httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Trawick <traw...@gmail.com>
Subject Re: mod_fcgid - cannot get authorizer process to be started
Date Tue, 29 Sep 2009 17:34:54 GMT
On Tue, Sep 29, 2009 at 12:51 PM, Barry Scott <barry.scott@onelan.co.uk>wrote:

> Barry Scott wrote:
>
>> Jeff Trawick wrote:
>>
>>> On Tue, Sep 29, 2009 at 11:26 AM, Barry Scott <barry.scott@onelan.co.uk<mailto:
>>> barry.scott@onelan.co.uk>> wrote:
>>>
>>>    Jeff Trawick wrote:
>>>
>>>        On Tue, Sep 29, 2009 at 8:18 AM, Barry Scott
>>>        <barry.scott@onelan.co.uk <mailto:barry.scott@onelan.co.uk>
>>>        <mailto:barry.scott@onelan.co.uk
>>>        <mailto:barry.scott@onelan.co.uk>>> wrote:
>>>
>>>           The mod_fcgid page says to ask on dev I assume that this is the
>>>           right place to ask.
>>>
>>>           I'm using mod_fcgid from svn with HTTPD 2.2.
>>>
>>>           I want to use a fast CGI authorizer to allow me to control
>>>        access
>>>           based on my rules.
>>>           The authorizer needs to be a long running process - never
>>>        exits.
>>>
>>>           I know that the fcgid code is noticing the directive
>>>        because I can
>>>           change the filename
>>>           and see the error message from the sources.
>>>
>>>           But I'm at a lose as to the required to get this
>>>        configuration to
>>>           actually call my code.
>>>           mod_fcgid is not starting up the authorizer process.
>>>
>>>           I have the following fcgid specific lines in my httpd.conf
>>>        file:
>>>
>>>           ---- httpd.conf ----
>>>           ...
>>>           LoadModule fcgid_module modules/mod_fcgid.so
>>>           ...
>>>
>>>           Listen *:9000
>>>           <VirtualHost *:9000>
>>>            <Location />
>>>                Order allow,deny
>>>                Allow from all
>>>                AuthType Digest
>>>
>>>
>>>        Did you really mean Digest authentication instead of Basic
>>>        authentication?
>>>
>>>        mod_fcgid only supports Basic, AFAICT.
>>>
>>>           /* Get the user password */
>>>           if ((res = ap_get_basic_auth_pw(r, &password)) != OK)
>>>               return res;
>>>
>>>
>>>    I don't want to be an authenticator, I want to be a authorizer.
>>>    Authorizer has no need of passwords right.
>>>
>>>
>>> whoops :(
>>>
>>> yes
>>>
>>> your "require valid-user" implies that you don't need authorization; try
>>> "require valid-group" instead
>>>
>>
>> I want the users password checked and to only proceed if it is valid.
>> I also want to run the fcgi Authorizer to check that the URL being
>> access is allowed according to the logic in my Authorizer code.
>>
>
"require valid-user" means that all it takes to access this resource is a
properly authenticated user.

If mod_authz_user sees "valid-user" during the authorization stage, it
returns OK and mod_fcgid' authorization hook is not called.  You want to
take it further and also run the authorizer, since a properly authenticated
user is not good enough.  So "require valid-user" or "require user xxx" or
other checks that can be made since the user is already known can't be used.

"require valid-group" is a hack to bypass checks that the AAA modules know
how to make (require user foo, require group bar, require ldap-group ...,
etc.).  There's no provision to allow a FastCGI authorizer app to implement
a particular authorization require-ment. "require group foo" can also get
you to your authorizer (subject to what the group file module would do).  I
haven't checked if that required group name is available to your authorize.




>
>> To that end I have the following:
>>
>>   <Location />
>>       Order allow,deny
>>       Allow from all
>>
>>       # Use digest auth to check the username/password pair
>>       AuthType Digest
>>       AuthName "Manager System"
>>       # no one gets in without a valid username/password pair
>>       Require valid-user
>>
>
mod_authz_user always returns OK from authorization hook with this require


>
>>       # Use these files to find the passwd and group information
>>       AuthGroupFile /home/bscott/Work/httpd-fcgid-test/auth/http.group
>>
>
not needed and maybe harmful depending on your require directive



>       AuthUserFile /home/bscott/Work/httpd-fcgid-test/auth/http.passwd
>>
>>       # Run the Authorizer.sh to veto URL based on the username
>>       FastCgiAuthorizer
>> /home/bscott/wc/svn/NTB-Next/onelan/DSM/Sources/WebUserInterface/bin/Authorizer.sh
>>
>>   </Location>
>>
>> What triggers HTTPD to call the Authorizer.sh code?
>> Surely not the commands that control authentication checks?
>>
>
yes, the require directive; furthermore, if authorization hooks called
before mod_fcgid's think they have answered the question authoritatively,
mod_fcgid won't be called


>
>> I cannot find Require valid-group defined in the 2.2 docs.
>>
>> Do you mean I need to add:
>>
>>             Require group nosuchgroup
>>
>
> This does not work...


because mod_authz_groupfile sees your AuthGroupFile and tries to answer
based on its contents (as well as whether or not that check is authoritative
(see
http://httpd.apache.org/docs/2.2/mod/mod_authz_groupfile.html#authzgroupfileauthoritative))?


>
>
>> And that will cause the mod_authn_user (or what ever module) to try
>> and match nosuchgroup. When it fails my Authenicator will be run
>> to see if it can handle that directive?
>>
>> Isn't this module crying out for a directive like:
>>
>>           Require fcgid-authenticater-user-is-valid
>>
>
I think so, but something appropriate for authorization, since the
mod_fcgid-driven authorization app shouldn't care how the user was
authenticated.

Mime
View raw message