httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Darren Spruell <>
Subject [users@httpd] LimitExcept group authorization not taking effect
Date Thu, 04 Aug 2011 21:52:21 GMT

I have configuration that is not behaving as I'm assuming it should -
suspect I'm missing a critical detail.

I am using the following setup in a VirtualHost to protect access to a
Mercurial web repo:

<Location /hg>
        WSGIProcessGroup hg
        AuthType Basic
        AuthName "Mercurial LDAP Auth"
        AuthBasicProvider ldap
        # For AD LDAPS support, requires LDAPVerifyServerCert to be
disabled up above.
        AuthLDAPURL [redacted]
        AuthLDAPBindDN [redacted]
        AuthLDAPBindPassword [redacted]
        # Must be off to honor valid-user as "fallback" authorization
        AuthzLDAPAuthoritative Off
        Require valid-user
        AuthGroupFile /etc/httpd/auth/groups
        <LimitExcept GET>
            #Require group hgpushers
            Require group poopy

## /etc/httpd/auth/groups
# Authorized to perform Mercurial push operations
#hgpushers: jdoe jdoe2
hgpushers: jdoe

Authentication against LDAP works correctly. Authorization to
'valid-user' works correctly in the normal case. My goal is to use
LimitExcept to restrict Mercurial 'push' operations to members of an
authorized group; this can be done by evaluation of the HTTP methods
as described at

For everything I've tried though, I can still perform push operations
when authenticating as a user not listed in the 'hgpushers' group in
AuthGroupFile (jdoe2 in the above config case). As a test, I also
modified Require to check against a non-existent group 'poopy' and my
authenticated user is still authorized for 'push' operations. it seems
to me that the configuration for LimitExcept as I have is not being
honored. Every change to config at any level is followed by restart of
daemon to apply.

Logging shows the 'hg push' operation concluding with POST requests; I
believe these should be denied.

[04/Aug/2011:14:51:04 -0700] TLSv1 DHE-RSA-AES256-SHA
"GET /hg/main?pairs=0000000000000000000000000000000000000000-0000000000000000000000000000000000000000&cmd=between
HTTP/1.1" 1
[04/Aug/2011:14:51:04 -0700] TLSv1 DHE-RSA-AES256-SHA
"GET /hg/main?cmd=capabilities HTTP/1.1" 495
[04/Aug/2011:14:51:04 -0700] TLSv1 DHE-RSA-AES256-SHA
"GET /hg/main?cmd=capabilities HTTP/1.1" 130
[04/Aug/2011:14:51:04 -0700] TLSv1 DHE-RSA-AES256-SHA
"GET /hg/main?cmd=heads HTTP/1.1" 495
[04/Aug/2011:14:51:04 -0700] TLSv1 DHE-RSA-AES256-SHA
"GET /hg/main?cmd=heads HTTP/1.1" 41
[04/Aug/2011:14:51:04 -0700] TLSv1 DHE-RSA-AES256-SHA
"GET /hg/main?cmd=branchmap HTTP/1.1" 495
[04/Aug/2011:14:51:04 -0700] TLSv1 DHE-RSA-AES256-SHA
"GET /hg/main?cmd=branchmap HTTP/1.1" 48
[04/Aug/2011:14:51:04 -0700] TLSv1 DHE-RSA-AES256-SHA
"POST /hg/main?cmd=unbundle&heads=131dc47de7e0812281c3547f6d65f3de3ab4f5fd
HTTP/1.1" 495
[04/Aug/2011:14:51:04 -0700] TLSv1 DHE-RSA-AES256-SHA
"POST /hg/main?cmd=unbundle&heads=131dc47de7e0812281c3547f6d65f3de3ab4f5fd
HTTP/1.1" 102

# httpd -V
Server version: Apache/2.2.3
Server built:   Jan 21 2009 20:31:52
Server's Module Magic Number: 20051115:3
Server loaded:  APR 1.2.7, APR-Util 1.2.7
Compiled using: APR 1.2.7, APR-Util 1.2.7
Architecture:   64-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

# httpd -l
Compiled in modules:

# httpd -M
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 auth_basic_module (shared)
 auth_digest_module (shared)
 authn_file_module (shared)
 authn_alias_module (shared)
 authn_anon_module (shared)
 authn_dbm_module (shared)
 authn_default_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 authz_owner_module (shared)
 authz_groupfile_module (shared)
 authz_dbm_module (shared)
 authz_default_module (shared)
 ldap_module (shared)
 authnz_ldap_module (shared)
 include_module (shared)
 log_config_module (shared)
 logio_module (shared)
 env_module (shared)
 ext_filter_module (shared)
 mime_magic_module (shared)
 expires_module (shared)
 deflate_module (shared)
 headers_module (shared)
 usertrack_module (shared)
 setenvif_module (shared)
 mime_module (shared)
 dav_module (shared)
 status_module (shared)
 autoindex_module (shared)
 info_module (shared)
 dav_fs_module (shared)
 vhost_alias_module (shared)
 negotiation_module (shared)
 dir_module (shared)
 actions_module (shared)
 speling_module (shared)
 userdir_module (shared)
 alias_module (shared)
 rewrite_module (shared)
 proxy_module (shared)
 proxy_balancer_module (shared)
 proxy_ftp_module (shared)
 proxy_http_module (shared)
 proxy_connect_module (shared)
 cache_module (shared)
 suexec_module (shared)
 disk_cache_module (shared)
 file_cache_module (shared)
 mem_cache_module (shared)
 cgi_module (shared)
 version_module (shared)
 authz_ldap_module (shared)
 perl_module (shared)
 php5_module (shared)
 proxy_ajp_module (shared)
 wsgi_module (shared)
 ssl_module (shared)
Syntax OK

Darren Spruell

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message