Re: mod_auth-any/735: require user/require group step on each other

[Brian Behlendorf <br...@hyperreal.org>]

At 11:51 AM 7/21/97 -0400, David Birnbaum wrote:
>The "satisfy" directive seems to work only on IP address/(user/group)
>combinations, but does not fix the error for user/group combinations only.

True, my mistake.

>Set up an .htaccess file as follows:
>
>AuthType Basic
>AuthName flatiron.org Statistics
>AuthDBMUserFile /usr/local/httpd/.access/passwd.http
>AuthDBMGroupFile /usr/local/httpd/.access/group.http
>require valid-user
>require group tech
>require user davidb

First, "require valid-user" isn't necessary...

Second: it appears you are right, that the logic for multiple requires
lines is not a union.  I am wary, however, of changing this logic, for this
is the way it's worked for a long time now, and shifting this may cause
someone's security model to break.  It's very easy to work around - give
"david" his own group, and user two "require group" lines, or "require
group tech davidsgroup".  I also noticed, oddly enough, that if one uses a
non-DBM group file, then this works as expected.  Hmm!

Authentication will get a major revamp in a future version of Apache, we
realize the semantic limits of the current config file format.

	Brian



--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"Why not?" - TL           brian@organic.com - hyperreal.org - apache.org