Control: tag -1 patch pending
Dear maintainer,
I've prepared an NMU for libapache2-mod-authz-unixgroup (versioned as
1.1.0-0.1) and uploaded it to DELAYED/2. Please feel free to tell me if
I should delay it longer. (I notice this package has been orphaned, but
that the intended adopter hasn't actually taken it over yet, so I guess
it's fine ...)
The packaging part of this diff is quite simple, and is as follows:
diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/changelog
libapache2-mod-authz-unixgroup-1.1.0/debian/changelog
--- libapache2-mod-authz-unixgroup-1.0.2/debian/changelog 2013-07-11
11:56:00.000000000 +0100
+++ libapache2-mod-authz-unixgroup-1.1.0/debian/changelog 2013-07-11
11:56:00.000000000 +0100
@@ -1,3 +1,12 @@
+libapache2-mod-authz-unixgroup (1.1.0-0.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * New upstream release, suitable for Apache 2.4 (closes: #666849).
+ * Port packaging to Apache 2.4.
+ * Update debian/watch.
+
+ -- Colin Watson <[email protected]> Thu, 11 Jul 2013 11:52:29 +0100
+
libapache2-mod-authz-unixgroup (1.0.2-1) unstable; urgency=low
* Apache .load file now gets installed
diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/control
libapache2-mod-authz-unixgroup-1.1.0/debian/control
--- libapache2-mod-authz-unixgroup-1.0.2/debian/control 2013-07-11
11:56:00.000000000 +0100
+++ libapache2-mod-authz-unixgroup-1.1.0/debian/control 2013-07-11
11:56:00.000000000 +0100
@@ -2,13 +2,13 @@
Section: web
Priority: optional
Maintainer: Hai Zaar <[email protected]>
-Build-Depends: debhelper (>= 7), apache2-threaded-dev (>= 2.2.0)
+Build-Depends: debhelper (>= 7), dh-apache2, apache2-dev (>= 2.2.0)
Standards-Version: 3.8.2
Homepage: http://www.unixpapa.com/mod_authz_unixgroup
Package: libapache2-mod-authz-unixgroup
Architecture: any
-Depends: ${shlibs:Depends}, apache2.2-common
+Depends: ${shlibs:Depends}, ${misc:Depends}
Description: access control based on on unix group membership for Apache
Mod_Authz_Unixgroup is a unix group access control module for Apache 2.1 and
later. If you are having users authenticate with real Unix login ID over the
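Review bot: The new `Build-Depends: debhelper (>= 7), dh-apache2, apache2-dev (>= 2.2.0)` line keeps a 2.2 version floor although the source being packaged now compiles only against the Apache 2.4 `authz_provider`/`authz_status` API (the README hunk in this diff says "Apache 2.3 or later"); `apache2-dev (>= 2.4)` would state the real requirement and stop the package from being built in an environment that cannot satisfy it. The same hunk is repeated in the attached full diff further down, so the same comment applies there. While touching this stanza, the Description context line `access control based on on unix group membership` has a doubled "on" that could be fixed in the same upload.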
@@ -16,4 +16,4 @@
you want to do access control based on unix group membership, then
mod_authz_unixgroup is exactly what you need.
.
- This Package includes the mod-authn-unixgroup Module for Apache Version 2.2
+ This Package includes the mod-authn-unixgroup Module for Apache Version 2.4
diff -Nru
libapache2-mod-authz-unixgroup-1.0.2/debian/libapache2-mod-authz-unixgroup.apache2
libapache2-mod-authz-unixgroup-1.1.0/debian/libapache2-mod-authz-unixgroup.apache2
---
libapache2-mod-authz-unixgroup-1.0.2/debian/libapache2-mod-authz-unixgroup.apache2
1970-01-01 01:00:00.000000000 +0100
+++
libapache2-mod-authz-unixgroup-1.1.0/debian/libapache2-mod-authz-unixgroup.apache2
2013-07-11 11:56:00.000000000 +0100
@@ -0,0 +1,2 @@
+mod .libs/mod_authz_unixgroup.so
+mod debian/authz_unixgroup.load
diff -Nru
libapache2-mod-authz-unixgroup-1.0.2/debian/libapache2-mod-authz-unixgroup.dirs
libapache2-mod-authz-unixgroup-1.1.0/debian/libapache2-mod-authz-unixgroup.dirs
---
libapache2-mod-authz-unixgroup-1.0.2/debian/libapache2-mod-authz-unixgroup.dirs
2013-07-11 11:56:00.000000000 +0100
+++
libapache2-mod-authz-unixgroup-1.1.0/debian/libapache2-mod-authz-unixgroup.dirs
1970-01-01 01:00:00.000000000 +0100
@@ -1,2 +0,0 @@
-usr/lib/apache2/modules
-etc/apache2/mods-available
diff -Nru
libapache2-mod-authz-unixgroup-1.0.2/debian/libapache2-mod-authz-unixgroup.install
libapache2-mod-authz-unixgroup-1.1.0/debian/libapache2-mod-authz-unixgroup.install
---
libapache2-mod-authz-unixgroup-1.0.2/debian/libapache2-mod-authz-unixgroup.install
2013-07-11 11:56:00.000000000 +0100
+++
libapache2-mod-authz-unixgroup-1.1.0/debian/libapache2-mod-authz-unixgroup.install
1970-01-01 01:00:00.000000000 +0100
@@ -1,3 +0,0 @@
-.libs/mod_authz_unixgroup.so usr/lib/apache2/modules
-debian/authz_unixgroup.load etc/apache2/mods-available
-
diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/rules
libapache2-mod-authz-unixgroup-1.1.0/debian/rules
--- libapache2-mod-authz-unixgroup-1.0.2/debian/rules 2013-07-11
11:56:00.000000000 +0100
+++ libapache2-mod-authz-unixgroup-1.1.0/debian/rules 2013-07-11
11:56:00.000000000 +0100
@@ -47,6 +47,7 @@
dh_installdocs
dh_installexamples
dh_install
+ dh_apache2
dh_link
dh_strip
dh_compress
diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/watch
libapache2-mod-authz-unixgroup-1.1.0/debian/watch
--- libapache2-mod-authz-unixgroup-1.0.2/debian/watch 2013-07-11
11:56:00.000000000 +0100
+++ libapache2-mod-authz-unixgroup-1.1.0/debian/watch 2013-07-11
11:56:00.000000000 +0100
@@ -9,7 +9,7 @@
# Uncomment to examine a Webpage
# <Webpage URL> <string match>
#http://www.example.com/downloads.php #PACKAGE#-(.*)\.tar\.gz
-http://code.google.com/p/mod-auth-external/downloads/list
http://mod-auth-external.googlecode.com/files/mod_authz_unixgroup-(.*)\.tar\.gz
+http://code.google.com/p/mod-auth-external/downloads/list?can=1
.*/mod_authz_unixgroup-(\d[\d.]*)\.tar\.gz
# Uncomment to examine a Webserver directory
#http://www.example.com/pub/#PACKAGE#-(.*)\.tar\.gz
Thanks,
--
Colin Watson [[email protected]]
diff -Nru libapache2-mod-authz-unixgroup-1.0.2/CHANGES libapache2-mod-authz-unixgroup-1.1.0/CHANGES
--- libapache2-mod-authz-unixgroup-1.0.2/CHANGES 2009-05-21 20:49:38.000000000 +0100
+++ libapache2-mod-authz-unixgroup-1.1.0/CHANGES 2011-10-06 20:13:04.000000000 +0100
@@ -1,3 +1,19 @@
+v1.1.0 (Jan Wolter - Oct 6, 2011)
+-----------------------------------
+ * Revised to work as an access control provider in Apache 2.4.
+ * Eliminated "AuthzUnixgroup on" directive because it is no longer needed.
+ * Eliminated "AuthnzUnixgroupError 403" directive because it is supplanted
+ by "AuthzSendForbiddenOnFailure On".
+ * Eliminated "AuthzUnixgroupAuthoritative off" directive because the whole
+ concept of authoritativeness is dead for access control providers in
+ Apache 2.4.
+
+v1.0.3 (Jan Wolter - Oct 6, 2011)
+------------------------------------
+ * Allow group names to be quoted, so that you can have group names with
+ spaces in them. This change was suggested by David Homborg.
+ * Document updated with references to versions for Apache 2.4.
+
v1.0.2 (Jan Wolter - May 21, 2009)
------------------------------------
* Adding copyright and Apache Version 2.0 license in LICENSE and NOTICE
diff -Nru libapache2-mod-authz-unixgroup-1.0.2/INSTALL libapache2-mod-authz-unixgroup-1.1.0/INSTALL
--- libapache2-mod-authz-unixgroup-1.0.2/INSTALL 2009-05-21 20:49:38.000000000 +0100
+++ libapache2-mod-authz-unixgroup-1.1.0/INSTALL 2011-10-06 20:13:04.000000000 +0100
@@ -2,6 +2,12 @@
NOTES:
+ * Different versions of Apache require different versions of
+ mod_authz_unixgroup:
+
+ Apache 2.2.x requires mod_authz_unixgroup 1.0.x
+ Apache 2.4.x requires mod_authz_unixgroup 1.1.x
+
* There are two ways of installing mod_authz_unixgroup.
(1) You can statically link it with Apache. This requires rebuilding
@@ -89,18 +95,14 @@
CONFIGURATION:
--------------
-Mod_authz_unixgroup is pretty simple to use. First, you need to enable it
-for whatever directory you want to use it in, by inserting the following
-directive either in a .htaccess file in the directory or a <Directory> block
-in the httpd.conf file:
-
- AuthzUnixgroup on
+Mod_authz_unixgroup is extremely simple to use. Presumably you already are
+setting up some kind of authentication in a .htaccess file or in a
+<Directory> block in the httpd.conf file. You'll just need to change the
+"Require" directive there to something like:
-Second, you will need a require directive like
-
- Require group admin
+ Require unix-group admin
or
- Require group students teachers staff
+ Require unix-group students teachers staff
Obviously this only makes sense in a directory where you are doing
authentication. This could be any kind of authentication, but it makes
@@ -121,7 +123,7 @@
It is also possible to list groups by gid number instead of name, like
- Require group 10
+ Require unix-group 10
would be equivalent to "Require group admin" if the gid listed for the group
admin in /etc/group is 10.
@@ -130,12 +132,20 @@
mod_authz_unixgroup to check access based on file groups. For example if
we do:
- AuthzUnixgroup on
- Require file-group
+ Require unix-file-group
Then a user will be able to access a file if and only if that file is owned
by a group of which the user is a member.
+Changes from Previous Versions:
+-------------------------------
+
+Previous versions of mod_authz_unixgroup needed a 'AuthzUnixgroup on' to
+tell Apache that the "Require file-group" directive was supposed to be
+handled by mod_authz_unixgroup. Now we have a distinct directive,
+"Require unix-file-group" instead, so the 'AuthzUnixgroup' is no longer
+needed and no longer exists.
+
Normally, when an access check fails, mod_authz_unixgroup will return a
HTTP 401 error. This will typically cause the browser to pop up a message
saying "Authentication Failed" and then the browser will ask for a new login
@@ -143,15 +153,12 @@
"Require file-group" directive, you may not want to log the user off every time
he hits a file he doesn't have access to. Maybe you'd rather just show a
"Permission denied message" and not log him off. You could do that by
-directing mod_authz_unixgroup to return a 403 error instead of a 401 error.
-You can do this with the following directive:
-
- AuthnzUnixgroupError 403
-
-By default, mod_authz_unixgroup is authoritative. If you want to use more
-than one group checker, like mod_authz_unixgroup together with
-mod_authz_groupfile or mod_authz_dbm, then you'll want to make them non-
-authoritative, so that if one fails, the other will be tried. You can
-make mod_authz_unixgroup non-authoritative by saying:
-
- AuthzUnixgroupAuthoritative off
+returning 403 error instead of a 401 error. Older versions of
+mod_authz_unixgroup had a directive called 'AuthnzUnixgroupError' that did
+this, but in Apache 2.4 that is replaced with a new standard Apache directive:
+
+ AuthzUnixgroupAuthoritative off
+
+There also used to be an 'AuthzUnixgroupAuthoritative' directive which is
+also gone, since the whole concept of authoritativeness no longer applies
+to access control providers in Apache 2.4.
diff -Nru libapache2-mod-authz-unixgroup-1.0.2/README libapache2-mod-authz-unixgroup-1.1.0/README
--- libapache2-mod-authz-unixgroup-1.0.2/README 2009-05-21 20:51:01.000000000 +0100
+++ libapache2-mod-authz-unixgroup-1.1.0/README 2011-10-06 20:13:04.000000000 +0100
@@ -1,14 +1,15 @@
- Mod_Authz_Unixgroup version 1.0.2
+ Mod_Authz_Unixgroup version 1.1.0
Author: Jan Wolter
Website: http://www.unixpapa.com/mod_authz_unixgroup/
- Requires: Apache 2.1 or later on a Unix server
+ Requires: Apache 2.3 or later on a Unix server
+ (for Apache 2.2 use mod_authz_unixgroup 1.0.x)
-Mod_Authz_Unixgroup is a unix group access control modules for Apache 2.1 and
-later. If you are having users authenticate with real Unix login ID over the
-net, using something like my mod_authnz_external/pwauth combination, and you
-want to do access control based on unix group membership, then
-mod_authz_unixgroup is exactly what you need.
+Mod_Authz_Unixgroup is a unix group access control modules for Apache. If
+you are having users authenticate with real Unix login ID over the net, using
+something like my mod_authnz_external/pwauth combination, and you want to do
+access control based on unix group membership, then mod_authz_unixgroup is
+exactly what you need.
Let's say that you were using this with mod_authnz_external and pwauth. Your
.htaccess file for a protected directory would probably start with the
@@ -22,10 +23,9 @@
That would cause mod_auth_basic and mod_authnz_external to do authentication
based on the Unix passwd database. Mod_Authz_Unixgroup would come into play
if you wanted to further restrict access to specific Unix groups. You might
-append the following directives:
+append the following directive:
- AuthzUnixgroup on
- Require group staff admin
+ Require unix-group staff admin
This would allow only access to accounts in the 'staff' or 'admin' unix groups.
You can alternately specify groups by their gid numbers instead of their names.
@@ -33,7 +33,7 @@
Or you could use mod_authz_unixgroup together with the standard apache module
mod_authz_owner to do something like:
- Require file-group
+ Require unix-file-group
This would allow access to the page, only the user was a member of the unix
group that owns the file.
@@ -52,10 +52,10 @@
and ignore the rest.
Mod_authnz_external is available from:
- http://www.unixpapa.com/mod_auth_external/
+ http://code.google.com/p/mod-auth-external/
Pwauth is available from:
- http://www.unixpapa.com/pwauth/
+ http://code.google.com/p/pwauth/
It might also be possible to use this with mod_auth_shadow, expecially if a
authn/authz version of that is ever released.
diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/changelog libapache2-mod-authz-unixgroup-1.1.0/debian/changelog
--- libapache2-mod-authz-unixgroup-1.0.2/debian/changelog 2013-07-11 11:56:00.000000000 +0100
+++ libapache2-mod-authz-unixgroup-1.1.0/debian/changelog 2013-07-11 11:56:00.000000000 +0100
@@ -1,3 +1,12 @@
+libapache2-mod-authz-unixgroup (1.1.0-0.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * New upstream release, suitable for Apache 2.4 (closes: #666849).
+ * Port packaging to Apache 2.4.
+ * Update debian/watch.
+
+ -- Colin Watson <[email protected]> Thu, 11 Jul 2013 11:52:29 +0100
+
libapache2-mod-authz-unixgroup (1.0.2-1) unstable; urgency=low
* Apache .load file now gets installed
diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/control libapache2-mod-authz-unixgroup-1.1.0/debian/control
--- libapache2-mod-authz-unixgroup-1.0.2/debian/control 2013-07-11 11:56:00.000000000 +0100
+++ libapache2-mod-authz-unixgroup-1.1.0/debian/control 2013-07-11 11:56:00.000000000 +0100
@@ -2,13 +2,13 @@
Section: web
Priority: optional
Maintainer: Hai Zaar <[email protected]>
-Build-Depends: debhelper (>= 7), apache2-threaded-dev (>= 2.2.0)
+Build-Depends: debhelper (>= 7), dh-apache2, apache2-dev (>= 2.2.0)
Standards-Version: 3.8.2
Homepage: http://www.unixpapa.com/mod_authz_unixgroup
Package: libapache2-mod-authz-unixgroup
Architecture: any
-Depends: ${shlibs:Depends}, apache2.2-common
+Depends: ${shlibs:Depends}, ${misc:Depends}
Description: access control based on on unix group membership for Apache
Mod_Authz_Unixgroup is a unix group access control module for Apache 2.1 and
later. If you are having users authenticate with real Unix login ID over the
@@ -16,4 +16,4 @@
you want to do access control based on unix group membership, then
mod_authz_unixgroup is exactly what you need.
.
- This Package includes the mod-authn-unixgroup Module for Apache Version 2.2
+ This Package includes the mod-authn-unixgroup Module for Apache Version 2.4
diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/libapache2-mod-authz-unixgroup.apache2 libapache2-mod-authz-unixgroup-1.1.0/debian/libapache2-mod-authz-unixgroup.apache2
--- libapache2-mod-authz-unixgroup-1.0.2/debian/libapache2-mod-authz-unixgroup.apache2 1970-01-01 01:00:00.000000000 +0100
+++ libapache2-mod-authz-unixgroup-1.1.0/debian/libapache2-mod-authz-unixgroup.apache2 2013-07-11 11:56:00.000000000 +0100
@@ -0,0 +1,2 @@
+mod .libs/mod_authz_unixgroup.so
+mod debian/authz_unixgroup.load
diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/libapache2-mod-authz-unixgroup.dirs libapache2-mod-authz-unixgroup-1.1.0/debian/libapache2-mod-authz-unixgroup.dirs
--- libapache2-mod-authz-unixgroup-1.0.2/debian/libapache2-mod-authz-unixgroup.dirs 2013-07-11 11:56:00.000000000 +0100
+++ libapache2-mod-authz-unixgroup-1.1.0/debian/libapache2-mod-authz-unixgroup.dirs 1970-01-01 01:00:00.000000000 +0100
@@ -1,2 +0,0 @@
-usr/lib/apache2/modules
-etc/apache2/mods-available
diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/libapache2-mod-authz-unixgroup.install libapache2-mod-authz-unixgroup-1.1.0/debian/libapache2-mod-authz-unixgroup.install
--- libapache2-mod-authz-unixgroup-1.0.2/debian/libapache2-mod-authz-unixgroup.install 2013-07-11 11:56:00.000000000 +0100
+++ libapache2-mod-authz-unixgroup-1.1.0/debian/libapache2-mod-authz-unixgroup.install 1970-01-01 01:00:00.000000000 +0100
@@ -1,3 +0,0 @@
-.libs/mod_authz_unixgroup.so usr/lib/apache2/modules
-debian/authz_unixgroup.load etc/apache2/mods-available
-
diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/rules libapache2-mod-authz-unixgroup-1.1.0/debian/rules
--- libapache2-mod-authz-unixgroup-1.0.2/debian/rules 2013-07-11 11:56:00.000000000 +0100
+++ libapache2-mod-authz-unixgroup-1.1.0/debian/rules 2013-07-11 11:56:00.000000000 +0100
@@ -47,6 +47,7 @@
dh_installdocs
dh_installexamples
dh_install
+ dh_apache2
dh_link
dh_strip
dh_compress
diff -Nru libapache2-mod-authz-unixgroup-1.0.2/debian/watch libapache2-mod-authz-unixgroup-1.1.0/debian/watch
--- libapache2-mod-authz-unixgroup-1.0.2/debian/watch 2013-07-11 11:56:00.000000000 +0100
+++ libapache2-mod-authz-unixgroup-1.1.0/debian/watch 2013-07-11 11:56:00.000000000 +0100
@@ -9,7 +9,7 @@
# Uncomment to examine a Webpage
# <Webpage URL> <string match>
#http://www.example.com/downloads.php #PACKAGE#-(.*)\.tar\.gz
-http://code.google.com/p/mod-auth-external/downloads/list http://mod-auth-external.googlecode.com/files/mod_authz_unixgroup-(.*)\.tar\.gz
+http://code.google.com/p/mod-auth-external/downloads/list?can=1 .*/mod_authz_unixgroup-(\d[\d.]*)\.tar\.gz
# Uncomment to examine a Webserver directory
#http://www.example.com/pub/#PACKAGE#-(.*)\.tar\.gz
diff -Nru libapache2-mod-authz-unixgroup-1.0.2/mod_authz_unixgroup.c libapache2-mod-authz-unixgroup-1.1.0/mod_authz_unixgroup.c
--- libapache2-mod-authz-unixgroup-1.0.2/mod_authz_unixgroup.c 2009-05-21 20:49:38.000000000 +0100
+++ libapache2-mod-authz-unixgroup-1.1.0/mod_authz_unixgroup.c 2011-10-06 20:13:04.000000000 +0100
@@ -32,65 +32,8 @@
*/
module AP_MODULE_DECLARE_DATA authz_unixgroup_module;
-/*
- * Data type for per-directory configuration
- */
-
-typedef struct
-{
- int enabled;
- int authoritative;
- char *errcode;
-
-} authz_unixgroup_dir_config_rec;
-
-
-/*
- * Creator for per-dir configurations. This is called via the hook in the
- * module declaration to allocate and initialize the per-directory
- * configuration data structures declared above.
- */
-
-static void *create_authz_unixgroup_dir_config(apr_pool_t *p, char *d)
-{
- authz_unixgroup_dir_config_rec *dir= (authz_unixgroup_dir_config_rec *)
- apr_palloc(p, sizeof(authz_unixgroup_dir_config_rec));
-
- dir->enabled= 0;
- dir->authoritative= 1; /* strong by default */
- dir->errcode= NULL; /* default to 401 */
-
- return dir;
-}
-
-
-/*
- * Config file commands that this module can handle
- */
-
-static const command_rec authz_unixgroup_cmds[] =
-{
- AP_INIT_FLAG("AuthzUnixgroup",
- ap_set_flag_slot,
- (void *)APR_OFFSETOF(authz_unixgroup_dir_config_rec, enabled),
- OR_AUTHCFG,
- "Set to 'on' to enable unix group checking"),
-
- AP_INIT_FLAG("AuthzUnixgroupAuthoritative",
- ap_set_flag_slot,
- (void *)APR_OFFSETOF(authz_unixgroup_dir_config_rec, authoritative),
- OR_AUTHCFG,
- "Set to 'off' to allow access control to be passed along to lower "
- "modules if this module can't confirm access rights" ),
-
- AP_INIT_TAKE1("AuthzUnixgroupError",
- ap_set_string_slot,
- (void *)APR_OFFSETOF(authz_unixgroup_dir_config_rec, errcode),
- OR_AUTHCFG,
- "HTTP error code to return when user is not in group" ),
-
- { NULL }
-};
+/* A handle for retrieving the requested file's group from mod_authnz_owner */
+APR_DECLARE_OPTIONAL_FN(char*, authz_owner_get_file_group, (request_rec *r));
/* Check if the named user is in the given list of groups. The list of
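Review bot: Deleting `authz_unixgroup_cmds` removes `AuthzUnixgroup`, `AuthzUnixgroupAuthoritative` and `AuthzUnixgroupError` with no compatibility entries, so any existing configuration still carrying them will fail to parse at server start rather than degrade; that matches the Apache 2.4 convention, but since this NMU moves the Debian package across that incompatible boundary it deserves a `debian/NEWS` entry naming the three directives and their replacements. The migration text shipped in this same diff is also inconsistent: CHANGES says the old `AuthnzUnixgroupError 403` is supplanted by `AuthzSendForbiddenOnFailure On`, while the new INSTALL paragraph gives `AuthzUnixgroupAuthoritative off` as the replacement and then immediately says that directive no longer exists. INSTALL should show `AuthzSendForbiddenOnFailure On` there.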
@@ -125,7 +68,7 @@
/* Loop through list of groups passed in */
while (*grouplist != '\0')
{
- w= ap_getword_white(r->pool, &grouplist);
+ w= ap_getword_conf(r->pool, &grouplist);
if (apr_isdigit(w[0]))
{
/* Numeric group id */
@@ -170,94 +113,84 @@
return 0;
}
-
-static int authz_unixgroup_check_user_access(request_rec *r)
+static authz_status unixgroup_check_authorization(request_rec *r,
+ const char *require_args, const void *parsed_require_args)
{
- authz_unixgroup_dir_config_rec *dir= (authz_unixgroup_dir_config_rec *)
- ap_get_module_config(r->per_dir_config, &authz_unixgroup_module);
+ /* If no authenticated user, pass */
+ if ( !r->user ) return AUTHZ_DENIED_NO_USER;
- int m= r->method_number;
- int i,ret;
- const char *t, *w;
- const apr_array_header_t *reqs_arr= ap_requires(r);
- const char *filegroup= NULL;
- int required_group= 0;
- require_line *reqs;
+ if (check_unix_group(r,require_args))
+ return AUTHZ_GRANTED;
+
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Authorization of user %s to access %s failed. "
+ "User not in Required unix groups (%s).",
+ r->user, r->uri, require_args);
- /* If not enabled, pass */
- if ( !dir->enabled ) return DECLINED;
+ return AUTHZ_DENIED;
+}
- /* If there are no Require arguments, pass */
- if (!reqs_arr) return DECLINED;
- reqs= (require_line *)reqs_arr->elts;
+APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group;
- /* Loop through the "Require" argument list */
- for(i= 0; i < reqs_arr->nelts; i++)
- {
- if (!(reqs[i].method_mask & (AP_METHOD_BIT << m))) continue;
+static authz_status unixfilegroup_check_authorization(request_rec *r,
+ const char *require_args, const void *parsed_require_args)
+{
+ const char *filegroup= NULL;
- t= reqs[i].requirement;
- w= ap_getword_white(r->pool, &t);
+ /* If no authenticated user, pass */
+ if ( !r->user ) return AUTHZ_DENIED_NO_USER;
- /* The 'file-group' directive causes mod_authz_owner to store the
- * group name of the file we are trying to access in a note attached
- * to the request. It's our job to decide if the user actually is
- * in that group. If the note is missing, we just ignore it.
- * Probably mod_authz_owner is not installed.
- */
- if ( !strcasecmp(w, "file-group"))
- {
- filegroup= apr_table_get(r->notes, AUTHZ_GROUP_NOTE);
- if (filegroup == NULL) continue;
- }
+ /* Get group name for requested file from mod_authz_owner */
+ filegroup= authz_owner_get_file_group(r);
- if ( !strcmp(w,"group") || filegroup != NULL)
- {
- required_group= 1;
+ if (!filegroup)
+ /* No errog log entry, because mod_authz_owner already made one */
+ return AUTHZ_DENIED;
- if (filegroup)
- {
- /* Check if user is in the group that owns the file */
- if (check_unix_group(r,filegroup))
- return OK;
- }
- else if (t[0])
- {
- /* Pass rest of require line to authenticator */
- if (check_unix_group(r,t))
- return OK;
- }
- }
- }
+ if (check_unix_group(r,filegroup))
+ return AUTHZ_GRANTED;
- /* If we didn't see a 'require group' or aren't authoritive, decline */
- if (!required_group || !dir->authoritative)
- return DECLINED;
-
- /* Authentication failed and we are authoritive, declare unauthorized */
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "access to %s failed, reason: user %s not allowed access (%s)",
- r->uri, r->user, dir->errcode);
-
- ap_note_basic_auth_failure(r);
+ "Authorization of user %s to access %s failed. "
+ "User not in Required unix file group (%s).",
+ r->user, r->uri, filegroup);
- return (dir->errcode && (ret= atoi(dir->errcode)) > 0) ? ret :
- HTTP_UNAUTHORIZED;
+ return AUTHZ_DENIED;
}
+static const authz_provider authz_unixgroup_provider =
+{
+ &unixgroup_check_authorization,
+ NULL,
+};
+
+static const authz_provider authz_unixfilegroup_provider =
+{
+ &unixfilegroup_check_authorization,
+ NULL,
+};
+
static void authz_unixgroup_register_hooks(apr_pool_t *p)
{
- ap_hook_auth_checker(authz_unixgroup_check_user_access, NULL, NULL,
- APR_HOOK_MIDDLE);
+ /* Get a handle on mod_authz_owner */
+ authz_owner_get_file_group = APR_RETRIEVE_OPTIONAL_FN(authz_owner_get_file_group);
+
+ /* Register authz providers */
+ ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "unix-group",
+ AUTHZ_PROVIDER_VERSION,
+ &authz_unixgroup_provider, AP_AUTH_INTERNAL_PER_CONF);
+
+ ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "unix-file-group",
+ AUTHZ_PROVIDER_VERSION,
+ &authz_unixfilegroup_provider, AP_AUTH_INTERNAL_PER_CONF);
}
-
module AP_MODULE_DECLARE_DATA authz_unixgroup_module = {
STANDARD20_MODULE_STUFF,
- create_authz_unixgroup_dir_config, /* create per-dir config */
+ NULL, /* create per-dir config */
NULL, /* merge per-dir config */
NULL, /* create per-server config */
NULL, /* merge per-server config */
- authz_unixgroup_cmds, /* command apr_table_t */
+ NULL, /* command apr_table_t */
authz_unixgroup_register_hooks /* register hooks */
};
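Review bot: `unixfilegroup_check_authorization` calls `authz_owner_get_file_group(r)` on the line after "Get group name for requested file from mod_authz_owner" without checking that the optional-function pointer was ever resolved, so a `Require unix-file-group` on a server where mod_authz_owner is absent dereferences a NULL function pointer and kills the worker on the first request, where the old code tolerated the missing note and declined. The lookup is also done in `authz_unixgroup_register_hooks` via `APR_RETRIEVE_OPTIONAL_FN`, which runs in LoadModule order and so may run before mod_authz_owner has registered the function; Apache's own mod_authz_groupfile resolves it from an `ap_hook_optional_fn_retrieve` hook instead. Guarding the pointer turns the failure mode into a logged `AUTHZ_DENIED` (fail closed), and the pointer definition above `unixfilegroup_check_authorization` should be `static` rather than a fresh external symbol. The comment `No errog log entry` has a typo (`error`), and the two `If no authenticated user, pass` comments describe a `AUTHZ_DENIED_NO_USER` return, so `defer to the no-user handling` would be more accurate.
```c
static APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group;

static authz_status unixfilegroup_check_authorization(request_rec *r,
    const char *require_args, const void *parsed_require_args)
{
    const char *filegroup= NULL;

    /* If no authenticated user, pass */
    if ( !r->user ) return AUTHZ_DENIED_NO_USER;

    /* mod_authz_owner not loaded (or loaded after us): deny, don't crash */
    if (!authz_owner_get_file_group) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
            "Require unix-file-group needs mod_authz_owner to be loaded");
        return AUTHZ_DENIED;
    }

    /* … unchanged: file-group lookup, check_unix_group, failure logging … */
}

/* Runs after every module has registered its optional functions */
static void authz_unixgroup_getfns(void)
{
    authz_owner_get_file_group = APR_RETRIEVE_OPTIONAL_FN(authz_owner_get_file_group);
}

static void authz_unixgroup_register_hooks(apr_pool_t *p)
{
    ap_hook_optional_fn_retrieve(authz_unixgroup_getfns, NULL, NULL, APR_HOOK_MIDDLE);

    /* … unchanged: the two ap_register_auth_provider calls … */
}
```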