https://bz.apache.org/bugzilla/show_bug.cgi?id=65145
Bug ID: 65145
Summary: ambiguities in mod/mod_authz_core.html
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Documentation
Assignee: docs@httpd.apache.org
Reporter: cales...@scientia.net
Target Milestone: ---

Hey.

Reading through mod/mod_authz_core.html there seem to be a number of ambiguities or crucial points missing:

1) Tri-state authz

There is no real single place where it's properly explained that authorization isn't just binary (allow, deny) but tri-state (allow, deny, neutral), for each level (i.e. single Requires, RequireAll/Any/None). It's only kinda scattered over the Require/RequireAll/Any/None.

2) "AuthMerging Directive" talks about: "When authorization is enabled" ... however, authorization must always be enabled, at least as a concept, so that requests are either granted or denied.

3) There doesn't seem to be any explanation of what happens if none of the directives are used (e.g. no Require at all). Is the request granted? Is it denied? Same when the overall result would be neutral? Granted? Denied?

"The result of the Require directive may be negated through the use of the not option. As with the other negated authorization directive <RequireNone>, when the Require directive is negated it can only fail or return a neutral result, and therefore may never independently authorize a request."

=> kinda implies that only an explicit "success" result would allow access, i.e. not having any Require at all would effectively deny all.

However mod/core.html#directory claims:

"Note that the default access for <Directory "/"> is to permit all access. This means that Apache httpd will serve any file mapped from an URL. It is recommended that you change this with a block such as"

4) Maybe I miss some point, but the example in "Creating Authorization Provider Aliases" seems buggy: "This example allows a single authorization location to check group membership within multiple ldap hosts:" but then it has:

    Require all granted
    ...
    Require ldap-group-alias1
    Require ldap-group-alias2

Aren't these all AllowAny'ed and thus the result is always allow and the latter two even ignored?

Cheers,
Chris.
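The following is an added model (not httpd code and not part of the bug report) of the tri-state merging rules the report is asking about, as mod_authz_core.html documents them for Require, <RequireAll>, <RequireAny> and <RequireNone>; it reproduces the alias example from point 4 so the "all granted" dominance can be checked. The group provider, the "no Require means permit" default and the "top-level neutral is treated as a denial" rule are assumptions of the model, not statements quoted from the page.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"
# Requests are constructed stand-ins of the form {"groups": [...]}.

@dataclass
class Require:
    provider: Callable[[dict], str]
    negate: bool = False  # "Require not ..."

    def check(self, req: dict) -> str:
        res = self.provider(req)
        if self.negate:  # a negated Require can only fail or stay neutral
            return DENIED if res == GRANTED else NEUTRAL
        return res

@dataclass
class Section:
    kind: str  # "any", "all" or "none"
    children: List = field(default_factory=list)

    def check(self, req: dict) -> str:
        rs = [c.check(req) for c in self.children]
        if self.kind == "any":  # one success wins; else any failure fails
            return GRANTED if GRANTED in rs else DENIED if DENIED in rs else NEUTRAL
        if self.kind == "all":  # one failure loses; else any success wins
            return DENIED if DENIED in rs else GRANTED if GRANTED in rs else NEUTRAL
        return DENIED if GRANTED in rs else NEUTRAL  # "none" can never grant

def all_granted(req: dict) -> str:
    return GRANTED

def ldap_group(name: str) -> Callable[[dict], str]:
    # Assumed stand-in for an ldap-group alias: grants members, denies others.
    return lambda req: GRANTED if name in req.get("groups", ()) else DENIED

def authorize(section: Optional[Section], req: dict) -> str:
    # Assumptions of this model: with no Require at all authorization is
    # skipped and access is permitted (the <Directory "/"> default), and a
    # neutral top-level result is treated as a denial.
    if section is None:
        return GRANTED
    return GRANTED if section.check(req) == GRANTED else DENIED

# Bare Require lines at one level are implicitly inside <RequireAny>; this is
# the alias example from the bug, where "Require all granted" dominates.
ALIAS_EXAMPLE = Section("any", [Require(all_granted), Require(ldap_group("alias1")),
                                Require(ldap_group("alias2"))])
STRICT_EXAMPLE = Section("all", [Require(ldap_group("alias1")),
                                 Require(ldap_group("alias2"), negate=True)])
```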