httpd-users mailing list archives

From Torsten Krah <krah...@gmail.com>
Subject Re: [users@httpd] [mod_lua] Successful arbitrary authentication with denied access on the resource results in a core:error AH00571 message in the logs about a missing AuthType
Date Thu, 15 Mar 2018 15:10:14 GMT
> Lots of things could be better. To me it is clear that the overall
> system expects an AuthType to be set if you will be doing authn and
> authz.

Thanks for the clarification - this was at least not clear to me.

> 
> The error message is one indication of that

But it appears only if the authorization backend denies the access -
if it lets you pass, you won't get any error message.
So it's difficult to "know" that you should configure it.

> 
> IIUC, a normal authentication provider would check the configured
> authtype. So it would not be ideal for Lua to programmatically
> configure it just because the hook has been implemented by a script.

Hm - the Lua authz provider here:

https://httpd.apache.org/docs/trunk/mod/mod_lua.html#luaauthzprovider

does not check that, and neither do any of the other examples there.
So if I use that *normal* one from the example there and tweak it to my
needs, I would not know what other providers in general would do -
*normal* makes assumptions about httpd internals in other places which
not everyone has.
Coming from the perspective of a user who wants to use the things there, it's
hard to *know* such things - if you're a developer familiar with httpd, of
course it seems clear to you.

...
This can be used to implement arbitrary authentication and authorization
checking.
...

To sum it up:

I should set AuthType if I am using some of those handlers, correct?
And do we agree that the docs should mention that?

> 
> > And I am curious - why is it dangerous? If it is dangerous - shouldn't the
> > docs have some note about this added?
> > Reading them I was under the impression - and because httpd does not
> > bail about it - that it's not needed when using the Lua handlers.
> 
> To me it's dangerous because to me it looks like
> unintended/undesigned/undefined config/behavior in the area of access
> control and that error message is the hint.

That sounds feasible - but to users of httpd + mod_lua who just read
the docs and do not study the code of other providers - how should
they know that this is an undefined config / behaviour?

The examples and docs IMHO should mention that, shouldn't they?

And wouldn't it be a good idea to let httpd configtest fail if those
auth handlers are used but no AuthType is set - just to avoid undefined
behaviour?

Kind regards

Torsten
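The configuration the thread converges on, written out as an added example (not a config from this thread or from the httpd project): the Lua authz provider wired as in the mod_lua documentation, with the AuthType and AuthName directives declared. It uses httpd's own Basic authentication for the authn step in place of the Lua authentication hook the original poster used, so the Lua script only has to implement the documented authz provider function (receiving `(r, who)` and returning `apache2.AUTHZ_GRANTED` or `apache2.AUTHZ_DENIED`). The script path, the provider alias `luauser`, the function name, the htpasswd path and the user name are all assumptions.

```apache
# Added example, not from this thread or the httpd project. httpd 2.4 with
# mod_lua: the authz provider is wired as in the mod_lua documentation, and
# the authn step is httpd's own Basic auth so that r.user is populated before
# the Lua provider runs. Paths and the provider/function names are assumed.

LoadModule lua_module          modules/mod_lua.so
LoadModule auth_basic_module   modules/mod_auth_basic.so
LoadModule authn_file_module   modules/mod_authn_file.so
LoadModule authz_core_module   modules/mod_authz_core.so

# Registers the Require alias "luauser". The function authz_check_user in
# the (assumed) script receives (r, who) and returns apache2.AUTHZ_GRANTED
# or apache2.AUTHZ_DENIED, following the documented LuaAuthzProvider shape.
LuaAuthzProvider luauser /usr/local/apache2/conf/authz_provider.lua authz_check_user

<Location "/private">
    # The directives this thread concludes must be present whenever a
    # resource is protected by authn/authz, Lua-based or not. Leaving them
    # out still passes "apachectl -t" and stays silent on granted requests;
    # the thread reports that the gap only surfaces as AH00571 in the error
    # log once the provider denies access.
    AuthType Basic
    AuthName "Private area"

    # Authn: who the client is. Swapped in here for the Lua authentication
    # hook the original poster used; the value of AuthType must match the
    # scheme that actually authenticates the user.
    AuthBasicProvider file
    AuthUserFile /usr/local/apache2/conf/htpasswd

    # Authz: whether that user may reach this resource, decided by the Lua
    # provider. "johndoe" is handed to the Lua function as its "who" argument.
    Require luauser johndoe
</Location>
```

Running `apachectl -t` after the change is still worthwhile for syntax, but as the thread notes it does not fail on a missing AuthType; only a request that the Lua provider actually denies exercises the path where the missing directive shows up in the error log.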
