Date: Thu, 4 Aug 2011 14:52:21 -0700
From: Darren Spruell
To: users@httpd.apache.org
Subject: [users@httpd] LimitExcept group authorization not taking effect

Greetings,

I have configuration that is not behaving as I'm assuming it should - suspect I'm missing a critical detail.

I am using the following setup in a VirtualHost to protect access to a Mercurial web repo:

    WSGIProcessGroup hg
    AuthType Basic
    AuthName "Mercurial LDAP Auth"
    AuthBasicProvider ldap
    # For AD LDAPS support, requires LDAPVerifyServerCert to be disabled up above.
    AuthLDAPURL [redacted]
    AuthLDAPBindDN [redacted]
    AuthLDAPBindPassword [redacted]
    # Must be off to honor valid-user as "fallback" authorization
    AuthzLDAPAuthoritative Off
    Require valid-user

    AuthGroupFile /etc/httpd/auth/groups
    #Require group hgpushers
    Require group poopy

    ## /etc/httpd/auth/groups
    # Authorized to perform Mercurial push operations
    #hgpushers: jdoe jdoe2
    hgpushers: jdoe

Authentication against LDAP works correctly. Authorization to 'valid-user' works correctly in the normal case.

My goal is to use LimitExcept to restrict Mercurial 'push' operations to members of an authorized group; this can be done by evaluation of the HTTP methods as described at http://mercurial.selenic.com/wiki/PublishingRepositories#Configuring_Apache.

For everything I've tried though, I can still perform push operations when authenticating as a user not listed in the 'hgpushers' group in AuthGroupFile (jdoe2 in the above config case). As a test, I also modified Require to check against a non-existent group 'poopy' and my authenticated user is still authorized for 'push' operations.

It seems to me that the configuration for LimitExcept as I have it is not being honored. Every change to config at any level is followed by a restart of the daemon to apply.

Logging shows the 'hg push' operation concluding with POST requests; I believe these should be denied.
    [04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA "GET /hg/main?pairs=0000000000000000000000000000000000000000-0000000000000000000000000000000000000000&cmd=between HTTP/1.1" 1
    [04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA "GET /hg/main?cmd=capabilities HTTP/1.1" 495
    [04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA "GET /hg/main?cmd=capabilities HTTP/1.1" 130
    [04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA "GET /hg/main?cmd=heads HTTP/1.1" 495
    [04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA "GET /hg/main?cmd=heads HTTP/1.1" 41
    [04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA "GET /hg/main?cmd=branchmap HTTP/1.1" 495
    [04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA "GET /hg/main?cmd=branchmap HTTP/1.1" 48
    [04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA "POST /hg/main?cmd=unbundle&heads=131dc47de7e0812281c3547f6d65f3de3ab4f5fd HTTP/1.1" 495
    [04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA "POST /hg/main?cmd=unbundle&heads=131dc47de7e0812281c3547f6d65f3de3ab4f5fd HTTP/1.1" 102

    # httpd -V
    Server version: Apache/2.2.3
    Server built:   Jan 21 2009 20:31:52
    Server's Module Magic Number: 20051115:3
    Server loaded:  APR 1.2.7, APR-Util 1.2.7
    Compiled using: APR 1.2.7, APR-Util 1.2.7
    Architecture:   64-bit
    Server MPM:     Prefork
      threaded:     no
        forked:     yes (variable process count)
    Server compiled with....
     -D APACHE_MPM_DIR="server/mpm/prefork"
     -D APR_HAS_SENDFILE
     -D APR_HAS_MMAP
     -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
     -D APR_USE_SYSVSEM_SERIALIZE
     -D APR_USE_PTHREAD_SERIALIZE
     -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
     -D APR_HAS_OTHER_CHILD
     -D AP_HAVE_RELIABLE_PIPED_LOGS
     -D DYNAMIC_MODULE_LIMIT=128
     -D HTTPD_ROOT="/etc/httpd"
     -D SUEXEC_BIN="/usr/sbin/suexec"
     -D DEFAULT_PIDLOG="logs/httpd.pid"
     -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
     -D DEFAULT_LOCKFILE="logs/accept.lock"
     -D DEFAULT_ERRORLOG="logs/error_log"
     -D AP_TYPES_CONFIG_FILE="conf/mime.types"
     -D SERVER_CONFIG_FILE="conf/httpd.conf"

    # httpd -l
    Compiled in modules:
      core.c
      prefork.c
      http_core.c
      mod_so.c

    # httpd -M
    Loaded Modules:
     core_module (static)
     mpm_prefork_module (static)
     http_module (static)
     so_module (static)
     auth_basic_module (shared)
     auth_digest_module (shared)
     authn_file_module (shared)
     authn_alias_module (shared)
     authn_anon_module (shared)
     authn_dbm_module (shared)
     authn_default_module (shared)
     authz_host_module (shared)
     authz_user_module (shared)
     authz_owner_module (shared)
     authz_groupfile_module (shared)
     authz_dbm_module (shared)
     authz_default_module (shared)
     ldap_module (shared)
     authnz_ldap_module (shared)
     include_module (shared)
     log_config_module (shared)
     logio_module (shared)
     env_module (shared)
     ext_filter_module (shared)
     mime_magic_module (shared)
     expires_module (shared)
     deflate_module (shared)
     headers_module (shared)
     usertrack_module (shared)
     setenvif_module (shared)
     mime_module (shared)
     dav_module (shared)
     status_module (shared)
     autoindex_module (shared)
     info_module (shared)
     dav_fs_module (shared)
     vhost_alias_module (shared)
     negotiation_module (shared)
     dir_module (shared)
     actions_module (shared)
     speling_module (shared)
     userdir_module (shared)
     alias_module (shared)
     rewrite_module (shared)
     proxy_module (shared)
     proxy_balancer_module (shared)
     proxy_ftp_module (shared)
     proxy_http_module (shared)
     proxy_connect_module (shared)
     cache_module (shared)
     suexec_module (shared)
     disk_cache_module (shared)
     file_cache_module (shared)
     mem_cache_module (shared)
     cgi_module (shared)
     version_module (shared)
     authz_ldap_module (shared)
     perl_module (shared)
     php5_module (shared)
     proxy_ajp_module (shared)
     wsgi_module (shared)
     ssl_module (shared)
    Syntax OK

-- 
Darren Spruell
phatbuckett@gmail.com
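As an added example (not from the post and not httpd's own logic), the script below parses the AuthGroupFile excerpt and the ssl_request_log lines from the post, and applies a model of the policy the post is trying to express: GET and HEAD (assumed to be the methods listed in the LimitExcept block) need any valid user, any other method needs membership in hgpushers. It shows which of the logged requests should have been refused for jdoe2, which is the expectation the post's log contradicts.

```python
import re

# Constructed copy of the AuthGroupFile excerpt from the post ("group: member member").
GROUP_FILE = """\
# Authorized to perform Mercurial push operations
#hgpushers: jdoe jdoe2
hgpushers: jdoe
"""

# Two request lines copied from the post's log (%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b).
LOG_LINES = [
    '[04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA '
    '"GET /hg/main?cmd=heads HTTP/1.1" 41',
    '[04/Aug/2011:14:51:04 -0700] 10.8.209.142 TLSv1 DHE-RSA-AES256-SHA '
    '"POST /hg/main?cmd=unbundle&heads=131dc47de7e0812281c3547f6d65f3de3ab4f5fd HTTP/1.1" 102',
]
LOG_RE = re.compile(r'^\[[^\]]+\] \S+ \S+ \S+ "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \S+$')

# Assumption: GET and HEAD are the LimitExcept methods (any valid user); the rest is a push path.
READ_ONLY_METHODS = {"GET", "HEAD"}
PUSH_GROUP = "hgpushers"

def parse_groups(text):
    """Parse AuthGroupFile syntax into {group: set(members)}; '#' lines are comments."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, members = line.partition(":")
        groups[name.strip()] = set(members.split())
    return groups

def intended_decision(method, user, groups):
    """Model of the intended policy (not what httpd evaluated): read-only needs any user, else PUSH_GROUP."""
    if user is None:
        return False
    if method in READ_ONLY_METHODS:
        return True
    return user in groups.get(PUSH_GROUP, set())

def triage(lines, user, groups):
    """Return (method, hg cmd, allowed) per parsable log line for the given authenticated user."""
    results = []
    for m in filter(None, map(LOG_RE.match, lines)):
        query = m["target"].partition("?")[2]
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        results.append((m["method"], params.get("cmd"),
                        intended_decision(m["method"], user, groups)))
    return results
```

Running triage over a real ssl_request_log with the user taken from the matching access_log entry gives a quick list of push (cmd=unbundle) requests that the policy says should have been denied.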