randy 96/12/24 11:10:32 Modified: htdocs/manual/mod mod_auth.html mod_auth_db.html mod_auth_dbm.html Log: Update docs to reflect addition of Authoritative directive. Submitted by: Dirk vanGulik Revision Changes Path 1.4 +27 -0 apache/htdocs/manual/mod/mod_auth.html Index: mod_auth.html =================================================================== RCS file: /export/home/cvs/apache/htdocs/manual/mod/mod_auth.html,v retrieving revision 1.3 retrieving revision 1.4 diff -C3 -r1.3 -r1.4 *** mod_auth.html 1996/12/02 18:14:00 1.3 --- mod_auth.html 1996/12/24 19:08:23 1.4 *************** *** 17,22 **** --- 17,23 ---- <menu> <li><A HREF="#authgroupfile">AuthGroupFile</A> <li><A HREF="#authuserfile">AuthUserFile</A> + <li><A HREF="#authauthoritative">AuthAuthoritative</A> </menu> <hr> *************** *** 69,74 **** --- 70,101 ---- document tree of the web-server; do <em>not</em> put it in the directory that it protects. Otherwise, clients will be able to download the AuthUserFile.<p> + See also <A HREF="core.html#authname">AuthName</A>, + <A HREF="core.html#authtype">AuthType</A> and + <A HREF="#authgroupfile">AuthGroupFile</A>.<p> + <hr> + <A name="authauthoritative"><h2>AuthAuthoritative</h2></A> + <!--%plaintext <?INDEX {\tt AuthAuthoritative} directive> --> + <strong>Syntax:</strong> AuthAuthoritative < <strong> on</strong>(default) | off > <br> + <Strong>Context:</strong> directory, .htaccess<br> + <Strong>Override:</strong> AuthConfig<br> + <strong>Status:</strong> Base<br> + <strong>Module:</strong> mod_auth<p> + + Setting the AuthAuthoritative directive explicitly to <b>'off'</b> allows for both authentification and authorization to be passed on to lower level modules (as defined in the <code>Configuration</code> and <code>modules.c</code> file if there is <b>no userID</b> or <b>rule</b> matching the supplied userID. 
If there is a userID and/or rule specified; the usual password and access checks will be applied and a failure will give an Authorization Required reply. + <p> + So if a userID appears in the database of more than one module; or if a valid require directive applies to more than one module; then the first module will verify the credentials; and no access is passed on; regardless of the AuthAuthoritative setting. + <p> + A common use for this is in conjection with one of the database modules; such + as <a href="mod_auth_anon.c"><code>mod_auth_db.c</code></a>, <a href="mod_auth_anon.c"><code>mod_auth_dbm.c</code></a>, + <a href="mod_auth_anon.c"><code>mod_auth_msql.c</code></a> and <a href="mod_auth_anon.c"><code>mod_auth_anon.c</code></a>. These modules supply the bulk of the user credential checking; but a few (administrator) related accesses fall through to a lower level with a well protected AuthUserFile. + <p> + <b>Default:</b> By default; control is not passed on; and an unkown userID or rule will result in an Authorization Required reply. Not setting it thus keeps the system secure; and forces an NSCA compliant behaviour. + <p> + Security: Do consider the implications of allowing a user to allow fall-through in his .htaccess file; and verify that this is really what you want; Generally it is easier to just secure a single .htpasswd file, than it is to secure a database such as mSQL. Make sure that the AuthUserFile is stored outside the + document tree of the web-server; do <em>not</em> put it in the directory that + it protects. Otherwise, clients will be able to download the AuthUserFile. 
+ <p> See also <A HREF="core.html#authname">AuthName</A>, <A HREF="core.html#authtype">AuthType</A> and <A HREF="#authgroupfile">AuthGroupFile</A>.<p> 1.5 +25 -0 apache/htdocs/manual/mod/mod_auth_db.html Index: mod_auth_db.html =================================================================== RCS file: /export/home/cvs/apache/htdocs/manual/mod/mod_auth_db.html,v retrieving revision 1.4 retrieving revision 1.5 diff -C3 -r1.4 -r1.5 *** mod_auth_db.html 1996/12/02 18:14:01 1.4 --- mod_auth_db.html 1996/12/24 19:08:23 1.5 *************** *** 18,23 **** --- 18,24 ---- <menu> <li><A HREF="#authdbgroupfile">AuthDBGroupFile</A> <li><A HREF="#authdbuserfile">AuthDBUserFile</A> + <li><A HREF="#authdbauthoritative">AuthDBAuthoritative</A> </menu> <hr> *************** *** 103,108 **** --- 104,133 ---- See also <A HREF="core.html#authname">AuthName</A>, <A HREF="core.html#authtype">AuthType</A> and <A HREF="#authdbgroupfile">AuthDBGroupFile</A>.<p> + <hr> + <A name="authdbauthoritative"><h2>AuthDBAuthoritative</h2></A> + <!--%plaintext <?INDEX {\tt AuthDBAuthoritative} directive> --> + <strong>Syntax:</strong> AuthDBAuthoritative < <strong> on</strong>(default) | off > <br> + <Strong>Context:</strong> directory, .htaccess<br> + <Strong>Override:</strong> AuthConfig<br> + <strong>Status:</strong> Base<br> + <strong>Module:</strong> mod_auth<p> + + Setting the AuthDBAuthoritative directive explicitly to <b>'off'</b> allows for both authentification and authorization to be passed on to lower level modules (as defined in the <code>Configuration</code> and <code>modules.c</code> file if there is <b>no userID</b> or <b>rule</b> matching the supplied userID. If there is a userID and/or rule specified; the usual password and access checks will be applied and a failure will give an Authorization Required reply. 
+ <p> + So if a userID appears in the database of more than one module; or if a valid require directive applies to more than one module; then the first module will verify the credentials; and no access is passed on; regardless of the AuthAuthoritative setting. + <p> + A common use for this is in conjection with one of the basic auth modules; such + as <a href="mod_auth.c"><code>mod_auth.c</code></a>. Whereas this DB module supplies the bulk of the user credential checking; a few (administrator) related accesses fall through to a lower level with a well protected .htpasswd file. + <p> + <b>Default:</b> By default; control is not passed on; and an unkown userID or rule will result in an Authorization Required reply. Not setting it thus keeps the system secure; and forces an NSCA compliant behaviour. + <p> + Security: Do consider the implications of allowing a user to allow fall-through in his .htaccess file; and verify that this is really what you want; Generally it is easier to just secure a single .htpasswd file, than it is to secure a database which might have more access interfaces. 
+ + <p> + See also <A HREF="core.html#authname">AuthName</A>, + <A HREF="core.html#authtype">AuthType</A> and + <A HREF="#authgroupfile">AuthGroupFile</A>.<p> <!--#include virtual="footer.html" --> </BODY> 1.6 +26 -0 apache/htdocs/manual/mod/mod_auth_dbm.html Index: mod_auth_dbm.html =================================================================== RCS file: /export/home/cvs/apache/htdocs/manual/mod/mod_auth_dbm.html,v retrieving revision 1.5 retrieving revision 1.6 diff -C3 -r1.5 -r1.6 *** mod_auth_dbm.html 1996/12/10 01:19:36 1.5 --- mod_auth_dbm.html 1996/12/24 19:08:24 1.6 *************** *** 17,22 **** --- 17,23 ---- <menu> <li><A HREF="#authdbmgroupfile">AuthDBMGroupFile</A> <li><A HREF="#authdbmuserfile">AuthDBMUserFile</A> + <li><A HREF="#authdbmauthoritative">AuthDBMAuthoritative</A> </menu> <hr> *************** *** 103,108 **** --- 104,134 ---- See also <A HREF="core.html#authname">AuthName</A>, <A HREF="core.html#authtype">AuthType</A> and <A HREF="#authdbmgroupfile">AuthDBMGroupFile</A>.<p> + + <hr> + <A name="authdbmauthoritative"><h2>AuthDBMAuthoritative</h2></A> + <!--%plaintext <?INDEX {\tt AuthDBMAuthoritative} directive> --> + <strong>Syntax:</strong> AuthDBMAuthoritative < <strong> on</strong>(default) | off > <br> + <Strong>Context:</strong> directory, .htaccess<br> + <Strong>Override:</strong> AuthConfig<br> + <strong>Status:</strong> Base<br> + <strong>Module:</strong> mod_auth<p> + + Setting the AuthDBMAuthoritative directive explicitly to <b>'off'</b> allows for both authentification and authorization to be passed on to lower level modules (as defined in the <code>Configuration</code> and <code>modules.c</code> file if there is <b>no userID</b> or <b>rule</b> matching the supplied userID. If there is a userID and/or rule specified; the usual password and access checks will be applied and a failure will give an Authorization Required reply. 
+ <p> + So if a userID appears in the database of more than one module; or if a valid require directive applies to more than one module; then the first module will verify the credentials; and no access is passed on; regardless of the AuthAuthoritative setting. + <p> + A common use for this is in conjection with one of the basic auth modules; such + as <a href="mod_auth.c"><code>mod_auth.c</code></a>. Whereas this DBM module supplies the bulk of the user credential checking; a few (administrator) related accesses fall through to a lower level with a well protected .htpasswd file. + <p> + <b>Default:</b> By default; control is not passed on; and an unkown userID or rule will result in an Authorization Required reply. Not setting it thus keeps the system secure; and forces an NSCA compliant behaviour. + <p> + Security: Do consider the implications of allowing a user to allow fall-through in his .htaccess file; and verify that this is really what you want; Generally it is easier to just secure a single .htpasswd file, than it is to secure a database which might have more access interfaces. + + <p> + See also <A HREF="core.html#authname">AuthName</A>, + <A HREF="core.html#authtype">AuthType</A> and + <A HREF="#authgroupfile">AuthGroupFile</A>.<p> <!--#include virtual="footer.html" --> </BODY>
Modified: src CHANGES mod_auth.c mod_auth_db.c mod_auth_dbm.c Log: Add Authoritative control for authentication modules giving this same control across all supplied authentication modules. Submitted by: Dirk vanGulik Reviewed by: Chuck Murcko, Randy Terbush Revision Changes Path 1.96 +7 -0 apache/src/CHANGES Index: CHANGES =================================================================== RCS file: /export/home/cvs/apache/src/CHANGES,v retrieving revision 1.95 retrieving revision 1.96 diff -C3 -r1.95 -r1.96 *** CHANGES 1996/12/24 18:48:31 1.95 --- CHANGES 1996/12/24 19:10:28 1.96 *************** *** 1,5 **** --- 1,12 ---- Changes with Apache 1.2b3: + *) Add "Authoratative" directive for Auth modules that don't + currently have it. This gives admin control to assign authoritative + control to an authentication scheme and allow "fall through" for + those authentication modules that aren't "Authoritative" thereby + allowing multiple authentication mechanisms to be chained. + [Dirk vanGulik] + *) Remove requirement for ResourceConfig/AccessConfig if not using the three config file layout. [Randy Terbush] 1.10 +22 -1 apache/src/mod_auth.c Index: mod_auth.c =================================================================== RCS file: /export/home/cvs/apache/src/mod_auth.c,v retrieving revision 1.9 retrieving revision 1.10 diff -C3 -r1.9 -r1.10 *** mod_auth.c 1996/12/01 20:28:47 1.9 --- mod_auth.c 1996/12/24 19:10:29 1.10 *************** *** 56,61 **** --- 56,67 ---- * Rob McCool * * Adapted to Apache by rst. + * + * dirkx - Added Authoratative control to allow passing on to lower + * modules if and only if the user-id is not known to this + * module. A known user with a faulty or absent password still + * causes an AuthRequired. The default is 'Authoratative', i.e. + * no control is passed along. 
*/ #include "httpd.h" *************** *** 70,80 **** typedef struct auth_config_struct { char *auth_pwfile; char *auth_grpfile; } auth_config_rec; void *create_auth_dir_config (pool *p, char *d) { ! return pcalloc (p, sizeof(auth_config_rec)); } const char *set_auth_slot (cmd_parms *cmd, void *offset, char *f, char *t) --- 76,92 ---- typedef struct auth_config_struct { char *auth_pwfile; char *auth_grpfile; + int auth_authoritative; } auth_config_rec; void *create_auth_dir_config (pool *p, char *d) { ! auth_config_rec *sec = ! (auth_config_rec *) pcalloc (p, sizeof(auth_config_rec)); ! sec->auth_pwfile = NULL; /* just to illustrate the default really */ ! sec->auth_grpfile = NULL; /* unless you have a broken HP cc */ ! sec->auth_authoritative = 1; /* keep the fortress secure by default */ ! return sec; } const char *set_auth_slot (cmd_parms *cmd, void *offset, char *f, char *t) *************** *** 90,95 **** --- 102,111 ---- (void*)XtOffsetOf(auth_config_rec,auth_pwfile), OR_AUTHCFG, TAKE12, NULL }, { "AuthGroupFile", set_auth_slot, (void*)XtOffsetOf(auth_config_rec,auth_grpfile), OR_AUTHCFG, TAKE12, NULL }, + { "Auth_MSQL_Authoritative", set_flag_slot, + (void*)XtOffsetOf(auth_config_rec,auth_authoritative), + OR_AUTHCFG, FLAG, + "Set to 'no' to allow access control to be passed along to lower modules if the UserID is not known to this module" }, { NULL } }; *************** *** 180,185 **** --- 196,203 ---- return DECLINED; if (!(real_pw = get_pw(r, c->user, sec->auth_pwfile))) { + if (!(sec->auth_authoritative)) + return DECLINED; sprintf(errstr,"user %s not found",c->user); log_reason (errstr, r->uri, r); note_basic_auth_failure (r); *************** *** 252,257 **** --- 270,278 ---- if (!method_restricted) return OK; + + if (!(sec -> auth_authoritative)) + return DECLINED; note_basic_auth_failure (r); return AUTH_REQUIRED; 1.7 +21 -2 apache/src/mod_auth_db.c Index: mod_auth_db.c =================================================================== RCS file: 
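Review bot: The directive registered in the mod_auth.c command table is spelled `"Auth_MSQL_Authoritative"`, while the mod_auth.html change earlier on this page documents it as `AuthAuthoritative` and the sibling modules register `AuthDBAuthoratative` / `AuthDBMAuthoritative`; this looks like a leftover from a copy of the mSQL module, and with it an administrator following the manual cannot actually clear the flag for mod_auth, so the default silently stays in force. The entry should read `{ "AuthAuthoritative", set_flag_slot,`. The help string in this hunk, and in the matching command-table hunks of mod_auth_db.c and mod_auth_dbm.c, says `Set to 'no' ...`, but the directive is declared with `FLAG` and the manual text gives `on | off`; unless the FLAG parser accepts 'no' (I do not believe it does), the help text should say 'off'.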
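Review bot: The new `return DECLINED;` in the unknown-user branch of the authenticate handler bypasses `note_basic_auth_failure`, so with AuthAuthoritative off this module issues no challenge for an unknown user and leaves the decision entirely to a later module; the same holds for the added branch in the `*** 252,257 ****` hunk below and for the counterparts in mod_auth_db.c and mod_auth_dbm.c. That is the documented intent, but nothing in the code says so, and because the directive is `OR_AUTHCFG` this path becomes reachable from a per-directory .htaccess; what core does with a request that every auth module declines (I would expect it to be refused as a configuration error, but that should be confirmed rather than assumed) determines whether a misconfigured chain fails closed. I would add above the new test: `/* Not authoritative: an unknown user is handed on to the next auth module; no challenge is issued here. */`. The enclosing handler starts and ends outside the hunk.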
/export/home/cvs/apache/src/mod_auth_db.c,v retrieving revision 1.6 retrieving revision 1.7 diff -C3 -r1.6 -r1.7 *** mod_auth_db.c 1996/12/01 20:28:49 1.6 --- mod_auth_db.c 1996/12/24 19:10:29 1.7 *************** *** 72,77 **** --- 72,83 ---- * On some BSD systems (e.g. FreeBSD and NetBSD) dbm is automatically * mapped to Berkeley DB. You can use either mod_auth_dbm or * mod_auth_db. The latter makes it more obvious that it's Berkeley. + * + * dirkx - Added Authoratative control to allow passing on to lower + * modules if and only if the user-id is not known to this + * module. A known user with a faulty or absent password still + * causes an AuthRequired. The default is 'Authoratative', i.e. + * no control is passed along. */ #include "httpd.h" *************** *** 85,96 **** char *auth_dbpwfile; char *auth_dbgrpfile; ! } db_auth_config_rec; void *create_db_auth_dir_config (pool *p, char *d) { ! return pcalloc (p, sizeof(db_auth_config_rec)); } const char *set_db_slot (cmd_parms *cmd, void *offset, char *f, char *t) --- 91,107 ---- char *auth_dbpwfile; char *auth_dbgrpfile; ! int auth_dbauthoritative; } db_auth_config_rec; void *create_db_auth_dir_config (pool *p, char *d) { ! db_auth_config_rec *sec ! = (db_auth_config_rec *)pcalloc (p, sizeof(db_auth_config_rec)); ! sec->auth_dbpwfile = NULL; ! sec->auth_dbgrpfile = NULL; ! sec->auth_dbauthoritative=1; /* fortress is secure by default */ ! 
return sec; } const char *set_db_slot (cmd_parms *cmd, void *offset, char *f, char *t) *************** *** 114,119 **** --- 125,134 ---- { "AuthGroupFile", set_db_slot, (void*)XtOffsetOf(db_auth_config_rec, auth_dbgrpfile), OR_AUTHCFG, TAKE12, NULL }, + { "AuthDBAuthoratative", set_flag_slot, + (void*)XtOffsetOf(db_auth_config_rec, auth_dbauthoritative), + OR_AUTHCFG, FLAG, + "Set to 'no' to allow access control to be passed along to lower modules if the userID is not known to this module" }, { NULL } }; *************** *** 184,189 **** --- 199,206 ---- return DECLINED; if(!(real_pw = get_db_pw(r, c->user, sec->auth_dbpwfile))) { + if (!(sec -> auth_dbauthoritative)) + return DECLINED; sprintf(errstr,"DB user %s not found", c->user); log_reason (errstr, r->filename, r); note_basic_auth_failure (r); *************** *** 234,239 **** --- 251,258 ---- char *v; if (!(groups = get_db_grp(r, user, sec->auth_dbgrpfile))) { + if (!(sec->auth_dbauthoritative)) + return DECLINED: sprintf(errstr,"user %s not in DB group file %s", user, sec->auth_dbgrpfile); log_reason (errstr, r->filename, r); 1.11 +22 -1 apache/src/mod_auth_dbm.c Index: mod_auth_dbm.c =================================================================== RCS file: /export/home/cvs/apache/src/mod_auth_dbm.c,v retrieving revision 1.10 retrieving revision 1.11 diff -C3 -r1.10 -r1.11 *** mod_auth_dbm.c 1996/12/01 20:28:51 1.10 --- mod_auth_dbm.c 1996/12/24 19:10:30 1.11 *************** *** 56,61 **** --- 56,67 ---- * Rob McCool & Brian Behlendorf. * * Adapted to Apache by rst. + * + * dirkx - Added Authoratative control to allow passing on to lower + * modules if and only if the user-id is not known to this + * module. A known user with a faulty or absent password still + * causes an AuthRequired. The default is 'Authoratative', i.e. + * no control is passed along. 
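Review bot: The directive name in the mod_auth_db.c command table is spelled `"AuthDBAuthoratative"`, while the mod_auth_db.html change on this page documents `AuthDBAuthoritative` and the dbm module registers `AuthDBMAuthoritative`; a configuration that follows the manual will, as far as I can tell, be rejected as an unknown directive (at startup in the server config, at request time in .htaccess), and the flag can never be cleared through the documented name. The line should become `{ "AuthDBAuthoritative", set_flag_slot,`. The CHANGES entry in this commit carries the same misspelling.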
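Review bot: The added line in the group-lookup branch of mod_auth_db.c reads `return DECLINED:` with a colon where a semicolon is needed, which is a syntax error and will stop the module from compiling. It should be `return DECLINED;`, matching the same branch added to mod_auth_dbm.c. The enclosing access-check function starts and ends outside the hunk.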
*/ #include "httpd.h" *************** *** 69,80 **** char *auth_dbmpwfile; char *auth_dbmgrpfile; } dbm_auth_config_rec; void *create_dbm_auth_dir_config (pool *p, char *d) { ! return pcalloc (p, sizeof(dbm_auth_config_rec)); } const char *set_dbm_slot (cmd_parms *cmd, void *offset, char *f, char *t) --- 75,94 ---- char *auth_dbmpwfile; char *auth_dbmgrpfile; + int auth_dbmauthoritative; } dbm_auth_config_rec; void *create_dbm_auth_dir_config (pool *p, char *d) { ! dbm_auth_config_rec *sec ! = (dbm_auth_config_rec *)pcalloc (p, sizeof(dbm_auth_config_rec)); ! ! sec->auth_dbmpwfile = NULL; ! sec->auth_dbmgrpfile = NULL; ! sec->auth_dbmauthoritative = 1; /* fortress is secure by default */ ! ! return sec; } const char *set_dbm_slot (cmd_parms *cmd, void *offset, char *f, char *t) *************** *** 98,103 **** --- 112,120 ---- { "AuthGroupFile", set_dbm_slot, (void*)XtOffsetOf(dbm_auth_config_rec, auth_dbmgrpfile), OR_AUTHCFG, TAKE12, NULL }, + { "AuthDBMAuthoritative", set_flag_slot, + (void*)XtOffsetOf(dbm_auth_config_rec, auth_dbmauthoritative), + OR_AUTHCFG, FLAG, "Set to 'no' to allow access control to be passed along to lower modules, if the UserID is not known in this module" }, { NULL } }; *************** *** 170,175 **** --- 187,194 ---- return DECLINED; if(!(real_pw = get_dbm_pw(r, c->user, sec->auth_dbmpwfile))) { + if (!(sec->auth_dbmauthoritative)) + return DECLINED; sprintf(errstr,"DBM user %s not found", c->user); log_reason (errstr, r->filename, r); note_basic_auth_failure (r); *************** *** 220,225 **** --- 239,246 ---- char *v; if (!(groups = get_dbm_grp(r, user, sec->auth_dbmgrpfile))) { + if (!(sec->auth_dbmauthoritative)) + return DECLINED; sprintf(errstr,"user %s not in DBM group file %s", user, sec->auth_dbmgrpfile); log_reason (errstr, r->filename, r);