Please excuse the verbosity...

Request: mod_auth augmentation
Apache Version: 1.3.22 (changes can be made to other revs too)
Files affected: src/modules/standard/mod_auth.c
Structures affected: auth_config_struct
Routines affected: groups_for_user(), check_user_access(), create_auth_dir_config()
Flags added: AuthForceGroup (boolean)
Security: Normal if the flag is not specified; tightens 'valid-user' if specified.
Description

I would like to propose an augmentation to the mod_auth.c module. It would help restrict what a 'valid-user' user is allowed when a group file is specified. The design would let higher-level, non-authoritative modules use 'valid-user' more easily when they authenticate against a broad authentication service and want a local group file to refine control. Of key note would be services which auto-generate access control files.

Details

The need for this augmentation stems from the FrontPage module (yes, I use it...sad) coupled with the auth_ldap module to provide LDAP authentication of users in FrontPage. While the need originated from this arrangement, I believe it can serve a useful purpose whenever you authenticate through a higher-level module and pass group authentication down to mod_auth. A key reason for this arrangement would be if you use a company-provided authentication scheme (like LDAP) but cannot create or control groups. An easy method of control would be to use LDAP for user authentication and then pass group authentication down to mod_auth, using group files which you can control.

The normal FrontPage module builds .htaccess files with mod_auth-based authentication, generating one or more sets of password and group files for the web and subwebs. In the group file, it provides separate groups for the different classifications of users, such as editors and administrators. When coupled with the auth_ldap module from rudedog.org, you can manipulate the generated .htaccess files so that authentication of users is done against an LDAP database. Part of the implementation is to make the LDAP module 'non-authoritative' so group access control is passed down to mod_auth, using the generated group files from FrontPage.

The problem arises when you want to prevent a web site from being browsable by general users. FrontPage provides this protection by setting the .htaccess file to allow access to 'valid-user'.
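As an added illustration (not code from this post or from mod_auth.c), here is a small stand-alone C model of the decision the AuthForceGroup flag is about: it reads a constructed AuthGroupFile-style text, collects the groups a user appears in, and evaluates a single 'require' line with the flag off and on. The return-code values, the group-file contents, the user names, and the one-require-line simplification (no method masks, no multiple require lines) are this example's own assumptions, not mod_auth's.

```c
#include <stdio.h>
#include <string.h>

/* Return codes in the spirit of the Apache 1.3 ones (values are this example's own). */
#define OK 0
#define DECLINED -1
#define HTTP_UNAUTHORIZED 401

#define MAX_GROUPS 16
#define MAX_LINE 256

/* Constructed group file in AuthGroupFile syntax ("group: user user ...").
 * Stands in for a file FrontPage would generate; it is not a real file. */
static const char *const SAMPLE_GROUP_FILE =
    "# editors and administrators of this web (constructed sample)\n"
    "editors: alice bob\n"
    "administrators: carol\n";

/* Model of groups_for_user(): collect the names of the groups that list
 * 'user'. Returns the number of groups found (0 = user is in no group). */
static int groups_for_user(const char *grpfile, const char *user,
                           char groups[MAX_GROUPS][MAX_LINE])
{
    int ngroups = 0;
    const char *p = grpfile;
    char buf[MAX_LINE];

    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char *colon, *tok;

        if (len >= sizeof buf)
            len = sizeof buf - 1;            /* clip over-long lines */
        memcpy(buf, p, len);
        buf[len] = '\0';
        p = nl ? nl + 1 : p + strlen(p);

        if (buf[0] == '#' || buf[0] == '\0')
            continue;                        /* comment or blank line */
        colon = strchr(buf, ':');
        if (!colon)
            continue;                        /* malformed line */
        *colon = '\0';                       /* buf now holds the group name */
        for (tok = strtok(colon + 1, " \t"); tok; tok = strtok(NULL, " \t")) {
            if (strcmp(tok, user) == 0 && ngroups < MAX_GROUPS) {
                strcpy(groups[ngroups++], buf);
                break;
            }
        }
    }
    return ngroups;
}

/* Model of check_user_access() for one "require" line, including the
 * proposed AuthForceGroup branch. ngroups < 0 means no group file is
 * configured (grpstatus == NULL in the module). */
static int check_user_access(const char *require, const char *user,
                             int force_group, int ngroups,
                             char groups[MAX_GROUPS][MAX_LINE],
                             int authoritative)
{
    char line[MAX_LINE];
    char *w;
    int i;

    strncpy(line, require, sizeof line - 1);
    line[sizeof line - 1] = '\0';
    w = strtok(line, " ");
    if (w == NULL)
        return OK;                           /* nothing required */

    if (strcmp(w, "valid-user") == 0) {
        /* Before the patch: return OK unconditionally. With AuthForceGroup
         * on and a group file configured, the user must appear in at least
         * one group; otherwise fall through to the failure handling below. */
        if (!(force_group && ngroups >= 0) || ngroups > 0)
            return OK;
    } else if (strcmp(w, "user") == 0) {
        while ((w = strtok(NULL, " ")) != NULL)
            if (strcmp(w, user) == 0)
                return OK;
    } else if (strcmp(w, "group") == 0) {
        if (ngroups < 0)
            return DECLINED;                 /* no group file: let another module decide */
        while ((w = strtok(NULL, " ")) != NULL)
            for (i = 0; i < ngroups; i++)
                if (strcmp(w, groups[i]) == 0)
                    return OK;
    }

    /* Requirement not met: an authoritative module rejects, others decline. */
    return authoritative ? HTTP_UNAUTHORIZED : DECLINED;
}

/* Wire it together: grpfile == NULL models "no AuthGroupFile configured". */
static int decide(const char *require, const char *user, const char *grpfile,
                  int force_group, int authoritative)
{
    char groups[MAX_GROUPS][MAX_LINE];
    int ngroups = grpfile ? groups_for_user(grpfile, user, groups) : -1;
    return check_user_access(require, user, force_group, ngroups, groups,
                             authoritative);
}

int main(void)
{
    printf("valid-user, dave, flag off : %d\n",
           decide("valid-user", "dave", SAMPLE_GROUP_FILE, 0, 1));   /* 0 */
    printf("valid-user, dave, flag on  : %d\n",
           decide("valid-user", "dave", SAMPLE_GROUP_FILE, 1, 1));   /* 401 */
    printf("valid-user, alice, flag on : %d\n",
           decide("valid-user", "alice", SAMPLE_GROUP_FILE, 1, 1));  /* 0 */
    return 0;
}
```

The point to take from it: with the flag off, 'dave' (authenticated upstream, say by LDAP, but listed in no group) passes 'valid-user'; with the flag on he does not, while 'alice' still does, and when no AuthGroupFile is configured the flag leaves 'valid-user' unchanged.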
In the normal scheme, this means the user must exist in the user file. When you use a higher-level authentication such as LDAP, a large user base can authenticate, even though the intent is to only allow users within the group list. Yeah, it is more of a FrontPage issue (they should use a 'require group' with their group lists).

The proposal would add a new flag to the mod_auth module. It would indicate that if the user is 'valid-user' and a group file is specified, then the user must be a member of at least one of the groups in the group file. This change only tightens security, as it further restricts 'valid-user' and only does so when the new flag is set.

Changes

mod_auth.c would require the following changes, I believe... Sorry it is in generic-o diff format. I can re-post it in a better form if there is any merit to this alteration.

diff mod_auth.c mod_auth_proposed.c 70a71,75 > * smackay/2002 - Added adjustment to keyword control. > * new key AuthForceGroup : valid-user must belong in a group, if a group > * file is specified. This allows higher modules who are not > * authoritative and use 'valid-user' to consult the AuthGroupFile. > * The only exception is if there are no requires. 82a88 > int auth_forcegroup; /* requires user to be in a group for 'valid-user' */ 91a98 > sec->auth_forcegroup = 0; /* smackay : normal valid-user by default */ 102a110 > /* smackay : Added AuthForceGroup : requires user to be in a group */ 115a124,128 > {"AuthForceGroup", ap_set_flag_slot, > (void *) XtOffsetOf(auth_config_rec, auth_forcegroup), > OR_AUTHCFG, FLAG, > "Set to 'on' to force a 'valid-user' user to exist in the " > "group file, if specified. If no group file is specified, this has no effect."}, 153a167 > char in_group; /* Indicator if we are defined in at least 1 group */ 154a169,170 > in_group=0; /* smackay : Set to false by default */ > 174a191 > in_group=1; 180a198,201 > /* If we are not in at least 1 group, return a NULL. */ > if (! 
in_group) > return NULL; > 274c295,300 < return OK; --- > if (sec->auth_forcegroup && sec->auth_grpfile) { > if (grpstatus) > return OK; > } else { > return OK; > }
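Review bot: the new command_rec entry at 115a124,128 is the only description of AuthForceGroup in the patch; the directive also needs an entry in the mod_auth documentation stating its context (OR_AUTHCFG, so it is settable from .htaccess, which matters for generated FrontPage files), its default of off, and that it only changes the 'valid-user' case and only when AuthGroupFile is set.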
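Review bot: the `if (! in_group) return NULL;` added to groups_for_user() at 180a198,201 is not gated on auth_forcegroup, so it changes behaviour even when the flag is off: as far as I can see the only other NULL return from groups_for_user() is the group-file-open failure, and the 'require group' path in check_user_access() treats a NULL grpstatus as "no usable group file" rather than "user in no group". Suggest keeping groups_for_user() returning the (possibly empty) table and deciding membership in check_user_access(), e.g. with ap_is_empty_table(grpstatus), so the two cases stay distinguishable and the existing 'require group' path is untouched.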
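Review bot: in the 'valid-user' branch at 274c295,300, when auth_forcegroup is on and grpstatus is NULL the code falls through without any log message, so an administrator cannot tell an unreadable AuthGroupFile from a user who is simply in no group; suggest an ap_log_rerror() at APLOG_ERR naming the group file before falling through. The two arms can also be collapsed to one test, e.g. `if (!(sec->auth_forcegroup && sec->auth_grpfile) || grpstatus) return OK;`, which reads as the single exception it is.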