From: "Brad Nicholes"
Date: Fri, 04 Apr 2008 15:22:38 -0600
Subject: AuthzMergeRules directive (was:Re: 2.4)
Message-Id: <47F647BE.6720.00AC.0@novell.com>
In-Reply-To: <47F6675A.2050105@pearsoncmg.com>

>>> On 4/4/2008 at 11:37 AM, in message <47F6675A.2050105@pearsoncmg.com>, Chris Darroch wrote:
> William A. Rowe, Jr. wrote:
>
>>> I've been working with the 2.4 authn/z stuff a bit lately and
>>> what I keep tripping over is that the default authorization merge rule
>>> uses OR logic. For example, if I enable mod_access_compat and
>>> put in a traditional:
>>
>> I wonder if anyone would offer a fastfeather talk next week on wed or
>> thurs - it's only 15 minutes - to introduce what's upcoming in 2.4?
>
> I won't be there, but here's a recap of the issue for discussion.
> (Caveat: I may be missing something important!)
>
> With 2.2 and prior versions, one can do something like:
>
> <Directory /htdocs>
> Require valid-user
> </Directory>
> <Directory /htdocs/admin>
> Require user admin
> </Directory>
>
> The logic which is then applied is:
>
> 1) For all requests under /htdocs, except those under /htdocs/admin,
> require any valid user.
> 2) For all requests under /htdocs/admin, require the "admin" user.
>
> With 2.4, unless I'm missing something, the same configuration
> produces the logic:
>
> 1) For all requests under /htdocs, except those under /htdocs/admin,
> require any valid user.
> 2) For all requests under /htdocs/admin, require any valid user OR
> require the user "admin". Of course this grants any valid user access.
>
> To get the old behaviour, you seem to need to add
> "AuthzMergeRules Off" to the second <Directory>. I just tested
> versions of this configuration with 2.2 and 2.4 and I think I'm
> describing the situation correctly. Assuming I am, I fear this
> will surprise a lot of people who think they've secured their
> systems after upgrading. It certainly caught me short.
>
> Perhaps the default AuthzMergeRules setting should be Off rather
> than On, at least when merging across configuration blocks?
>

So here was the thinking behind it when AuthzMergeRules was introduced. Maybe there is still a bug here that needs to be addressed.

http://mail-archives.apache.org/mod_mbox/httpd-dev/200607.mbox/%3c44C4E0FA.8060205@apache.org%3e
http://mail-archives.apache.org/mod_mbox/httpd-dev/200607.mbox/%3c44CA3C33.6720.00AC.0@novell.com%3e

Brad
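As an added illustration of the merge behaviour Chris describes in the quoted message (a constructed model, not httpd's own code): the two <Directory> blocks are represented as lists of Require rules, and a request is evaluated under the 2.2 semantics, where the more specific block replaces its parent, and under the 2.4 AuthzMergeRules On default, where the parent's rules are OR-ed in. The function and parameter names are the example's own.

```python
# Constructed model of the authorization merge behaviour discussed above;
# it is not httpd code. Each <Directory> block is a list of Require rules,
# and several Require lines in one block are satisfied if any one matches.

# The configuration from the message: directory path -> Require rules.
CONFIG = {
    "/htdocs": [("valid-user", None)],
    "/htdocs/admin": [("user", "admin")],
}

def rule_allows(rule, user):
    """Evaluate one Require rule; user is None when unauthenticated."""
    kind, arg = rule
    if kind == "valid-user":
        return user is not None
    if kind == "user":
        return user == arg
    raise ValueError("unsupported Require type: %s" % kind)

def matching_sections(config, path):
    """Directory sections that contain path, least specific first."""
    secs = [d for d in config
            if path == d or path.startswith(d.rstrip("/") + "/")]
    return sorted(secs, key=len)

def effective_rules(config, path, merge_on):
    """Rule groups applying to path.

    merge_on=False models 2.2 (and AuthzMergeRules Off): the most specific
    section replaces its parents. merge_on=True models the 2.4 default the
    message describes: the parent's rules stay in force and are OR-ed in.
    """
    secs = matching_sections(config, path)
    if not secs:
        return []
    if merge_on:
        return [config[s] for s in secs]
    return [config[secs[-1]]]

def authorized(config, path, user, merge_on):
    """True if any applicable Require rule accepts the user. A path that no
    section covers has no authorization configured and is left unrestricted."""
    groups = effective_rules(config, path, merge_on)
    if not groups:
        return True
    return any(rule_allows(r, user) for group in groups for r in group)
```

Running `authorized(CONFIG, "/htdocs/admin/index.html", "bob", merge_on=True)` reproduces the surprise in the message: an ordinary valid user reaches /htdocs/admin, while the same call with `merge_on=False` denies him.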