+++ /dev/null
-v1.0.2 (Jan Wolter - not yet released)
-------------------------------------
- * Adding copyright and Apache Version 2.0 license
-
-v1.0.1 (Jan Wolter - Aug 6, 2008)
-------------------------------------
- * Delete various logging statements that were really just there for
- debugging and should have been removed sooner.
-
- * If there is an '@' in the user's login name, strip off that and anything
- after it. An '@' sign is never legal in an unix login name, and some
- authentication modules, like mod_auth_kerb, append an "@domain" to the
- user's login name.
-
- Both of the above modifications are inspired by patches made by Ken Lalonde
- <ken at globalremit dot com>.
-
- * Included "http_request.h" header file to surpress a harmless compile-time
- warning.
-
-v1.0.0 (Jan Wolter - Feb 19, 2006)
-------------------------------------
- * Original release
+++ /dev/null
-How to install mod_authz_unixgroup.c into Apache:
-
-NOTES:
-
- * There are two ways of installing mod_authz_unixgroup.
-
- (1) You can statically link it with Apache. This requires rebuilding
- Apache in such a way that mod_authz_unixgroup will be compiled in.
-
- (2) You can make mod_authz_unixgroup a dynamically loaded module. If
- your Apache has been built to support dynamically loaded modules
- you can do this without rebuilding Apache, so it is pretty easy.
- Performance may be slightly worse with this option. For information
- on dynamically loaded modules see http://www.apache.org/docs/dso.html
-
- Instructions for both options are given here.
-
- * There is also documentation in the README file. If you find this document
- unclear, reading that may help.
-
-
-INSTALL METHOD A: Dynamically Linking Mod_authz_unixgroup using apxs:
----------------------------------------------------------------------
-
-Step 1:
- Ensure that your Apache server is configured to handle dynamically
- loaded modules. To check this, run Apache server with the -l command
- flag, like
-
- httpd -l
-
- If mod_so.c is one of the compiled-in modules, then you are ready
- to go.
-
-Step 2:
- Compile the module using the following command in the
- mod_authz_unixgroup distribution directory:
-
- apxs -c mod_authz_unixgroup.c
-
- 'Apxs' is the Apache extension tool. It is part of the standard
- Apache installation. If you don't have it, then your Apache server
- is probably not set up for handling dynamically loaded modules.
- This should create a file named 'mod_authz_unixgroup.so'.
-
-Step 3:
- Install the module. Apxs can do this for you too. Do the following
- command (as root so you can write to Apache's directories and config
- files):
-
- apxs -i -a mod_authz_unixgroup.la
-
- This will create mod_authz_unixgroup.so and copy it into the proper
- place, and add appropriate AddModule and LoadModule commands to the
- configuration files. (Actually, it may get the LoadModule command
- wrong. See below.)
-
-Step 4:
- Go to the CONFIGURATION instructions below.
-
-
-INSTALL METHOD B: Statically Linking
-------------------------------------
-
-Step 1:
- Read the instructions on how to configure the Apache server in the
- INSTALL file provided with the Apache source.
-
-Step 2:
- When you run the ./configure script, include an --with-module flag,
- giving the full pathname to the mod_authz_unixgroup.c file in this
- distribution. For example, if you have unpacked this distribution
- in /usr/local/src/mod_authz_unixgroup and are building Apache for
- installation in /usr/local/apache, you might do:
-
- ./configure --prefix=/usr/local/apache \
- --with-module=aaa:/usr/local/src/mod_authz_unixgroup/mod_authz_unixgroup.c
-
- This will copy the mod_authz_unixgroup.c file into the correct place in
- the Apache source tree and set things up to link it in.
-
-Step 3:
- Type "make" to compile Apache and "make install" to install it.
-
-Step 4:
- Go to the CONFIGURATION instructions below.
-
-
-CONFIGURATION:
---------------
-
-Mod_authz_unixgroup is pretty simple to use. First, you need to enable it
-for whatever directory you want to use it in, by inserting the following
-directive either in a .htaccess file in the directory or a <Directory> block
-in the httpd.conf file:
-
- AuthzUnixgroup on
-
-Second, you will need a require directive like
-
- Require group admin
-or
- Require group students teachers staff
-
-Obviously this only makes sense in a directory where you are doing
-authentication. This could be any kind of authentication, but it makes
-most sense if you are using it in combination with authentication out of
-the unix password file, perhaps using mod_auth_external together with
-pwauth, or mod_auth_shadow. The "Require group" directive will then
-cause mod_authz_unixgroup to check if the user is in one of the groups
-listed, and reject the authentication if they are not. A user is considered
-to be in a group if either (1) the group is the user's primary group
-identified by it's gid number in /etc/passwd, or (2) the group is listed
-in /etc/group and the user id is listed as a member of that group.
-
-If you are authenticating out of something other than the unix password
-database, then this can be used, but the effect is a bit odd. To pass
-the "Require group" test, there must (1) exist a unix account with the same
-name as the account the user authenticated in, and (2) that unix account must
-be in one of the unix groups listed on the Require line.
-
-It is also possible to list groups by gid number instead of name, like
-
- Require group 10
-
-would be equivalent to "Require group admin" if the gid listed for the group
-admin in /etc/group is 10.
-
-If mod_authz_owner is enabled in your httpd, then that will work with
-mod_authz_unixgroup to check access based on file groups. For example if
-we do:
-
- AuthzUnixgroup on
- Require file-group
-
-Then a user will be able to access a file if and only if that file is owned
-by a group of which the user is a member.
-
-By default, mod_authz_unixgroup is authoritative. If you want to use more
-than one group checker, like mod_authz_unixgroup together with
-mod_authz_groupfile or mod_authz_dbm, then you'll want to make them non-
-authoritative, so that if one fails, the other will be tried. You can
-make mod_authz_unixgroup non-authoritative by saying:
-
- AuthzUnixgroupAuthoritative off
+++ /dev/null
-
- Apache License
- Version 2.0, January 2004
- http://www.apache.org/licenses/
-
- TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
- 1. Definitions.
-
- "License" shall mean the terms and conditions for use, reproduction,
- and distribution as defined by Sections 1 through 9 of this document.
-
- "Licensor" shall mean the copyright owner or entity authorized by
- the copyright owner that is granting the License.
-
- "Legal Entity" shall mean the union of the acting entity and all
- other entities that control, are controlled by, or are under common
- control with that entity. For the purposes of this definition,
- "control" means (i) the power, direct or indirect, to cause the
- direction or management of such entity, whether by contract or
- otherwise, or (ii) ownership of fifty percent (50%) or more of the
- outstanding shares, or (iii) beneficial ownership of such entity.
-
- "You" (or "Your") shall mean an individual or Legal Entity
- exercising permissions granted by this License.
-
- "Source" form shall mean the preferred form for making modifications,
- including but not limited to software source code, documentation
- source, and configuration files.
-
- "Object" form shall mean any form resulting from mechanical
- transformation or translation of a Source form, including but
- not limited to compiled object code, generated documentation,
- and conversions to other media types.
-
- "Work" shall mean the work of authorship, whether in Source or
- Object form, made available under the License, as indicated by a
- copyright notice that is included in or attached to the work
- (an example is provided in the Appendix below).
-
- "Derivative Works" shall mean any work, whether in Source or Object
- form, that is based on (or derived from) the Work and for which the
- editorial revisions, annotations, elaborations, or other modifications
- represent, as a whole, an original work of authorship. For the purposes
- of this License, Derivative Works shall not include works that remain
- separable from, or merely link (or bind by name) to the interfaces of,
- the Work and Derivative Works thereof.
-
- "Contribution" shall mean any work of authorship, including
- the original version of the Work and any modifications or additions
- to that Work or Derivative Works thereof, that is intentionally
- submitted to Licensor for inclusion in the Work by the copyright owner
- or by an individual or Legal Entity authorized to submit on behalf of
- the copyright owner. For the purposes of this definition, "submitted"
- means any form of electronic, verbal, or written communication sent
- to the Licensor or its representatives, including but not limited to
- communication on electronic mailing lists, source code control systems,
- and issue tracking systems that are managed by, or on behalf of, the
- Licensor for the purpose of discussing and improving the Work, but
- excluding communication that is conspicuously marked or otherwise
- designated in writing by the copyright owner as "Not a Contribution."
-
- "Contributor" shall mean Licensor and any individual or Legal Entity
- on behalf of whom a Contribution has been received by Licensor and
- subsequently incorporated within the Work.
-
- 2. Grant of Copyright License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- copyright license to reproduce, prepare Derivative Works of,
- publicly display, publicly perform, sublicense, and distribute the
- Work and such Derivative Works in Source or Object form.
-
- 3. Grant of Patent License. Subject to the terms and conditions of
- this License, each Contributor hereby grants to You a perpetual,
- worldwide, non-exclusive, no-charge, royalty-free, irrevocable
- (except as stated in this section) patent license to make, have made,
- use, offer to sell, sell, import, and otherwise transfer the Work,
- where such license applies only to those patent claims licensable
- by such Contributor that are necessarily infringed by their
- Contribution(s) alone or by combination of their Contribution(s)
- with the Work to which such Contribution(s) was submitted. If You
- institute patent litigation against any entity (including a
- cross-claim or counterclaim in a lawsuit) alleging that the Work
- or a Contribution incorporated within the Work constitutes direct
- or contributory patent infringement, then any patent licenses
- granted to You under this License for that Work shall terminate
- as of the date such litigation is filed.
-
- 4. Redistribution. You may reproduce and distribute copies of the
- Work or Derivative Works thereof in any medium, with or without
- modifications, and in Source or Object form, provided that You
- meet the following conditions:
-
- (a) You must give any other recipients of the Work or
- Derivative Works a copy of this License; and
-
- (b) You must cause any modified files to carry prominent notices
- stating that You changed the files; and
-
- (c) You must retain, in the Source form of any Derivative Works
- that You distribute, all copyright, patent, trademark, and
- attribution notices from the Source form of the Work,
- excluding those notices that do not pertain to any part of
- the Derivative Works; and
-
- (d) If the Work includes a "NOTICE" text file as part of its
- distribution, then any Derivative Works that You distribute must
- include a readable copy of the attribution notices contained
- within such NOTICE file, excluding those notices that do not
- pertain to any part of the Derivative Works, in at least one
- of the following places: within a NOTICE text file distributed
- as part of the Derivative Works; within the Source form or
- documentation, if provided along with the Derivative Works; or,
- within a display generated by the Derivative Works, if and
- wherever such third-party notices normally appear. The contents
- of the NOTICE file are for informational purposes only and
- do not modify the License. You may add Your own attribution
- notices within Derivative Works that You distribute, alongside
- or as an addendum to the NOTICE text from the Work, provided
- that such additional attribution notices cannot be construed
- as modifying the License.
-
- You may add Your own copyright statement to Your modifications and
- may provide additional or different license terms and conditions
- for use, reproduction, or distribution of Your modifications, or
- for any such Derivative Works as a whole, provided Your use,
- reproduction, and distribution of the Work otherwise complies with
- the conditions stated in this License.
-
- 5. Submission of Contributions. Unless You explicitly state otherwise,
- any Contribution intentionally submitted for inclusion in the Work
- by You to the Licensor shall be under the terms and conditions of
- this License, without any additional terms or conditions.
- Notwithstanding the above, nothing herein shall supersede or modify
- the terms of any separate license agreement you may have executed
- with Licensor regarding such Contributions.
-
- 6. Trademarks. This License does not grant permission to use the trade
- names, trademarks, service marks, or product names of the Licensor,
- except as required for reasonable and customary use in describing the
- origin of the Work and reproducing the content of the NOTICE file.
-
- 7. Disclaimer of Warranty. Unless required by applicable law or
- agreed to in writing, Licensor provides the Work (and each
- Contributor provides its Contributions) on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
- implied, including, without limitation, any warranties or conditions
- of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
- PARTICULAR PURPOSE. You are solely responsible for determining the
- appropriateness of using or redistributing the Work and assume any
- risks associated with Your exercise of permissions under this License.
-
- 8. Limitation of Liability. In no event and under no legal theory,
- whether in tort (including negligence), contract, or otherwise,
- unless required by applicable law (such as deliberate and grossly
- negligent acts) or agreed to in writing, shall any Contributor be
- liable to You for damages, including any direct, indirect, special,
- incidental, or consequential damages of any character arising as a
- result of this License or out of the use or inability to use the
- Work (including but not limited to damages for loss of goodwill,
- work stoppage, computer failure or malfunction, or any and all
- other commercial damages or losses), even if such Contributor
- has been advised of the possibility of such damages.
-
- 9. Accepting Warranty or Additional Liability. While redistributing
- the Work or Derivative Works thereof, You may choose to offer,
- and charge a fee for, acceptance of support, warranty, indemnity,
- or other liability obligations and/or rights consistent with this
- License. However, in accepting such obligations, You may act only
- on Your own behalf and on Your sole responsibility, not on behalf
- of any other Contributor, and only if You agree to indemnify,
- defend, and hold each Contributor harmless for any liability
- incurred by, or claims asserted against, such Contributor by reason
- of your accepting any such warranty or additional liability.
-
- END OF TERMS AND CONDITIONS
-
- APPENDIX: How to apply the Apache License to your work.
-
- To apply the Apache License to your work, attach the following
- boilerplate notice, with the fields enclosed by brackets "[]"
- replaced with your own identifying information. (Don't include
- the brackets!) The text should be enclosed in the appropriate
- comment syntax for the file format. We also recommend that a
- file or class name and description of purpose be included on the
- same "printed page" as the copyright notice for easier
- identification within third-party archives.
-
- Copyright [yyyy] [name of copyright owner]
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
+++ /dev/null
-Mod_authz_unixgroup
-
- Copyright 2008 Jan Wolter
-
- This product includes software developed by Jan Wolter.
-
- This product includes software developed at
- The Apache Software Foundation (http://www.apache.org/).
+++ /dev/null
- Mod_Authz_Unixgroup version 1.0.1
-
- Author: Jan Wolter
- Website: http://www.unixpapa.com/mod_authz_unixgroup/
- Requires: Apache 2.1 or later on a Unix server
-
-Mod_Authz_Unixgroup is a unix group access control modules for Apache 2.1 and
-later. If you are having users authenticate with real Unix login ID over the
-net, using something like my mod_authnz_external/pwauth combination, and you
-want to do access control based on unix group membership, then
-mod_authz_unixgroup is exactly what you need.
-
-Let's say that you were using this with mod_authnz_external and pwauth. Your
-.htaccess file for a protected directory would probably start with the
-following directives:
-
- AuthType Basic
- AuthName mysite
- AuthBasicProvider external
- AuthExternal pwauth
-
-That would cause mod_auth_basic and mod_authnz_external to do authentication
-based on the Unix passwd database. Mod_Authz_Unixgroup would come into play
-if you wanted to further restrict access to specific Unix groups. You might
-append the following directives:
-
- AuthzUnixgroup on
- Require group staff admin
-
-This would allow only access to accounts in the 'staff' or 'admin' unix groups.
-You can alternately specify groups by their gid numbers instead of their names.
-
-Or you could use mod_authz_unixgroup together with the standard apache module
-mod_authz_owner to do something like:
-
- Require file-group
-
-This would allow access to the page, only the user was a member of the unix
-group that owns the file.
-
-Though it makes the most sense to use this with unix passwd authentication,
-it can be used with other databases. In that case it would grant access if,
-(1) the name the user authenticated with exactly matched the name of a real
-unix account on the server, and (2) that real unix account was in one of the
-required groups. However, I think this would be a pretty senseless way to
-use this module. I expect that it will really only be used by user of
-mod_authnz_external/pwauth.
-
-Some authentication modules, like mod_auth_kerb, use usernames that have
-domains appended to them, like "whomever@krb.ncsu.edu". In such cases,
-mod_authz_unixgroup will take the part before the @-sign as the username
-and ignore the rest.
-
-Mod_authnz_external is available from:
- http://www.unixpapa.com/mod_auth_external/
-
-Pwauth is available from:
- http://www.unixpapa.com/pwauth/
-
-It might also be possible to use this with mod_auth_shadow, expecially if a
-authn/authz version of that is ever released.
+++ /dev/null
-/* Copyright 2008 Jan Wolter - See LICENSE and NOTICE */
-
-#include "apr_lib.h"
-
-#include "ap_config.h"
-#include "ap_provider.h"
-#include "mod_auth.h"
-
-#define APR_WANT_STRFUNC
-#include "apr_want.h"
-#include "apr_strings.h"
-
-#include "httpd.h"
-#include "http_config.h"
-#include "http_core.h"
-#include "http_log.h"
-#include "http_protocol.h"
-#include "http_request.h" /* for ap_hook_(check_user_id | auth_checker)*/
-#if HAVE_PWD_H
-#include <pwd.h>
-#endif
-#if HAVE_GRP_H
-#include <grp.h>
-#endif
-#if APR_HAVE_UNISTD_H
-#include <unistd.h>
-#endif
-
-/*
- * Structure for the module itself. The actual definition of this structure
- * is at the end of the file.
- */
-module AP_MODULE_DECLARE_DATA authz_unixgroup_module;
-
-/*
- * Data type for per-directory configuration
- */
-
-typedef struct
-{
- int enabled;
- int authoritative;
-
-} authz_unixgroup_dir_config_rec;
-
-
-/*
- * Creator for per-dir configurations. This is called via the hook in the
- * module declaration to allocate and initialize the per-directory
- * configuration data structures declared above.
- */
-
-static void *create_authz_unixgroup_dir_config(apr_pool_t *p, char *d)
-{
- authz_unixgroup_dir_config_rec *dir= (authz_unixgroup_dir_config_rec *)
- apr_palloc(p, sizeof(authz_unixgroup_dir_config_rec));
-
- dir->enabled= 0;
- dir->authoritative= 1; /* strong by default */
-
- return dir;
-}
-
-
-/*
- * Config file commands that this module can handle
- */
-
-static const command_rec authz_unixgroup_cmds[] =
-{
- AP_INIT_FLAG("AuthzUnixgroup",
- ap_set_flag_slot,
- (void *)APR_OFFSETOF(authz_unixgroup_dir_config_rec, enabled),
- OR_AUTHCFG,
- "Set to 'on' to enable unix group checking"),
-
- AP_INIT_FLAG("AuthzUnixgroupAuthoritative",
- ap_set_flag_slot,
- (void *)APR_OFFSETOF(authz_unixgroup_dir_config_rec, authoritative),
- OR_AUTHCFG,
- "Set to 'off' to allow access control to be passed along to lower "
- "modules if this module can't confirm access rights" ),
-
- { NULL }
-};
-
-
-/* Check if the named user is in the given list of groups. The list of
- * groups is a string with groups separated by white space. Group ids
- * can either be unix group names or numeric group id numbers. There must
- * be a unix login corresponding to the named user.
- */
-
-static int check_unix_group(request_rec *r, const char *grouplist)
-{
- char **p;
- struct group *grp;
- char *user= r->user;
- char *w, *at;
-
- /* Strip @ sign and anything following it from the username. Some
- * authentication modules, like mod_auth_kerb like appending such
- * stuff to user names, but an @ sign is never legal in a unix login
- * name, so it should be safe to always discard such stuff.
- */
- if ((at= strchr(user, '@')) != NULL) *at= '\0';
-
- /* Get info about login */
- struct passwd *pwd= getpwnam(user);
- if (pwd == NULL)
- {
- /* No such user - forget it */
- if (at != NULL) *at= '@';
- return 0;
- }
-
- /* Loop through list of groups passed in */
- while (*grouplist != '\0')
- {
- w= ap_getword_white(r->pool, &grouplist);
- if (apr_isdigit(w[0]))
- {
- /* Numeric group id */
- int gid= atoi(w);
-
- /* Check if it matches the user's primary group */
- if (gid == pwd->pw_gid)
- {
- if (at != NULL) *at= '@';
- return 1;
- }
-
- /* Get list of group members for numeric group id */
- grp= getgrgid(gid);
- }
- else
- {
- /* Get gid and list of group members for group name */
- grp= getgrnam(w);
- /* Check if gid of this group matches user's primary gid */
- if (grp != NULL && grp->gr_gid == pwd->pw_gid)
- {
- if (at != NULL) *at= '@';
- return 1;
- }
- }
-
- /* Walk through list of members, seeing if any match user login */
- if (grp != NULL)
- for (p= grp->gr_mem; *p != NULL; p++)
- {
- if (!strcmp(user, *p))
- {
- if (at != NULL) *at= '@';
- return 1;
- }
- }
- }
-
- /* Didn't find any matches, flunk him */
- if (at != NULL) *at= '@';
- return 0;
-}
-
-
-static int authz_unixgroup_check_user_access(request_rec *r)
-{
- authz_unixgroup_dir_config_rec *dir= (authz_unixgroup_dir_config_rec *)
- ap_get_module_config(r->per_dir_config, &authz_unixgroup_module);
-
- int m= r->method_number;
- int required_group= 0;
- register int x;
- const char *t, *w;
- const apr_array_header_t *reqs_arr= ap_requires(r);
- const char *filegroup= NULL;
- require_line *reqs;
-
- /* If not enabled, pass */
- if ( !dir->enabled ) return DECLINED;
-
- /* If there are no Require arguments, pass */
- if (!reqs_arr) return DECLINED;
- reqs= (require_line *)reqs_arr->elts;
-
- /* Loop through the "Require" argument list */
- for(x= 0; x < reqs_arr->nelts; x++)
- {
- if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) continue;
-
- t= reqs[x].requirement;
- w= ap_getword_white(r->pool, &t);
-
- /* The 'file-group' directive causes mod_authz_owner to store the
- * group name of the file we are trying to access in a note attached
- * to the request. It's our job to decide if the user actually is
- * in that group. If the note is missing, we just ignore it.
- * Probably mod_authz_owner is not installed.
- */
- if ( !strcasecmp(w, "file-group"))
- {
- filegroup= apr_table_get(r->notes, AUTHZ_GROUP_NOTE);
- if (filegroup == NULL) continue;
- }
-
- if ( !strcmp(w,"group") || filegroup != NULL)
- {
- required_group= 1;
-
- if (filegroup)
- {
- /* Check if user is in the group that owns the file */
- if (check_unix_group(r,filegroup))
- return OK;
- }
- else if (t[0])
- {
- /* Pass rest of require line to authenticator */
- if (check_unix_group(r,t))
- return OK;
- }
- }
- }
-
- /* If we didn't see a 'require group' or aren't authoritive, decline */
- if (!required_group || !dir->authoritative)
- return DECLINED;
-
- /* Authentication failed and we are authoritive, declare unauthorized */
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "access to %s failed, reason: user %s not allowed access",
- r->uri, r->user);
-
- ap_note_basic_auth_failure(r);
- return HTTP_UNAUTHORIZED;
-}
-
-static void authz_unixgroup_register_hooks(apr_pool_t *p)
-{
- ap_hook_auth_checker(authz_unixgroup_check_user_access, NULL, NULL,
- APR_HOOK_MIDDLE);
-}
-
-
-module AP_MODULE_DECLARE_DATA authz_unixgroup_module = {
- STANDARD20_MODULE_STUFF,
- create_authz_unixgroup_dir_config, /* create per-dir config */
- NULL, /* merge per-dir config */
- NULL, /* create per-server config */
- NULL, /* merge per-server config */
- authz_unixgroup_cmds, /* command apr_table_t */
- authz_unixgroup_register_hooks /* register hooks */
-};
projects / apache-authnz-external / commitdiff