httpd-users mailing list archives

From Igor Cicimov <icici...@gmail.com>
Subject Re: [users@httpd] using multiple LimitExcept directives
Date Sun, 03 Mar 2013 21:08:42 GMT
On 04/03/2013 3:36 AM, "James Martin" <james.s.martin@gmail.com> wrote:
>
> On Sun, Mar 3, 2013 at 2:46 AM, Igor Cicimov <icicimov@gmail.com> wrote:
> >
> > On 03/03/2013 3:34 PM, "James Martin" <james.s.martin@gmail.com> wrote:
> >>
> >> Folks,
> >>
> >> I'm attempting to use multiple LimitExcept directives in one
> >> Location.  Basically I want to give the "Actor" ldap group GET &
> >> PUT access, the "WeatherMan" ldap group only GET access, and the
> >> "Actor" ldap group PUT access.  I'm open to using either apache 2.2 or
> >> 2.4, as I see that apache 2.4 supports nesting of the Limit and
> >> LimitExcept directives.  This is what I've tried so far:
> >>
> >
> > Can you please first check the above bold out groups for us? Is that correct
> > or one of them should be Artist instead?
> >
>
> I realize there was a typo there, sorry about that.   I said Actor
> twice.  The groups should be Artist, Actor, and WeatherMan.  Here's the
> proper text:
>
> Basically I want to give the "Artist" ldap group GET & PUT access,
> the "WeatherMan" ldap group only GET access, and the "Actor" ldap
> group PUT access.  I'm open to using either apache 2.2 or 2.4, as I
> see that apache 2.4 supports nesting of the Limit and LimitExcept
> directives.  This is what I've tried so far:
>
> <Location>
> <LimitExcept GET PUT>
>     Require ldap-group cn=Artist, ou=groups, o=company
> </LimitExcept>
>  <LimitExcept GET>
>         Require ldap-group cn=WeatherMan, ou=groups, o=company
>  </LimitExcept>
>  <LimitExcept PUT>
>         Require ldap-group cn=Actor, ou=groups, o=company
>  </LimitExcept>
> </Location>
>
> >>
> >> <Location "/boballcharlieputs">
> >>   AuthType Basic
> >>   AuthName "Secure Area"
> >>   AuthBasicProvider ldap
> >>   AuthLDAPURL "ldap://localhost:10389/ou=users,o=company?uid"
> >>   AuthLDAPBindDN uid=binder,ou=users,o=bashoproserv
> >>   AuthLDAPBindPassword password
> >
> >
> >> <LimitExcept GET PUT>
> >>     Require ldap-group cn=Actor, ou=groups, o=company
> >> </LimitExcept>
> >
> > From the docs:
> >
> > <LimitExcept> and </LimitExcept> are used to enclose a group of access
> > control directives which will then apply to any HTTP access method not
> > listed in the arguments
> >
>
> It is my understanding that if you have GET PUT within LimitExcept
> then you are limiting all operations *except* GET & PUT.
>
>
> > In this context, isn't your above statement actually achieving the opposite
> > from what you want?
> >
> >>  <LimitExcept GET>
> >>         Require ldap-group cn=WeatherMan, ou=groups, o=company
> >>  </LimitExcept>
> >>  <LimitExcept PUT>
> >>         Require ldap-group cn=Actor, ou=groups, o=company
> >>  </LimitExcept>
> >> </Location>
> >>
> >> In this case Apache only processes the last LimitExcept, so only
> >> operation that is successful is the PUT by a user in the Actor ldap
> >> group.
> >>
> >>
> >> I've also attempted to nest these statements (new feature in 2.4) and
> >> apache complains:
> >>
> >> "<LimitExcept> directive specifies methods already excluded"
> >>
> >> Here is that example:
> >>
> >> <LimitExcept GET PUT>
> >>     Require ldap-group cn=Artist, ou=groups, o=bashoproserv
> >>     <LimitExcept PUT>
> >>         Require ldap-group cn=Actor, ou=groups, o=bashoproserv
> >>     </LimitExcept>
> >> </LimitExcept>
> >>
> >
> > So is it Actor or Artist or both??? Can't see Artist in the first example...
> >
> > The docs further say:
> >
> > The <Limit> and <LimitExcept> directives may be nested. In this case, each
> > successive level of <Limit> or <LimitExcept> directives must further
> > restrict the set of methods to which access controls apply.
> >
> > When using <Limit> or <LimitExcept> directives with the Require directive,
> > note that the first Require to succeed authorizes the request, regardless of
> > the presence of other Require directives.
> >
> > So, assuming GET+PUT for Artist, GET for WeatherMan and PUT for Actor, and
> > having the above said in mind, I would try something like this:
> >
> >
> > <Limit GET PUT>
> >    Require ldap-group cn=Artist, ou=groups, o=company
> > </Limit>
> > <Limit GET>
> >
> >    Require ldap-group cn=WeatherMan, ou=groups, o=company
> > </Limit>
> > <Limit PUT>
> >
> >    Require ldap-group cn=Actor, ou=groups, o=company
> > </Limit>
> >
>
> I attempted your method and it *does* seem to work as I wanted
> (thanks!); however, my concern is as per the docs:
>
> """
> The following example applies the access control only to the methods
> POST, PUT, and DELETE, leaving all other methods unprotected:
>
> <Limit POST PUT DELETE>
>   Require valid-user
> </Limit>
> """
>
> To me that means that  GET, CONNECT, OPTIONS, PATCH, PROPFIND,
> PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK are not restricted at
> all.

Correct since those 3 are important ones so you need only some users to
access them and you don't care about the other methods. Why else would you
use limit then with Require? By default ALL methods are unprotected. So in
your case you don't need to give Artist GET access to anything, he already
has it! The point is to allow access to that user ONLY and that's where
Limit and Require come into play.

>
> It also mentions
>
> """
> A <LimitExcept> section should always be used in preference to a
> <Limit> section when restricting access, since a <LimitExcept> section
> provides protection against arbitrary methods.
> """
>
Correct BUT only if it matches your use case. Does it???
Nothing wrong with using Limit if you know exactly what you are doing.

> Perhaps I need to combine the Limit with a LimitExcept to catch all of
> the other methods not defined?
>
Sure go on and try it. I'm only giving you some pointers, hope you'll come up
with the solution that suits you yourself.

> Thanks,
>
> - James
>
>
> >> I feel like I'm very close to getting this working, but I'm not quite
> >> grasping how to stack the LimitExcepts properly.
> >>
> >> Thanks for your help,
> >>
> >>
> >> James
> >>
>
>
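
Added example, not part of the original thread and not written by either poster: one way to combine the <Limit> sections suggested above with a <LimitExcept> catch-all, so that methods other than GET and PUT are no longer left unprotected. It assumes Apache 2.4 (`Require all denied` is 2.4 authorization syntax); the Location path, LDAP settings and group DNs are the ones quoted in the thread.

```apache
# Added example (not from the thread). Apache 2.4 syntax.
<Location "/boballcharlieputs">
  AuthType Basic
  AuthName "Secure Area"
  AuthBasicProvider ldap
  AuthLDAPURL "ldap://localhost:10389/ou=users,o=company?uid"
  AuthLDAPBindDN uid=binder,ou=users,o=bashoproserv
  AuthLDAPBindPassword password

  # The <Limit> sections from the thread. Each Require applies only to the
  # methods named on its enclosing <Limit>; the first Require to succeed
  # authorizes the request.
  #   GET -> Artist or WeatherMan
  #   PUT -> Artist or Actor
  <Limit GET PUT>
    Require ldap-group cn=Artist, ou=groups, o=company
  </Limit>
  <Limit GET>
    Require ldap-group cn=WeatherMan, ou=groups, o=company
  </Limit>
  <Limit PUT>
    Require ldap-group cn=Actor, ou=groups, o=company
  </Limit>

  # Without this section, every method not named above (POST, DELETE,
  # OPTIONS, PROPFIND, ...) has no Require at all and is unprotected.
  # <LimitExcept GET PUT> covers exactly those remaining methods,
  # including arbitrary ones, and refuses them.
  <LimitExcept GET PUT>
    Require all denied
  </LimitExcept>
</Location>
```

After reloading, a request using any method other than GET or PUT should be refused whatever credentials are supplied, while GET and PUT still depend on group membership.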
