Posted to users@httpd.apache.org by Lee Goddard <le...@gmail.com> on 2011/02/21 10:12:03 UTC

[users@httpd] "Require group" help required

Dear Apache Users,

I have been looking at a problem for so many hours now that I think it 
has made me blind.

The below configuration is intended to restrict access to /admin-cgi/ to 
members of the group "admin", which is defined in a plain text file, 
whilst users and passwords are in a DBM file.

The problem is that members of other groups are getting access to this 
directory. Changing "Require group ..." to a non-existent group also has 
no effect.

As far as grep shows, and memory serves, this directory and location are 
not mentioned elsewhere in the httpd configuration.

Any help appreciated

Thanks in anticipation
Lee


ScriptAlias /admin-cgi/ "/Users/leegoddard/src/www/asite/admin-cgi/"
<Directory "/Users/leegoddard/src/www/asite/admin-cgi/">
     Options -Indexes
     AuthName "Senior Admin"
     AuthType Basic
     Require group admin
     AuthBasicProvider dbm
     AuthDBMType SDBM
     AuthDBMUserFile /Users/leegoddard/src/www/asite/auth/northfoto_users.db
     AuthGroupFile /Users/leegoddard/src/www/northfoto2/auth/northfoto_groups.db
</Directory>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] PCRE Syntax or bug? (was "Require group" help required)

Posted by Eric Covener <co...@gmail.com>.
> <LocationMatch "/admin/*">

This matches a URL with /admin anywhere inside of it, followed by 0 or
more slashes.  So it matches and overrides your <Directory> block.

No regex or wildcard is required for what you probably intended
(Location /admin/), but if you use a regex and intend it to match
things that "start with" the arg, you have to anchor with ^.  You also
need to get the wildcard right (* modifies what comes before it, e.g.
.*)

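Added example (not part of the original thread): a small Python check of the behaviour Eric Covener describes above, where the unanchored pattern "/admin/*" from the thread also matches /admin-cgi/ and /adminjr-cgi/. The sample configuration and its /srv/www paths are constructed, the function names are hypothetical, and Python's re module stands in for Apache's PCRE matching, which behaves the same for these simple patterns.

```python
import re

# Constructed sample modelled on the directives quoted in the thread;
# the filesystem paths are placeholders, not the poster's real paths.
SAMPLE_CONF = """
ScriptAlias /admin-cgi/ "/srv/www/admin-cgi/"
ScriptAlias /adminjr-cgi/ "/srv/www/adminjr-cgi/"
<LocationMatch "/admin/*">
    Require group adminjr
</LocationMatch>
"""

LOCATION_MATCH = re.compile(r'<LocationMatch\s+"?([^">]+)"?\s*>', re.I)
ALIAS = re.compile(r'^\s*(?:Script)?Alias\s+(\S+)', re.I | re.M)


def location_match_patterns(conf):
    """Regex arguments of every <LocationMatch> section in the config text."""
    return LOCATION_MATCH.findall(conf)


def alias_prefixes(conf):
    """URL prefixes published by Alias / ScriptAlias directives."""
    return ALIAS.findall(conf)


def applies(pattern, url_path):
    """True if the section would apply: the regex is searched, not anchored."""
    return re.search(pattern, url_path) is not None


def unintended_overlaps(conf, intended_prefix):
    """(pattern, alias) pairs where a LocationMatch regex also hits an
    aliased URL that lies outside the prefix the author meant to cover."""
    hits = []
    for pattern in location_match_patterns(conf):
        for alias in alias_prefixes(conf):
            if not alias.startswith(intended_prefix) and applies(pattern, alias):
                hits.append((pattern, alias))
    return hits


if __name__ == "__main__":
    for pattern, alias in unintended_overlaps(SAMPLE_CONF, "/admin/"):
        print(f"LocationMatch {pattern!r} also applies to {alias}")
    anchored = SAMPLE_CONF.replace('"/admin/*"', '"^/admin/"')
    print("overlaps once anchored:", unintended_overlaps(anchored, "/admin/"))
```

Because the matching LocationMatch section is merged after the Directory section, its Require line is the one that takes effect for every URL listed as an overlap.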


Re: [users@httpd] PCRE Syntax or bug? (was "Require group" help required)

Posted by Lee <le...@gmail.com>.

On 22/02/2011 08:06, Nick Kew wrote:
> On 22 Feb 2011, at 06:55, Lee wrote:
>
>> Have I misunderstood the PCRE engine, or is this a bug...?
> Thou shalt not mix <Directory> and <Location>!
>
> (the gory details are explained somewhere in the docs; I'm not
> about to look it up).
No, don't look it up, I'll have a poke around. I have done a fair amount 
of reading recently, but this commandment did not stick in my mind. I 
realise it would be foolish to mix Directory and Location on the same 
resource, but the URIs resulting from those directives bore no relation 
to each other, there is no way that /admin-cgi/ can map to /admin/*
> Oh, and you clearly don't want PCRE or any *Match directive.
I agree that the LocationMatch in question was ugly and silly, and I 
would not put it into production, but it should have worked, I think. At 
least, I await reason as to why it ought not to.

Thanks for your help
Lee





Re: [users@httpd] PCRE Syntax or bug? (was "Require group" help required)

Posted by Nick Kew <ni...@webthing.com>.
On 22 Feb 2011, at 06:55, Lee wrote:

> Have I misunderstood the PCRE engine, or is this a bug...?

Thou shalt not mix <Directory> and <Location>!

(the gory details are explained somewhere in the docs; I'm not
about to look it up).

Oh, and you clearly don't want PCRE or any *Match directive.

-- 
Nick Kew

Available for work, contract or permanent
http://www.webthing.com/~nick/cv.html




Re: [users@httpd] PCRE Syntax or bug? (was "Require group" help required)

Posted by Lee <le...@gmail.com>.
> On 21 Feb 2011, at 09:12, Lee Goddard wrote:
>
>> Dear Apache Users,
>>
>> I have been looking at a problem for so many hours now that I think it has made me blind.
>>
>> The below configuration is intended to restrict access to /admin-cgi/ to members of the group "admin", which is defined in a plain text file, whilst users and passwords are in a DBM file.
>> [...]
>>
>>     AuthGroupFile /Users/leegoddard/src/www/northfoto2/auth/northfoto_groups.db

The problem seems to be solved, but the solution does not seem valid.

There appears to have been a conflict between these two groups of 
directives:

ScriptAlias /adminjr-cgi/ "/Users/leegoddard/src/www/northfoto2/adminjr-cgi/"
<Directory "/Users/leegoddard/src/www/northfoto2/adminjr-cgi/">
...    Require group admin ...
</Directory>

Conflicted with:

<LocationMatch "/admin/*">

At least, when I changed the latter to the below, all behaved as expected:

<LocationMatch "/admin/index.shtml">
...    Require group adminjr ...
</LocationMatch>

Have I misunderstood the PCRE engine, or is this a bug...?

Thanks
Lee







Re: [users@httpd] "Require group" help required

Posted by Lee <le...@gmail.com>.

On 21/02/2011 15:24, Nick Kew wrote:
>  Are you sure you haven't confused yourself into a mismatch between
>  your config and your groups file?

Unfortunately, have triple checked that.

Am now to check if, by some typographical fluke, I have passed group 
parameters into the users' file, it's all I can think of...!

Cheers
Lee

Re: [users@httpd] "Require group" help required

Posted by Nick Kew <ni...@webthing.com>.
On Mon, 21 Feb 2011 14:01:42 +0100
Lee <le...@gmail.com> wrote:


> The strange thing is, if I change the group file so that the line:
> 
>      adminjr: adminjr1 adminjr2
> 
> instead reads:
> 
>      adminj: adminjr1 adminjr2
> 
> then access is denied as expected.

The original config you posted had group "admin", not
"adminj" or "adminjr".  Are you sure you haven't confused
yourself into a mismatch between your config and your
groups file?

-- 
Nick Kew

Available for work, contract or permanent.
http://www.webthing.com/~nick/cv.html



Re: [users@httpd] "Require group" help required

Posted by Lee <le...@gmail.com>.
> On 21 Feb 2011, at 09:12, Lee Goddard wrote:
>
>> Dear Apache Users,
>>
>> I have been looking at a problem for so many hours now that I think it has made me blind.
>>
>> The below configuration is intended to restrict access to /admin-cgi/ to members of the group "admin", which is defined in a plain text file, whilst users and passwords are in a DBM file.
>> [...]
>>
>>     AuthGroupFile /Users/leegoddard/src/www/northfoto2/auth/northfoto_groups.db
> 1. What does the error log say?  Adjust LogLevel if necessary.
> 2. Is that a plain text file?
> 3. What "Satisfy" directive is in effect?  Set a specific Satisfy All to be safe.
>
The strange thing is, if I change the group file so that the line:

     adminjr: adminjr1 adminjr2

instead reads:

     adminj: adminjr1 adminjr2

then access is denied as expected.

In other words, a directory protected by Require group admin allows 
access to members of admin and adminjr but no other group.

If only LogLevel was more widely implemented...

The adminjr group is only defined once.

I have no idea how to proceed without playing with the Apache source, 
which I hoped to avoid.

Has no-one seen anything similar? Could it be a typo or oversight 
somewhere in my config?

Thanks
Lee






Re: [users@httpd] "Require group" help required

Posted by Lee <le...@gmail.com>.
Hi Nick,

On 21/02/2011 10:31, Nick Kew wrote:
>> Dear Apache Users,
>>
>> I have been looking at a problem for so many hours now that I think it has made me blind.
>>
>> The below configuration is intended to restrict access to /admin-cgi/ to members of the group "admin", which is defined in a plain text file, whilst users and passwords are in a DBM file.
>> [...]
>>
>>     AuthGroupFile /Users/leegoddard/src/www/northfoto2/auth/northfoto_groups.db
> 1. What does the error log say?  Adjust LogLevel if necessary.
Nothing at all - as if no authorisation was in effect. With LogLevel 
debug, I see a lot of info about server threads, but nothing relevant to 
authorisation.

> 2. Is that a plain text file?
The group file is plain text.

> 3. What "Satisfy" directive is in effect?  Set a specific Satisfy All to be safe.
Yes, I did have that in, but took it out as ineffective. It's back now.

Any thoughts?

Thanks
Lee





Re: [users@httpd] "Require group" help required

Posted by Lee <le...@gmail.com>.

On 21/02/2011 10:31, Nick Kew wrote:
>> Dear Apache Users,
>>
>> I have been looking at a problem for so many hours now that I think it has made me blind.
>>
>> The below configuration is intended to restrict access to /admin-cgi/ to members of the group "admin", which is defined in a plain text file, whilst users and passwords are in a DBM file.
>> [...]
>>
>>     AuthGroupFile /Users/leegoddard/src/www/northfoto2/auth/northfoto_groups.db
> 1. What does the error log say?  Adjust LogLevel if necessary.
> 2. Is that a plain text file?
> 3. What "Satisfy" directive is in effect?  Set a specific Satisfy All to be safe.
>
More details:

When a user not in admin or adminjr group accesses /admin-cgi :

[Mon Feb 21 10:53:45 2011] [error] [client ::1] Authorization of user blikkdisp to access /admin-cgi/admin.cgi/users/ failed, reason: user is not part of the 'require'ed group(s).

These groups are:

admin: lee mhm root
adminjr: adminjr1 adminjr2 adminjr3 lee mhm root

But adminjr1, of adminjr group, does have access to admin-cgi, even 
though that directory has Require group admin

Thanks....
Lee





Re: [users@httpd] "Require group" help required

Posted by Nick Kew <ni...@webthing.com>.
On 21 Feb 2011, at 09:12, Lee Goddard wrote:

> Dear Apache Users,
> 
> I have been looking at a problem for so many hours now that I think it has made me blind.
> 
> The below configuration is intended to restrict access to /admin-cgi/ to members of the group "admin", which is defined in a plain text file, whilst users and passwords are in a DBM file.

> [...]
> 
>    AuthGroupFile /Users/leegoddard/src/www/northfoto2/auth/northfoto_groups.db

1. What does the error log say?  Adjust LogLevel if necessary.
2. Is that a plain text file?
3. What "Satisfy" directive is in effect?  Set a specific Satisfy All to be safe.

-- 
Nick Kew

Available for work, contract or permanent
http://www.webthing.com/~nick/cv.html

