complex logic if subsequent levels of containers mixed
AND, OR, and OVERRIDE, but if it was designed to be explicit then the user would
have specific control over each authbit along the way.

Paul J. Reder

Brad Nicholes wrote:
>>>> On 4/4/2008 at 11:37 AM, in message <47F6675A.2050105@pearsoncmg.com>, Chris
> Darroch <chrisd@pearsoncmg.com> wrote:
>> William A. Rowe, Jr. wrote:
>>
>>>>   I've been working with the 2.4 authn/z stuff a bit lately and
>>>> what I keep tripping over is that the default authorization merge rule
>>>> uses OR logic.  For example, if I enable mod_access_compat and
>>>> put in a traditional:
>>> I wonder if anyone would offer a fastfeather talk next week on wed or
>>> thurs - it's only 15 minutes - to introduce what's upcoming in 2.4?
>>    I won't be there, but here's a recap of the issue for discussion.
>> (Caveat: I may be missing something important!)
>>
>>    With 2.2 and prior versions, one can do something like:
>>
>> <Directory /htdocs>
>>     Require valid-user
>> </Directory>
>> <Directory /htdocs/admin>
>>     Require user admin
>> </Directory>
>>
>>    The logic which is then applied is:
>>
>> 1) For all requests under /htdocs, except those under /htdocs/admin,
>>    require any valid user.
>> 2) For all requests under /htdocs/admin, require the "admin" user.
>>
>>    With 2.4, unless I'm missing something, the same configuration
>> produces the logic:
>>
>> 1) For all requests under /htdocs, except those under /htdocs/admin,
>>    require any valid user.
>> 2) For all requests under /htdocs/admin, require any valid user OR
>>    require the user "admin".  Of course this grants any valid user access.
>>
>>    To get the old behaviour, you seem to need to add
>> "AuthzMergeRules Off" to the second <Directory>.  I just tested
>> versions of this configuration with 2.2 and 2.4 and I think I'm
>> describing the situation correctly.  Assuming I am, I fear this
>> will surprise a lot of people who think they've secured their
>> systems after upgrading.  It certainly caught me short.
>>
>>    Perhaps the default AuthzMergeRules setting should be Off rather
>> than On, at least when merging across configuration blocks?
>>
> 
> So here was the thinking behind it when AuthzMergeRules was introduced.  Maybe there
> is still a bug here that needs to be addressed.
> 
> http://mail-archives.apache.org/mod_mbox/httpd-dev/200607.mbox/%3c44C4E0FA.8060205@apache.org%3e
> http://mail-archives.apache.org/mod_mbox/httpd-dev/200607.mbox/%3c44CA3C33.6720.00AC.0@novell.com%3e
> 
> Brad
> 

-- 
Paul J. Reder
-----------------------------------------------------------
"The strength of the Constitution lies entirely in the determination of each
citizen to defend it.  Only if every single citizen feels duty bound to do
his share in this defense are the constitutional rights secure."
-- Albert Einstein
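As an added illustration (not code from this thread or from httpd itself), the following Python model applies the three merge modes Paul proposes (AND, OR, OVERRIDE) to Chris's two-container example. The container list, the user names and the per-level evaluation are constructed assumptions for the model, not httpd's actual implementation; they exist only to make the "any valid user gets /htdocs/admin" surprise visible.

```python
# Toy model of how per-container Require rules could be merged.
# Constructed for illustration; this is NOT httpd's authz code.
from typing import Callable, List, Optional, Tuple

# A Require rule is a predicate on the authenticated user (None = anonymous).
Rule = Callable[[Optional[str]], bool]

def valid_user(user: Optional[str]) -> bool:
    return user is not None

def user_is(name: str) -> Rule:
    return lambda user: user == name

# The two <Directory> blocks from Chris Darroch's example, outermost first.
# (Constructed data mirroring the thread, not a parsed httpd.conf.)
CONTAINERS: List[Tuple[str, List[Rule]]] = [
    ("/htdocs", [valid_user]),            # Require valid-user
    ("/htdocs/admin", [user_is("admin")]),  # Require user admin
]

def level_allows(rules: List[Rule], user: Optional[str]) -> bool:
    # Within a single container, any satisfied Require grants access.
    return any(rule(user) for rule in rules)

def authorize(path: str, user: Optional[str], merge: str = "OR") -> bool:
    """True if `user` may access `path` under the given merge mode.

    OR       : request passes if ANY applicable level passes (the 2.4 default
               the thread complains about: /htdocs/admin opens to any valid user).
    AND      : request passes only if EVERY applicable level passes.
    OVERRIDE : only the most specific container carrying rules decides
               (the 2.2 behaviour, i.e. AuthzMergeRules Off).
    """
    applicable = sorted(
        (rules for prefix, rules in CONTAINERS
         if path == prefix or path.startswith(prefix.rstrip("/") + "/")),
        key=len)  # placeholder ordering; real sort key below
    applicable = [rules for prefix, rules in sorted(CONTAINERS, key=lambda c: len(c[0]))
                  if path == prefix or path.startswith(prefix.rstrip("/") + "/")]
    if not applicable:
        return False  # no authz configured for this path: deny (model assumption)
    results = [level_allows(rules, user) for rules in applicable]
    if merge == "OR":
        return any(results)
    if merge == "AND":
        return all(results)
    if merge == "OVERRIDE":
        return results[-1]  # innermost container wins
    raise ValueError(f"unknown merge mode {merge!r}")
```

Under OR, a plain valid user such as "bob" is admitted to /htdocs/admin/ because the outer level's Require valid-user already passes; under OVERRIDE (and AND) only "admin" gets through, which is the 2.2 result the thread expects.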