httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Covener" <>
Subject Re: AuthzMergeRules blocks everything in default configuration
Date Wed, 29 Oct 2008 23:48:47 GMT
On Wed, Oct 29, 2008 at 6:17 PM, Chris Darroch <> wrote:

>  The MergeAuthzRules directive is renamed SatisfySections and
>  take three possible values, Off, All, and And.  The default is Off,
>  meaning that as directory configuration sections are merged,
>  new authz configurations replace previously merged ones.  However,
>  a directory section may specify "SatisfySections All" to force
>  its predecessor's authz to be successful as well as its own.
>  The "SatisfySections Any" option permits either the predecessor
>  or current section's authz to grant the user access.  Note that
>  the setting of SatisfySections continues to be local only to
>  the directory section it appears in; it is not inherited to
>  subsequent sections as they are merged.

I tend to prefer something closer to the old name, especially with the
Satisfy containers being optional.  IOTW the "sections" here may not
be something explicit the user can look back to.

>  The default setting of SatisfySections is Off, corresponding to
>  traditional pre-2.4 authz logic.  Within a directory section,
>  the default logic corresponds to an AND-like block (i.e., <SatisfyAll>),
>  which differs from the pre-2.4 logic whereby the first Require
>  statement to succeed authorized the request.

Good to see the behavior default to being true to the verb.

>  Legacy 2.2 configurations should, I hope, work with few or no
>  changes as a result of these revisions.  Few administrators, I hope,
>  have configurations with multiple Require directives in a section; e.g.:
>     <Directory /foo>
>         Require group shirt
>         Require group shoes
>     </Directory>

More common migration breakage might be using two different authz
providers there.

>  It also means that the following 2.4-style configuration makes
>  intuitive sense, because the negative Reject directive only has
>  meaning in an AND-like context:
>     <Directory /foo>
>         Require group shirt
>         Reject user noshoes
>     </Directory>

When do we need the negative satisfy containers? I'm having a hard
time with this one, especially with how negating Require/Reject are
interpreted inside -- it almost seems like the containers should be
dictating the verbs and you should just have some more agnostic
match-type operator with the authz providers.

Eric Covener

View raw message