Posted to dev@httpd.apache.org by Rodent of Unusual Size <Ke...@Golux.Com> on 2001/08/11 00:39:41 UTC

Enhancement to mod_auth

In response to a private query, I worked up a little patch
to add an enhancement to mod_auth: in addition to 'require valid-user'
and 'require user xxx yyy zzz' the enhanced version recognises
'require owner'.  The idea is that access is granted if the
user is authenticated AND matches the username of the owner of
the file.

This would allow admins to have a single user database but not
have to add special clauses for each user -- for example, the
single stanza below:

<Directory /home/*/public_html/private>
    AuthType Basic
    AuthName MyPrivateFiles
    AuthUserFile /usr/local/apache/etc/.htpasswd-allusers
    Require owner
    Satisfy All
</Directory>

would allow 'jones' and only 'jones' to have access to the
files in /home/jones/public_html/private.  As users are added/
removed/renamed, only the single credential database need be
maintained.  The server need not be reloaded nor the config files
edited, nor are there any .htaccess files to twiddle.

Is this a worthwhile thing to add to the base package, or
should I keep it third-party and submit it to the module registry?
-- 
#ken	P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Apache Software Foundation         http://www.apache.org/
"Apache Server for Dummies"        http://Apache-Server.Com/
"Apache Server Unleashed"          http://ApacheUnleashed.Com/

"All right everyone!  Step away from the glowing hamburger!"

Re: [PATCH] Enhancement to mod_auth

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
"William A. Rowe, Jr." wrote:
> 
> It is as secure as any other _Apache_ authn/authz
> configuration, I suppose.  It needs to be clear that
> it is _not_ as secure as os kernel authn/authz.
> 
> This is pretty obvious to us, but might not be so
> obvious to some admins.  Because we are tying the
> 'user' or 'group' to an os placeholder, they need
> to know it's only as strong as the _Apache_
> configuration allows, and that this isn't a kernel
> authn/authz.  Unlike suexec, which compares os kernel
> identifiers between the symlink and its target, we
> are comparing an Apache admin's identifier to an os
> kernel identifier.  Does that make sense?

Now it does, yes.  I will see that the documentation
makes it clear.  Thanks for clarifying!  We were in
agreement all along, but just did not know on what. :-)
-- 
#ken	P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist      http://Apache-Server.Com/

"All right everyone!  Step away from the glowing hamburger!"

Re: [PATCH] Enhancement to mod_auth

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
From: "Rodent of Unusual Size" <Ke...@Golux.Com>
Sent: Sunday, September 09, 2001 8:00 AM


> * On 2001-09-09 at 08:44,
>   William A. Rowe, Jr. <wr...@rowe-clan.net> excited the electrons to say:
> > 
> > A vhost user creates an .htpasswd file containing;
> > me:K<*@MFHE948!
> > root:K<*@MFHE948!
> > admin:K<*@MFHE948!
> > 
> > Now that user can 'pretend' to be root, accessing root's files (provided they
> > were not secured) in spite of the fact that another vhost user believed that
> > file was protected by 'their' .htpasswd file (with the same user list, and
> > different vhosts.)
> 
> I am not getting this, Bill.  If the vhost user is able to control
> the vhost configuration, you cannot block him out anyway; he can
> always supply a different Require directive to let him do what he
> wants.  Unless you are suggesting that the Require is in the
> .htaccess file, and everything else is in httpd.conf, and the
> intruder can modify the latter but not the former..
> 
> I just do not see this scenario as being any less secure than
> 'require valid-user'.

It is as secure as any other _Apache_ authn/authz configuration, I suppose.  
It needs to be clear that it is _not_ as secure as os kernel authn/authz.  

This is pretty obvious to us, but might not be so obvious to some admins.
Because we are tying the 'user' or 'group' to an os placeholder, they need 
to know it's only as strong as the _Apache_ configuration allows, and that 
this isn't a kernel authn/authz.  Unlike suexec, which compares os kernel
identifiers between the symlink and its target, we are comparing an Apache
admin's identifier to an os kernel identifier.  Does that make sense?


Re: [PATCH] Enhancement to mod_auth

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
* On 2001-09-09 at 08:44,
  William A. Rowe, Jr. <wr...@rowe-clan.net> excited the electrons to say:
> 
> A vhost user creates an .htpasswd file containing;
> me:K<*@MFHE948!
> root:K<*@MFHE948!
> admin:K<*@MFHE948!
> 
> Now that user can 'pretend' to be root, accessing root's files (provided they
> were not secured) in spite of the fact that another vhost user believed that
> file was protected by 'their' .htpasswd file (with the same user list, and
> different vhosts.)

I am not getting this, Bill.  If the vhost user is able to control
the vhost configuration, you cannot block him out anyway; he can
always supply a different Require directive to let him do what he
wants.  Unless you are suggesting that the Require is in the
.htaccess file, and everything else is in httpd.conf, and the
intruder can modify the latter but not the former..

I just do not see this scenario as being any less secure than
'require valid-user'.

What am I missing?
-- 
#ken	P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist      http://Apache-Server.Com/

"All right everyone!  Step away from the glowing hamburger!"

Re: [PATCH] Enhancement to mod_auth

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
From: "Rodent of Unusual Size" <Ke...@Golux.Com>
Sent: Saturday, September 08, 2001 5:49 AM


> * On 2001-09-08 at 08:34,
>   William A. Rowe, Jr. <wr...@rowe-clan.net> excited the electrons to say:
> > 
> > I've seen similar requests for require group.  While you are cautiously
> > modifying the 1.3 code base, would you please consider both?
> 
> As I said in the preface, the actual patch does both 'require file-owner'
> and 'require file-group'.
> 
> > Other than that, coolness, but please document that this is not a SECURE
> > method from a multi-user system, since anyone can create an .htpasswd file
> > that might cause the user to appear as a root or admin user, but is not.
> 
> How do you mean?  Linux does not let you chgrp a file to any group
> of which you are not a member; neither does T64U, nor FreeBSD, nor
> any other Unixish system with which I am familiar..  Can you spell
> out the scenario you have in mind?

What you describe is likely secure.  The converse is not.

A vhost user creates an .htpasswd file containing;
me:K<*@MFHE948!
root:K<*@MFHE948!
admin:K<*@MFHE948!

Now that user can 'pretend' to be root, accessing root's files (provided they
were not secured) in spite of the fact that another vhost user believed that
file was protected by 'their' .htpasswd file (with the same user list, and
different vhosts.)

It is difficult to misassign the file ownership.  Impersonation is not always
that difficult, however, especially where two configs may point at the same
folders (and _nobody_ 'prefers' to work with .htaccess, due to performance.)

> > This must be documented as a convenience facility, not a security facility.
> 
> I will wait for your explanation before I commit to this, since I
> do not see the hole.

The system is as secure as the password and configuration files for the web
server.  In vhost'ed environments with multiple vhosts, it must be pointed
out that two different authz methods might yield the same 'apparent user'
if the overall system isn't locked down under a single administration.

Bill
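
Added illustration, not the patch discussed in this thread and not code from any poster: a minimal C version of the check that 'require file-owner' describes, granting only when the authenticated name equals the login name of the file's owner. The function name file_owner_matches is hypothetical, and getpwuid_r() is used here in place of the getpwuid() mentioned in the thread.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical helper (not from the mod_auth patch): return 1 only when
 * auth_user equals the login name of the file's owner.  Every failure
 * (no file, no passwd entry, empty user) denies access. */
int file_owner_matches(const char *path, const char *auth_user)
{
    struct stat st;
    struct passwd pwd, *res = NULL;
    char buf[4096];

    if (auth_user == NULL || *auth_user == '\0')
        return 0;                       /* no authenticated identity */
    if (stat(path, &st) != 0)
        return 0;                       /* cannot determine the owner */
    /* getpwuid_r() fills caller-owned storage, unlike getpwuid(), whose
     * static result can be overwritten by another thread. */
    if (getpwuid_r(st.st_uid, &pwd, buf, sizeof buf, &res) != 0 || res == NULL)
        return 0;                       /* uid has no name: deny */
    /* auth_user comes from the web server's credential file, not from
     * the kernel, so this is a name comparison and nothing more. */
    return strcmp(res->pw_name, auth_user) == 0;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <file> <authenticated-user>\n", argv[0]);
        return 2;
    }
    int ok = file_owner_matches(argv[1], argv[2]);
    printf("%s\n", ok ? "granted" : "denied");
    return ok ? 0 : 1;
}
```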


Re: [PATCH] Enhancement to mod_auth

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
* On 2001-09-08 at 08:34,
  William A. Rowe, Jr. <wr...@rowe-clan.net> excited the electrons to say:
> 
> I've seen similar requests for require group.  While you are cautiously
> modifying the 1.3 code base, would you please consider both?

As I said in the preface, the actual patch does both 'require file-owner'
and 'require file-group'.

> Other than that, coolness, but please document that this is not a SECURE
> method from a multi-user system, since anyone can create an .htpasswd file
> that might cause the user to appear as a root or admin user, but is not.

How do you mean?  Linux does not let you chgrp a file to any group
of which you are not a member; neither does T64U, nor FreeBSD, nor
any other Unixish system with which I am familiar..  Can you spell
out the scenario you have in mind?

> This must be documented as a convenience facility, not a security facility.

I will wait for your explanation before I commit to this, since I
do not see the hole.
-- 
#ken	P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist      http://Apache-Server.Com/

"All right everyone!  Step away from the glowing hamburger!"

Re: [PATCH] Enhancement to mod_auth

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
From: "Rodent of Unusual Size" <Ke...@Golux.Com>
Sent: Friday, September 07, 2001 5:25 AM


> * On 2001-08-10 at 19:43,
>   Rodent of Unusual Size <Ke...@golux.com> excited the electrons to say:
> > 
> > In response to a private query, I worked up a little patch
> > to add an enhancement to mod_auth: in addition to 'require valid-user'
> > and 'require user xxx yyy zzz' the enhanced version recognises
> > 'require owner'.  The idea is that access is granted if the
> > user is authenticated AND matches the username of the owner of
> > the file.

I've seen similar requests for require group.  While you are cautiously
modifying the 1.3 code base, would you please consider both?

I'm -1 for the similar SymLinkIfGroupMatch semantic in 1.3 (that dir_walk
code is frankly too fragile) but I'll look at that semantic in 2.0.

Other than that, coolness, but please document that this is not a SECURE
method from a multi-user system, since anyone can create an .htpasswd file
that might cause the user to appear as a root or admin user, but is not.

This must be documented as a convenience facility, not a security facility.



Re: [PATCH] Enhancement to mod_auth

Posted by sterling <st...@covalent.net>.
Thanks for the response ken -

On Sun, 9 Sep 2001, Rodent of Unusual Size wrote:

> * On 2001-09-09 at 08:44,
>   sterling <st...@covalent.net> excited the electrons to say:
> >
> >   i still say 'Require valid-user' should be handled by the core.... i've
> > said this before, but it's kinda kludgy the way it is.  e.g: if you are
> > using mod_auth_db and have a 'Require valid-user' it only works if
> > mod_auth is enabled......
>
> That can really only happen after the auth and authz split does.
> As long as each module is required to be responsible for both,
> trying to do this would be a big piece of work.  In other words,
> it sure is not going to happen in 1.3.. :-)

auth and authz split? haven't they always been split (i.e. check_user_id
and auth_checker)?
maybe i missed a thread somewhere....
but either way - no check_user_id hooker should really be messing with
Require statements too much, no?

the way i see it a simple function (hooked in the auth_checker phase)
which looks for a 'Require valid-user' and returns OK if it finds one
would solve this problem....... (in 1.3 or 2.0).


sterling


Re: [PATCH] Enhancement to mod_auth

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
* On 2001-09-09 at 08:44,
  sterling <st...@covalent.net> excited the electrons to say:
> 
>   i still say 'Require valid-user' should be handled by the core.... i've
> said this before, but it's kinda kludgy the way it is.  e.g: if you are
> using mod_auth_db and have a 'Require valid-user' it only works if
> mod_auth is enabled......

That can really only happen after the auth and authz split does.
As long as each module is required to be responsible for both,
trying to do this would be a big piece of work.  In other words,
it sure is not going to happen in 1.3.. :-)
-- 
#ken	P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist      http://Apache-Server.Com/

"All right everyone!  Step away from the glowing hamburger!"

Re: [PATCH] Enhancement to mod_auth

Posted by sterling <st...@covalent.net>.
On Fri, 7 Sep 2001, Rodent of Unusual Size wrote:

> * On 2001-08-10 at 19:43,
>   Rodent of Unusual Size <Ke...@golux.com> excited the electrons to say:
> >
> > In response to a private query, I worked up a little patch
> > to add an enhancement to mod_auth: in addition to 'require valid-user'
> > and 'require user xxx yyy zzz' the enhanced version recognises
> > 'require owner'.  The idea is that access is granted if the
> > user is authenticated AND matches the username of the owner of
> > the file.
>
> Okey, here is the first part of the patch.  I am submitting it
> to the list rather than just committing it because I am not
> sure about the use of non-threadsafe getpwuid() and getgrgid().
> However, since we use those elsewhere, if no-one has any comments
> within a couple of days I will go ahead and commit it.
>
> Note that this first pass is for *1.3* rather than 2.0, because
> the person who asked for it is using 1.3.  I will bring it
> forward to 2.0 after it is committed to 1.3.
>
> I actually took it a step further than stated in the quotation
> above; the new keywords for Require are 'file-owner' and 'file-group';
> if there is an AuthGroupFile, and the file's group is listed in it,
> and the authenticated user is in that group, 'file-group' will
> grant access.
>


FWIW:
  i still say 'Require valid-user' should be handled by the core.... i've
said this before, but it's kinda kludgy the way it is.  e.g: if you are
using mod_auth_db and have a 'Require valid-user' it only works if
mod_auth is enabled......

sure, mod_auth is enabled by default, but.......


sterling


[PATCH] Enhancement to mod_auth

Posted by Rodent of Unusual Size <Ke...@Golux.Com>.
* On 2001-08-10 at 19:43,
  Rodent of Unusual Size <Ke...@golux.com> excited the electrons to say:
> 
> In response to a private query, I worked up a little patch
> to add an enhancement to mod_auth: in addition to 'require valid-user'
> and 'require user xxx yyy zzz' the enhanced version recognises
> 'require owner'.  The idea is that access is granted if the
> user is authenticated AND matches the username of the owner of
> the file.

Okey, here is the first part of the patch.  I am submitting it
to the list rather than just committing it because I am not
sure about the use of non-threadsafe getpwuid() and getgrgid().
However, since we use those elsewhere, if no-one has any comments
within a couple of days I will go ahead and commit it.

Note that this first pass is for *1.3* rather than 2.0, because
the person who asked for it is using 1.3.  I will bring it
forward to 2.0 after it is committed to 1.3.

I actually took it a step further than stated in the quotation
above; the new keywords for Require are 'file-owner' and 'file-group';
if there is an AuthGroupFile, and the file's group is listed in it,
and the authenticated user is in that group, 'file-group' will
grant access.
-- 
#ken	P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist      http://Apache-Server.Com/

"All right everyone!  Step away from the glowing hamburger!"

Re: Enhancement to mod_auth

Posted by Graham Leggett <mi...@sharp.fm>.
Rodent of Unusual Size wrote:

> Is this a worthwhile thing to add to the base package, or
> should I keep it third-party and submit it to the module registry?

I vote it goes in - I had need of something like this a few days ago...

Regards,
Graham
-- 
-----------------------------------------
minfrin@sharp.fm		"There's a moon
					over Bourbon Street
						tonight..."

Re: Enhancement to mod_auth

Posted by Cliff Woolley <cl...@yahoo.com>.
On Fri, 10 Aug 2001, Rodent of Unusual Size wrote:

> In response to a private query, I worked up a little patch
> to add an enhancement to mod_auth: in addition to 'require valid-user'
> and 'require user xxx yyy zzz' the enhanced version recognises
> 'require owner'.  The idea is that access is granted if the
> user is authenticated AND matches the username of the owner of
> the file.
>
> Is this a worthwhile thing to add to the base package, or
> should I keep it third-party and submit it to the module registry?

+1 to patch mod_auth

--Cliff

--------------------------------------------------------------
   Cliff Woolley
   cliffwoolley@yahoo.com
   Charlottesville, VA