From: jan@unixpapa.com Date: Thu, 6 Oct 2011 18:50:53 +0000 (+0000) Subject: Apache 2.4 compatibility X-Git-Tag: mod_authnz_external-3.3.1~8 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f82f03f71334ebb175f33068dc9b2f5674892fd0;p=apache-authnz-external Apache 2.4 compatibility --- diff --git a/mod_authz_unixgroup/CHANGES b/mod_authz_unixgroup/CHANGES index 2b3682c..8e684ef 100644 --- a/mod_authz_unixgroup/CHANGES +++ b/mod_authz_unixgroup/CHANGES @@ -1,8 +1,12 @@ -v1.0.3 (Jan Wolter - ) +v1.1.0 (Jan Wolter - ) +----------------------------------- + * Revised to work with Apache 2.4. + +v1.0.3 (Jan Wolter - Oct 6, 2011) ------------------------------------ * Allow group names to be quoted, so that you can have group names with - spaces in them. This change was suggested by David Homborg. Not yet - tested. + spaces in them. This change was suggested by David Homborg. + * Document updated with references to versions for Apache 2.4. v1.0.2 (Jan Wolter - May 21, 2009) ------------------------------------ diff --git a/mod_authz_unixgroup/INSTALL b/mod_authz_unixgroup/INSTALL index bf5f6f5..f4419a7 100644 --- a/mod_authz_unixgroup/INSTALL +++ b/mod_authz_unixgroup/INSTALL @@ -2,6 +2,12 @@ How to install mod_authz_unixgroup.c into Apache: NOTES: + * Different versions of Apache require different versions of + mod_authz_unixgroup: + + Apache 2.2.x requires mod_authz_unixgroup 1.0.x + Apache 2.4.x requires mod_authz_unixgroup 1.1.x + * There are two ways of installing mod_authz_unixgroup. (1) You can statically link it with Apache. This requires rebuilding diff --git a/mod_authz_unixgroup/README b/mod_authz_unixgroup/README index 88ca982..a5570d8 100644 --- a/mod_authz_unixgroup/README +++ b/mod_authz_unixgroup/README @@ -1,14 +1,15 @@ - Mod_Authz_Unixgroup version 1.0.2 + Mod_Authz_Unixgroup version 1.1.0 Author: Jan Wolter Website: http://www.unixpapa.com/mod_authz_unixgroup/ - Requires: Apache 2.1 or later on a Unix server - -Mod_Authz_Unixgroup is a unix group access control modules for Apache 2.1 and -later. If you are having users authenticate with real Unix login ID over the -net, using something like my mod_authnz_external/pwauth combination, and you -want to do access control based on unix group membership, then -mod_authz_unixgroup is exactly what you need. + Requires: Apache 2.3 or later on a Unix server + (for Apache 2.2 use mod_authz_unixgroup 1.0.x) + +Mod_Authz_Unixgroup is a unix group access control modules for Apache. If +you are having users authenticate with real Unix login ID over the net, using +something like my mod_authnz_external/pwauth combination, and you want to do +access control based on unix group membership, then mod_authz_unixgroup is +exactly what you need. Let's say that you were using this with mod_authnz_external and pwauth. Your .htaccess file for a protected directory would probably start with the diff --git a/mod_authz_unixgroup/mod_authz_unixgroup.c b/mod_authz_unixgroup/mod_authz_unixgroup.c index e373c53..724bdc6 100644 --- a/mod_authz_unixgroup/mod_authz_unixgroup.c +++ b/mod_authz_unixgroup/mod_authz_unixgroup.c @@ -32,19 +32,27 @@ */ module AP_MODULE_DECLARE_DATA authz_unixgroup_module; +/* The current version doesn't actually have any configuration at all. In + * case we ever need it back again, the remnants of the config code are + * ifdef'ed out + */ + +#ifdef CONFIG_STUFF /* * Data type for per-directory configuration */ typedef struct { - int enabled; - int authoritative; - char *errcode; - + int dummy; /* Just to keep compilers from complaining */ } authz_unixgroup_dir_config_rec; +#endif +/* A handle for retrieving the requested file's group from mod_authnz_owner */ +APR_DECLARE_OPTIONAL_FN(char*, authz_owner_get_file_group, (request_rec *r)); + +#ifdef CONFIG_STUFF /* * Creator for per-dir configurations. This is called via the hook in the * module declaration to allocate and initialize the per-directory @@ -56,42 +64,18 @@ static void *create_authz_unixgroup_dir_config(apr_pool_t *p, char *d) authz_unixgroup_dir_config_rec *dir= (authz_unixgroup_dir_config_rec *) apr_palloc(p, sizeof(authz_unixgroup_dir_config_rec)); - dir->enabled= 0; - dir->authoritative= 1; /* strong by default */ - dir->errcode= NULL; /* default to 401 */ - return dir; } - /* * Config file commands that this module can handle */ static const command_rec authz_unixgroup_cmds[] = { - AP_INIT_FLAG("AuthzUnixgroup", - ap_set_flag_slot, - (void *)APR_OFFSETOF(authz_unixgroup_dir_config_rec, enabled), - OR_AUTHCFG, - "Set to 'on' to enable unix group checking"), - - AP_INIT_FLAG("AuthzUnixgroupAuthoritative", - ap_set_flag_slot, - (void *)APR_OFFSETOF(authz_unixgroup_dir_config_rec, authoritative), - OR_AUTHCFG, - "Set to 'off' to allow access control to be passed along to lower " - "modules if this module can't confirm access rights" ), - - AP_INIT_TAKE1("AuthzUnixgroupError", - ap_set_string_slot, - (void *)APR_OFFSETOF(authz_unixgroup_dir_config_rec, errcode), - OR_AUTHCFG, - "HTTP error code to return when user is not in group" ), - { NULL } }; - +#endif /* Check if the named user is in the given list of groups. The list of * groups is a string with groups separated by white space. Group ids @@ -170,88 +154,98 @@ static int check_unix_group(request_rec *r, const char *grouplist) return 0; } - -static int authz_unixgroup_check_user_access(request_rec *r) +static authz_status unixgroup_check_authorization(request_rec *r, + const char *require_args, const void *parsed_require_args) { +#ifdef CONFIG_STUFF authz_unixgroup_dir_config_rec *dir= (authz_unixgroup_dir_config_rec *) - ap_get_module_config(r->per_dir_config, &authz_unixgroup_module); + ap_get_module_config(r->per_dir_config, &authz_unixgroup_module); +#endif - int m= r->method_number; - int i,ret; - const char *t, *w; - const apr_array_header_t *reqs_arr= ap_requires(r); - const char *filegroup= NULL; - int required_group= 0; - require_line *reqs; + /* If no authenticated user, pass */ + if ( !r->user ) return AUTHZ_DENIED_NO_USER; - /* If not enabled, pass */ - if ( !dir->enabled ) return DECLINED; + if (check_unix_group(r,require_args)) + return AUTHZ_GRANTED; - /* If there are no Require arguments, pass */ - if (!reqs_arr) return DECLINED; - reqs= (require_line *)reqs_arr->elts; + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Authorization of user %s to access %s failed. " + "User not in Required unix groups (%s).", + r->user, r->uri, require_args); - /* Loop through the "Require" argument list */ - for(i= 0; i < reqs_arr->nelts; i++) - { - if (!(reqs[i].method_mask & (AP_METHOD_BIT << m))) continue; - - t= reqs[i].requirement; - w= ap_getword_white(r->pool, &t); - - /* The 'file-group' directive causes mod_authz_owner to store the - * group name of the file we are trying to access in a note attached - * to the request. It's our job to decide if the user actually is - * in that group. If the note is missing, we just ignore it. - * Probably mod_authz_owner is not installed. - */ - if ( !strcasecmp(w, "file-group")) - { - filegroup= apr_table_get(r->notes, AUTHZ_GROUP_NOTE); - if (filegroup == NULL) continue; - } + return AUTHZ_DENIED; +} - if ( !strcmp(w,"group") || filegroup != NULL) - { - required_group= 1; +APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group; - if (filegroup) - { - /* Check if user is in the group that owns the file */ - if (check_unix_group(r,filegroup)) - return OK; - } - else if (t[0]) - { - /* Pass rest of require line to authenticator */ - if (check_unix_group(r,t)) - return OK; - } - } - } - - /* If we didn't see a 'require group' or aren't authoritive, decline */ - if (!required_group || !dir->authoritative) - return DECLINED; +static authz_status unixfilegroup_check_authorization(request_rec *r, + const char *require_args, const void *parsed_require_args) +{ +#ifdef CONFIG_STUFF + authz_unixgroup_dir_config_rec *dir= (authz_unixgroup_dir_config_rec *) + ap_get_module_config(r->per_dir_config, &authz_unixgroup_module); +#endif + const char *filegroup= NULL; - /* Authentication failed and we are authoritive, declare unauthorized */ - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "access to %s failed, reason: user %s not allowed access (%s)", - r->uri, r->user, dir->errcode); + /* If no authenticated user, pass */ + if ( !r->user ) return AUTHZ_DENIED_NO_USER; + + /* Get group name for requested file from mod_authz_owner */ + filegroup= authz_owner_get_file_group(r); - ap_note_basic_auth_failure(r); + if (!filegroup) + /* No errog log entry, because mod_authz_owner already made one */ + return AUTHZ_DENIED; - return (dir->errcode && (ret= atoi(dir->errcode)) > 0) ? ret : - HTTP_UNAUTHORIZED; + if (check_unix_group(r,filegroup)) + return AUTHZ_GRANTED; + + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Authorization of user %s to access %s failed. " + "User not in Required unix file group (%s).", + r->user, r->uri, filegroup); + + return AUTHZ_DENIED; } +static const authz_provider authz_unixgroup_provider = +{ + &unixgroup_check_authorization, + NULL, +}; + +static const authz_provider authz_unixfilegroup_provider = +{ + &unixfilegroup_check_authorization, + NULL, +}; + static void authz_unixgroup_register_hooks(apr_pool_t *p) { - ap_hook_auth_checker(authz_unixgroup_check_user_access, NULL, NULL, - APR_HOOK_MIDDLE); + /* Get a handle on mod_authz_owner */ + authz_owner_get_file_group = APR_RETRIEVE_OPTIONAL_FN(authz_owner_get_file_group); + + /* Register authz providers */ + ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "unix-group", + AUTHZ_PROVIDER_VERSION, + &authz_unixgroup_provider, AP_AUTH_INTERNAL_PER_CONF); + + ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "unix-file-group", + AUTHZ_PROVIDER_VERSION, + &authz_unixfilegroup_provider, AP_AUTH_INTERNAL_PER_CONF); } - +#ifndef CONFIG_STUFF +module AP_MODULE_DECLARE_DATA authz_unixgroup_module = { + STANDARD20_MODULE_STUFF, + NULL, /* create per-dir config */ + NULL, /* merge per-dir config */ + NULL, /* create per-server config */ + NULL, /* merge per-server config */ + NULL, /* command apr_table_t */ + authz_unixgroup_register_hooks /* register hooks */ +}; +#else module AP_MODULE_DECLARE_DATA authz_unixgroup_module = { STANDARD20_MODULE_STUFF, create_authz_unixgroup_dir_config, /* create per-dir config */ @@ -261,3 +255,4 @@ module AP_MODULE_DECLARE_DATA authz_unixgroup_module = { authz_unixgroup_cmds, /* command apr_table_t */ authz_unixgroup_register_hooks /* register hooks */ }; +#endif