httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chris Darroch <>
Subject Re: AuthzMergeRules directive
Date Mon, 23 Jun 2008 18:31:01 GMT
Brad Nicholes wrote:

> I finally got around to making the switch so that the default merge
> rule is AND rather than OR.  However after making the switch, it
> occurred to me that since the default rule is AND now, the
> AuthzMergeRules default should remain ON.  Otherwise the rule
> inheritance won't happen by default which would leave authentication
> holes in sub-directories.  I think with the default being changed
> to AND, authz should be behaving as discussed on this thread.

   Thanks, much appreciated.  I'll try to set up some tests and
take a look as soon as I can.

   It's been a while since I thought about this stuff, but I think
the reason I was keen to make the AuthzMergeRules default off was that
it more closely emulated the pre-2.4 behaviour, so that people wouldn't
be surprised to discover their 2.2 configurations weren't working
as expected.  Combined with a default OR rule that might have led, I
thought, to unanticipated security holes -- users given access to a
subdir with it's own authz config because the OR with the parent dir
short- circuited the subdir's authz.  Using AND as the default rule will
at a minimum close off that problem.

    My hunch (absent any testing; sorry!) is that a default AND will
mean such subdirs are sometimes just not available after an upgrade to 2.4
(assuming no authz config changes are made by someone who doesn't read
the release notes) because users won't have access to both the parent dir
and the subdir.  In 2.2, they'd be authorized against just the subdir's
config; here, they'll need to pass the parent's too.  (I think.)  Anyway,
I'll try to work in some testing in the next week or two.

   Regardless, this change closes a big security problem for
quick-and-dirty upgraders, I believe.  Thanks again,


GPG Key ID: 366A375B
GPG Key Fingerprint: 485E 5041 17E1 E2BB C263  E4DE C8E3 FA36 366A 375B

View raw message