William A. Rowe, Jr. wrote:
I've been working with the 2.4 authn/z stuff a bit lately and
what I keep tripping over is that the default authorization merge rule
uses OR logic. For example, if I enable mod_access_compat and
put in a traditional:
I wonder if anyone would offer a fastfeather talk next week on Wednesday or
Thursday - it's only 15 minutes - to introduce what's upcoming in 2.4?
I won't be there, but here's a recap of the issue for discussion.
(Caveat: I may be missing something important!)
With 2.2 and prior versions, one can do something like:
<Directory /htdocs>
Require valid-user
</Directory>
<Directory /htdocs/admin>
Require user admin
</Directory>
The logic which is then applied is:
1) For all requests under /htdocs, except those under /htdocs/admin,
require any valid user.
2) For all requests under /htdocs/admin, require the "admin" user.
With 2.4, unless I'm missing something, the same configuration
produces the logic:
1) For all requests under /htdocs, except those under /htdocs/admin,
require any valid user.
2) For all requests under /htdocs/admin, require any valid user OR
require the user "admin". Of course this grants any valid user access.
To get the old behaviour, you seem to need to add
"AuthzMergeRules Off" to the second <Directory>. I just tested
versions of this configuration with 2.2 and 2.4 and I think I'm
describing the situation correctly. Assuming I am, I fear this
will surprise a lot of people who think they've secured their
systems after upgrading. It certainly caught me short.
Perhaps the default AuthzMergeRules setting should be Off rather
than On, at least when merging across configuration blocks?
Chris.
--
GPG Key ID: 366A375B
GPG Key Fingerprint: 485E 5041 17E1 E2BB C263 E4DE C8E3 FA36 366A 375B
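For reference, the two-block configuration from the message above written out in full, as an added illustration that is not part of the thread. It uses the directive names of the released 2.4 series, where the pre-release `AuthzMergeRules` directive discussed here was replaced by `AuthMerging` (default `Off`) and the `<RequireAll>`/`<RequireAny>`/`<RequireNone>` containers; the `AuthType`/`AuthUserFile` lines and the `/etc/httpd/htpasswd` path are assumed placeholders so that the fragment is loadable.

```apache
# Added example (not from the thread). Placeholder Basic-auth setup so the
# Require lines below can actually be evaluated; the htpasswd path is assumed.
<Directory /htdocs>
    AuthType Basic
    AuthName "Restricted"
    AuthBasicProvider file
    AuthUserFile /etc/httpd/htpasswd
    Require valid-user
</Directory>

<Directory /htdocs/admin>
    # Released 2.4 spelling of the "AuthzMergeRules Off" workaround in the
    # message: this section's Require replaces the parent's instead of being
    # OR-ed with it. Off is the 2.4 default, so the line is explicit insurance.
    #   AuthMerging Off  -> only "user admin" applies here
    #   AuthMerging And  -> (valid-user AND user admin), i.e. also only admin
    #   AuthMerging Or   -> (valid-user OR user admin), the surprise described above
    AuthMerging Off
    Require user admin
</Directory>
```

After a restart, check the result rather than trusting the config: a request to /admin/ with a valid non-admin user (for example `curl -u bob:secret http://host/admin/`, placeholder credentials) must not return 200, while the same request as `admin` must.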