Posted to apache-bugdb@apache.org by br...@hyperreal.org on 1997/07/21 07:51:45 UTC

Re: mod_auth-any/735: require user/require group step on each other

Synopsis: require user/require group step on each other

State-Changed-From-To: open-closed
State-Changed-By: brian
State-Changed-When: Sun Jul 20 22:51:44 PDT 1997
State-Changed-Why:
If you say "Satisfy any", you should get the behavior you
expect.




Re: mod_auth-any/735: require user/require group step on each other

Posted by Brian Behlendorf <br...@hyperreal.org>.
At 11:51 AM 7/21/97 -0400, David Birnbaum wrote:
>The "satisfy" directive seems to work only on IP address/(user/group)
>combinations, but does not fix the error for user/group combinations only.

True, my mistake.

>Set up an .htaccess file as follows:
>
>AuthType Basic
>AuthName flatiron.org Statistics
>AuthDBMUserFile /usr/local/httpd/.access/passwd.http
>AuthDBMGroupFile /usr/local/httpd/.access/group.http
>require valid-user
>require group tech
>require user davidb

First, "require valid-user" isn't necessary...

Second: it appears you are right, that the logic for multiple requires
lines is not a union.  I am wary, however, of changing this logic, for this
is the way it's worked for a long time now, and shifting this may cause
someone's security model to break.  It's very easy to work around - give
"david" his own group, and use two "require group" lines, or "require
group tech davidsgroup".  I also noticed, oddly enough, that if one uses a
non-DBM group file, then this works as expected.  Hmm!

Authentication will get a major revamp in a future version of Apache; we
realize the semantic limits of the current config file format.

	Brian



--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"Why not?" - TL           brian@organic.com - hyperreal.org - apache.org

Re: mod_auth-any/735: require user/require group step on each other

Posted by David Birnbaum <da...@flatiron.org>.
Brian,

The "satisfy" directive seems to work only on IP address/(user/group)
combinations, but does not fix the error for user/group combinations only.
Set up an .htaccess file as follows:

AuthType Basic
AuthName flatiron.org Statistics
AuthDBMUserFile /usr/local/httpd/.access/passwd.http
AuthDBMGroupFile /usr/local/httpd/.access/group.http
require valid-user
require group tech
require user davidb

If user davidb is NOT in group tech, he cannot authenticate to this area.
Putting in a "satisfy any" allows anyone to get in, as there are no IP
address restrictions listed.

In my mind, a user should be able to authenticate if the user is in group
tech OR is user davidb.

Thanks,

David.

On Sun, 20 Jul 1997 brian@hyperreal.org wrote:

> Synopsis: require user/require group step on each other
> 
> State-Changed-From-To: open-closed
> State-Changed-By: brian
> State-Changed-When: Sun Jul 20 22:51:44 PDT 1997
> State-Changed-Why:
> If you say "Satisfy any", you should get the behavior you
> expect.
> 
> 
> 
>
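
A small audit for the three patterns reported in this thread, as an added example that is not code from the thread's participants or from the Apache project. The `audit` function and the finding names are hypothetical; the sample input is the .htaccess quoted in the messages above.

```python
# Constructed sample: the .htaccess quoted in the thread.
SAMPLE = """\
AuthType Basic
AuthName flatiron.org Statistics
AuthDBMUserFile /usr/local/httpd/.access/passwd.http
AuthDBMGroupFile /usr/local/httpd/.access/group.http
require valid-user
require group tech
require user davidb
"""

def parse(text):
    """Return (directive, [args]) pairs, skipping blank lines and comments."""
    out = []
    for line in text.splitlines():
        words = line.split()
        if words and not words[0].startswith("#"):
            out.append((words[0].lower(), words[1:]))
    return out

def audit(text):
    """Return hypothetical finding codes for one .htaccess body."""
    directives = parse(text)
    names = {name for name, _ in directives}
    kinds = [args[0].lower() for name, args in directives
             if name == "require" and args]
    findings = []
    # Thread: with a DBM group file, "require user" plus "require group"
    # was not evaluated as a union, so the named user can be locked out.
    if "authdbmgroupfile" in names and "user" in kinds and "group" in kinds:
        findings.append("USER_GROUP_NOT_UNION")
    # Brian: "require valid-user" next to specific requirements is unnecessary.
    if "valid-user" in kinds and len(set(kinds)) > 1:
        findings.append("REDUNDANT_VALID_USER")
    # David: "satisfy any" with no IP address restrictions lets anyone in.
    satisfy_any = any(name == "satisfy" and args and args[0].lower() == "any"
                      for name, args in directives)
    if satisfy_any and not names & {"allow", "deny"}:
        findings.append("SATISFY_ANY_WITHOUT_HOST_RULES")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The single-line form suggested in the reply, "require group tech davidsgroup", produces no findings.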