From 4f18a6aeed3106e821401dd5297a094b3006430e Mon Sep 17 00:00:00 2001 
From: Micah Andersen Date: Mon, 22 Jul 2019 19:54:13 -0400 Subject: [PATCH] Version 3.3.3 (July 22, 2019) * Added METHOD environment variable to retrieve the HTTP request method (e.g. GET, HEAD, POST, OPTIONS, etc.). Thanks to Vijay from Google Code. * Fixed a bug with incorrect parenthesis grouping when checking the result of the external process in exec_external(). Thanks to @dcb314. * Added the "GroupExternalAuthNCheck Off" directive to disable the check for a previously authenticated user when using *only* the group authorization module. If you use *any* user authentication module in the same context, this may be undesirable. Thanks to Micah Andersen/BIMI. * Fix launching external processes on Windows - many programs require the %SystemRoot% environment variable to function properly. Thanks to Micah Andersen/BIMI. --- .travis.yml | 1 - .../AUTHENTICATORS => AUTHENTICATORS | 0 mod_authnz_external/CHANGES => CHANGES | 0 .../CONTRIBUTORS => CONTRIBUTORS | 0 mod_authnz_external/INSTALL => INSTALL | 0 .../INSTALL.HARDCODE => INSTALL.HARDCODE | 0 mod_authnz_external/Makefile => Makefile | 0 mod_authnz_external/README => README | 0 README.md | 14 -- mod_authnz_external/TODO => TODO | 0 mod_authnz_external/UPGRADE => UPGRADE | 0 ...authnz_external.c => mod_authnz_external.c | 0 mod_authz_unixgroup/CHANGES | 42 ---- mod_authz_unixgroup/INSTALL | 164 -------------- mod_authz_unixgroup/LICENSE | 202 ------------------ mod_authz_unixgroup/NOTICE | 8 - mod_authz_unixgroup/README | 61 ------ mod_authz_unixgroup/mod_authz_unixgroup.c | 196 ----------------- {mod_authnz_external/test => test}/README | 0 {mod_authnz_external/test => test}/test.env | 0 {mod_authnz_external/test => test}/test.pipe | 0 .../test => test}/test.pipe.php | 0 .../test => test}/testgroup.env | 0 .../test => test}/testgroup.pipe | 0 24 files changed, 688 deletions(-) rename mod_authnz_external/AUTHENTICATORS => AUTHENTICATORS (100%) rename mod_authnz_external/CHANGES => CHANGES (100%) rename 
mod_authnz_external/CONTRIBUTORS => CONTRIBUTORS (100%)
rename mod_authnz_external/INSTALL => INSTALL (100%)
rename mod_authnz_external/INSTALL.HARDCODE => INSTALL.HARDCODE (100%)
rename mod_authnz_external/Makefile => Makefile (100%)
rename mod_authnz_external/README => README (100%)
delete mode 100644 README.md
rename mod_authnz_external/TODO => TODO (100%)
rename mod_authnz_external/UPGRADE => UPGRADE (100%)
rename mod_authnz_external/mod_authnz_external.c => mod_authnz_external.c (100%)
delete mode 100644 mod_authz_unixgroup/CHANGES
delete mode 100644 mod_authz_unixgroup/INSTALL
delete mode 100644 mod_authz_unixgroup/LICENSE
delete mode 100644 mod_authz_unixgroup/NOTICE
delete mode 100644 mod_authz_unixgroup/README
delete mode 100644 mod_authz_unixgroup/mod_authz_unixgroup.c
rename {mod_authnz_external/test => test}/README (100%)
rename {mod_authnz_external/test => test}/test.env (100%)
mode change 100755 => 100644
rename {mod_authnz_external/test => test}/test.pipe (100%)
mode change 100755 => 100644
rename {mod_authnz_external/test => test}/test.pipe.php (100%)
mode change 100755 => 100644
rename {mod_authnz_external/test => test}/testgroup.env (100%)
mode change 100755 => 100644
rename {mod_authnz_external/test => test}/testgroup.pipe (100%)
mode change 100755 => 100644
diff --git a/.travis.yml b/.travis.yml
index 83842d8..ee16dce 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -17,7 +17,6 @@ addons:
 before_install:
  - if [ "$TRAVIS_OS_NAME" = "windows" ]; then choco install apache-httpd --params '/installLocation:C:\' ; fi
- - cd mod_authnz_external
 script:
  - if [ "$TRAVIS_OS_NAME" != "windows" ]; then make ; fi
diff --git a/mod_authnz_external/AUTHENTICATORS b/AUTHENTICATORS
similarity index 100%
rename from mod_authnz_external/AUTHENTICATORS
rename to AUTHENTICATORS
diff --git a/mod_authnz_external/CHANGES b/CHANGES
similarity index 100%
rename from mod_authnz_external/CHANGES
rename to CHANGES
diff --git a/mod_authnz_external/CONTRIBUTORS b/CONTRIBUTORS
similarity index 100%
rename from mod_authnz_external/CONTRIBUTORS
rename to CONTRIBUTORS
diff --git a/mod_authnz_external/INSTALL b/INSTALL
similarity index 100%
rename from mod_authnz_external/INSTALL
rename to INSTALL
diff --git a/mod_authnz_external/INSTALL.HARDCODE b/INSTALL.HARDCODE
similarity index 100%
rename from mod_authnz_external/INSTALL.HARDCODE
rename to INSTALL.HARDCODE
diff --git a/mod_authnz_external/Makefile b/Makefile
similarity index 100%
rename from mod_authnz_external/Makefile
rename to Makefile
diff --git a/mod_authnz_external/README b/README
similarity index 100%
rename from mod_authnz_external/README
rename to README
diff --git a/README.md b/README.md
deleted file mode 100644
index f75577f..0000000
--- a/README.md
+++ /dev/null
@@ -1,14 +0,0 @@
-# mod-authnz-external [![Build Status](https://travis-ci.org/phokz/mod-auth-external.svg?branch=master)](https://travis-ci.org/phokz/mod-auth-external)
-### External Authentication Module for Apache HTTP Server
-Previous Maintainers: Jan Wolter (http://www.unixpapa.com), Tyler Allison (allison@nas.nasa.gov)
-
-Original Author: Nathan Neulinger (nneul@umr.edu)
-
-**Mod_authnz_external is a flexible tool for building custom basic authentication systems for the [Apache HTTP Server](http://httpd.apache.org)**. "Basic Authentication" is a type of authentication built into the HTTP protocol, in which the browser automatically pops up a login box when the user requests a protected resource, and the login ids and passwords entered are checked by Apache. Mod_auth*_external allows the password checking normally done inside Apache to be done by an separate external program running outside of Apache.
-
-
-### Security Considerations
-
-Older versions of mod_auth_external would by default pass logins and passwords into the authentication module using environment variables. This is insecure on some versions of Unix where the contents of environment variables are visible on a 'ps -e' command. In more recent versions, the default is to use a pipe to pass sensitive data. This is secure on all versions of Unix, and is recommended in all installations.
-
-People using mod_auth*_external with pwauth to authenticate from system password databases should be aware of the [innate security risks](http://code.google.com/p/pwauth/wiki/Risks) involved in doing this.
diff --git a/mod_authnz_external/TODO b/TODO
similarity index 100%
rename from mod_authnz_external/TODO
rename to TODO
diff --git a/mod_authnz_external/UPGRADE b/UPGRADE
similarity index 100%
rename from mod_authnz_external/UPGRADE
rename to UPGRADE
diff --git a/mod_authnz_external/mod_authnz_external.c b/mod_authnz_external.c
similarity index 100%
rename from mod_authnz_external/mod_authnz_external.c
rename to mod_authnz_external.c
diff --git a/mod_authz_unixgroup/CHANGES b/mod_authz_unixgroup/CHANGES
deleted file mode 100644
index e482a3a..0000000
--- a/mod_authz_unixgroup/CHANGES
+++ /dev/null
@@ -1,42 +0,0 @@ -v1.1.0 (Jan Wolter - Oct 6, 2011) ------------------------------------ - * Revised to work as an access control provider in Apache 2.4. - * Eliminated "AuthzUnixgroup on" directive because it is no longer needed. - * Eliminated "AuthnzUnixgroupError 403" directive because it is supplanted - by "AuthzSendForbiddenOnFailure On". - * Eliminated "AuthzUnixgroupAuthoritative off" directive because the whole - concept of authoritativeness is dead for access control providers in - Apache 2.4. - -v1.0.3 (Jan Wolter - Oct 6, 2011) ------------------------------------- - * Allow group names to be quoted, so that you can have group names with - spaces in them. This change was suggested by David Homborg. - * Document updated with references to versions for Apache 2.4. - -v1.0.2 (Jan Wolter - May 21, 2009) ------------------------------------- - * Adding copyright and Apache Version 2.0 license in LICENSE and NOTICE - files. - * New directive: AuthzUnixgroupError, can be used to specify the HTTP - error number to be returned on failure. - -v1.0.1 (Jan Wolter - Aug 6, 2008) ------------------------------------- - * Delete various logging statements that were really just there for - debugging and should have been removed sooner. - - * If there is an '@' in the user's login name, strip off that and anything - after it. An '@' sign is never legal in an unix login name, and some - authentication modules, like mod_auth_kerb, append an "@domain" to the - user's login name. - - Both of the above modifications are inspired by patches made by Ken Lalonde - . - - * Included "http_request.h" header file to suppress a harmless compile-time - warning. - -v1.0.0 (Jan Wolter - Feb 19, 2006) ------------------------------------- - * Original release diff --git a/mod_authz_unixgroup/INSTALL b/mod_authz_unixgroup/INSTALL deleted file mode 100644 index 46f1056..0000000 --- a/mod_authz_unixgroup/INSTALL +++ /dev/null 
@@ -1,164 +0,0 @@ -How to install mod_authz_unixgroup.c into Apache: - -NOTES: - - * Different versions of Apache require different versions of - mod_authz_unixgroup: - - Apache 2.2.x requires mod_authz_unixgroup 1.0.x - Apache 2.4.x requires mod_authz_unixgroup 1.1.x - - * There are two ways of installing mod_authz_unixgroup. - - (1) You can statically link it with Apache. This requires rebuilding - Apache in such a way that mod_authz_unixgroup will be compiled in. - - (2) You can make mod_authz_unixgroup a dynamically loaded module. If - your Apache has been built to support dynamically loaded modules - you can do this without rebuilding Apache, so it is pretty easy. - Performance may be slightly worse with this option. For information - on dynamically loaded modules see http://www.apache.org/docs/dso.html - - Instructions for both options are given here. - - * There is also documentation in the README file. If you find this document - unclear, reading that may help. - - -INSTALL METHOD A: Dynamically Linking Mod_authz_unixgroup using apxs: ---------------------------------------------------------------------- - -Step 1: - Ensure that your Apache server is configured to handle dynamically - loaded modules. To check this, run Apache server with the -l command - flag, like - - httpd -l - - If mod_so.c is one of the compiled-in modules, then you are ready - to go. - -Step 2: - Compile the module using the following command in the - mod_authz_unixgroup distribution directory: - - apxs -c mod_authz_unixgroup.c - - 'Apxs' is the Apache extension tool. It is part of the standard - Apache installation. If you don't have it, then your Apache server - is probably not set up for handling dynamically loaded modules. - This should create a file named 'mod_authz_unixgroup.so'. - -Step 3: - Install the module. Apxs can do this for you too. 
Do the following - command (as root so you can write to Apache's directories and config - files): - - apxs -i -a mod_authz_unixgroup.la - - This will create mod_authz_unixgroup.so and copy it into the proper - place, and add appropriate AddModule and LoadModule commands to the - configuration files. (Actually, it may get the LoadModule command - wrong. See below.) - -Step 4: - Go to the CONFIGURATION instructions below. - - -INSTALL METHOD B: Statically Linking ------------------------------------- - -Step 1: - Read the instructions on how to configure the Apache server in the - INSTALL file provided with the Apache source. - -Step 2: - When you run the ./configure script, include an --with-module flag, - giving the full pathname to the mod_authz_unixgroup.c file in this - distribution. For example, if you have unpacked this distribution - in /usr/local/src/mod_authz_unixgroup and are building Apache for - installation in /usr/local/apache, you might do: - - ./configure --prefix=/usr/local/apache \ - --with-module=aaa:/usr/local/src/mod_authz_unixgroup/mod_authz_unixgroup.c - - This will copy the mod_authz_unixgroup.c file into the correct place in - the Apache source tree and set things up to link it in. - -Step 3: - Type "make" to compile Apache and "make install" to install it. - -Step 4: - Go to the CONFIGURATION instructions below. - - -CONFIGURATION: --------------- - -Mod_authz_unixgroup is extremely simple to use. Presumably you already are -setting up some kind of authentication in a .htaccess file or in a - block in the httpd.conf file. You'll just need to change the -"Require" directive there to something like: - - Require unix-group admin -or - Require unix-group students teachers staff - -Obviously this only makes sense in a directory where you are doing -authentication. 
This could be any kind of authentication, but it makes -most sense if you are using it in combination with authentication out of -the unix password file, perhaps using mod_auth_external together with -pwauth, or mod_auth_shadow. The "Require group" directive will then -cause mod_authz_unixgroup to check if the user is in one of the groups -listed, and reject the authentication if they are not. A user is considered -to be in a group if either (1) the group is the user's primary group -identified by it's gid number in /etc/passwd, or (2) the group is listed -in /etc/group and the user id is listed as a member of that group. - -If you are authenticating out of something other than the unix password -database, then this can be used, but the effect is a bit odd. To pass -the "Require group" test, there must (1) exist a unix account with the same -name as the account the user authenticated in, and (2) that unix account must -be in one of the unix groups listed on the Require line. - -It is also possible to list groups by gid number instead of name, like - - Require unix-group 10 - -would be equivalent to "Require group admin" if the gid listed for the group -admin in /etc/group is 10. - -If mod_authz_owner is enabled in your httpd, then that will work with -mod_authz_unixgroup to check access based on file groups. For example if -we do: - - Require unix-file-group - -Then a user will be able to access a file if and only if that file is owned -by a group of which the user is a member. - -Changes from Previous Versions: -------------------------------- - -Previous versions of mod_authz_unixgroup needed a 'AuthzUnixgroup on' to -tell Apache that the "Require file-group" directive was supposed to be -handled by mod_authz_unixgroup. Now we have a distinct directive, -"Require unix-file-group" instead, so the 'AuthzUnixgroup' is no longer -needed and no longer exists. - -Normally, when an access check fails, mod_authz_unixgroup will return a -HTTP 401 error. 
This will typically cause the browser to pop up a message -saying "Authentication Failed" and then the browser will ask for a new login -name. In some cases this is not the desired behavior. If you are using the -"Require file-group" directive, you may not want to log the user off every time -he hits a file he doesn't have access to. Maybe you'd rather just show a -"Permission denied message" and not log him off. You could do that by -returning 403 error instead of a 401 error. Older versions of -mod_authz_unixgroup had a directive called 'AuthnzUnixgroupError' that did -this, but in Apache 2.4 that is replaced with a new standard Apache directive: - - AuthzUnixgroupAuthoritative off - -There also used to be an 'AuthzUnixgroupAuthoritative' directive which is -also gone, since the whole concept of authoritativeness no longer applies -to access control providers in Apache 2.4. diff --git a/mod_authz_unixgroup/LICENSE b/mod_authz_unixgroup/LICENSE deleted file mode 100644 index d645695..0000000 --- a/mod_authz_unixgroup/LICENSE +++ /dev/null 
@@ -1,202 +0,0 @@ - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. 
For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of 
the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. 
Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. 
- - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. diff --git a/mod_authz_unixgroup/NOTICE b/mod_authz_unixgroup/NOTICE deleted file mode 100644 index 08d0aa8..0000000 --- a/mod_authz_unixgroup/NOTICE +++ /dev/null @@ -1,8 +0,0 @@ -Mod_authz_unixgroup - - Copyright 2008 Jan Wolter - - This product includes software developed by Jan Wolter. - - This product includes software developed at - The Apache Software Foundation (http://www.apache.org/). diff --git a/mod_authz_unixgroup/README b/mod_authz_unixgroup/README deleted file mode 100644 index 381ca7e..0000000 --- a/mod_authz_unixgroup/README +++ /dev/null 
@@ -1,61 +0,0 @@ - Mod_Authz_Unixgroup version 1.1.0 - - Author: Jan Wolter - Website: http://www.unixpapa.com/mod_authz_unixgroup/ - Requires: Apache 2.3 or later on a Unix server - (for Apache 2.2 use mod_authz_unixgroup 1.0.x) - -Mod_Authz_Unixgroup is a unix group access control modules for Apache. If -you are having users authenticate with real Unix login ID over the net, using -something like my mod_authnz_external/pwauth combination, and you want to do -access control based on unix group membership, then mod_authz_unixgroup is -exactly what you need. - -Let's say that you were using this with mod_authnz_external and pwauth. Your -.htaccess file for a protected directory would probably start with the -following directives: - - AuthType Basic - AuthName mysite - AuthBasicProvider external - AuthExternal pwauth - -That would cause mod_auth_basic and mod_authnz_external to do authentication -based on the Unix passwd database. Mod_Authz_Unixgroup would come into play -if you wanted to further restrict access to specific Unix groups. You might -append the following directive: - - Require unix-group staff admin - -This would allow only access to accounts in the 'staff' or 'admin' unix groups. -You can alternately specify groups by their gid numbers instead of their names. - -Or you could use mod_authz_unixgroup together with the standard apache module -mod_authz_owner to do something like: - - Require unix-file-group - -This would allow access to the page, only the user was a member of the unix -group that owns the file. - -Though it makes the most sense to use this with unix passwd authentication, -it can be used with other databases. In that case it would grant access if, -(1) the name the user authenticated with exactly matched the name of a real -unix account on the server, and (2) that real unix account was in one of the -required groups. However, I think this would be a pretty senseless way to -use this module. 
I expect that it will really only be used by user of -mod_authnz_external/pwauth. - -Some authentication modules, like mod_auth_kerb, use usernames that have -domains appended to them, like "whomever@krb.ncsu.edu". In such cases, -mod_authz_unixgroup will take the part before the @-sign as the username -and ignore the rest. - -Mod_authnz_external is available from: - http://code.google.com/p/mod-auth-external/ - -Pwauth is available from: - http://code.google.com/p/pwauth/ - -It might also be possible to use this with mod_auth_shadow, especially if a -authn/authz version of that is ever released. diff --git a/mod_authz_unixgroup/mod_authz_unixgroup.c b/mod_authz_unixgroup/mod_authz_unixgroup.c deleted file mode 100644 index 43c9a0c..0000000 --- a/mod_authz_unixgroup/mod_authz_unixgroup.c +++ /dev/null 
@@ -1,196 +0,0 @@ -/* Copyright 2008 Jan Wolter - See LICENSE and NOTICE */ - -#include "apr_lib.h" - -#include "ap_config.h" -#include "ap_provider.h" -#include "mod_auth.h" - -#define APR_WANT_STRFUNC -#include "apr_want.h" -#include "apr_strings.h" - -#include "httpd.h" -#include "http_config.h" -#include "http_core.h" -#include "http_log.h" -#include "http_protocol.h" -#include "http_request.h" /* for ap_hook_(check_user_id | auth_checker)*/ -#if HAVE_PWD_H -#include -#endif -#if HAVE_GRP_H -#include -#endif -#if APR_HAVE_UNISTD_H -#include -#endif - -/* - * Structure for the module itself. The actual definition of this structure - * is at the end of the file. - */ -module AP_MODULE_DECLARE_DATA authz_unixgroup_module; - -/* A handle for retrieving the requested file's group from mod_authnz_owner */ -APR_DECLARE_OPTIONAL_FN(char*, authz_owner_get_file_group, (request_rec *r)); - - -/* Check if the named user is in the given list of groups. The list of - * groups is a string with groups separated by white space. Group ids - * can either be unix group names or numeric group id numbers. There must - * be a unix login corresponding to the named user. - */ - -static int check_unix_group(request_rec *r, const char *grouplist) -{ - char **p; - struct group *grp; - char *user= r->user; - char *w, *at; - - /* Strip @ sign and anything following it from the username. Some - * authentication modules, like mod_auth_kerb like appending such - * stuff to user names, but an @ sign is never legal in a unix login - * name, so it should be safe to always discard such stuff. 
- */ - if ((at= strchr(user, '@')) != NULL) *at= '\0'; - - /* Get info about login */ - struct passwd *pwd= getpwnam(user); - if (pwd == NULL) - { - /* No such user - forget it */ - if (at != NULL) *at= '@'; - return 0; - } - - /* Loop through list of groups passed in */ - while (*grouplist != '\0') - { - w= ap_getword_conf(r->pool, &grouplist); - if (apr_isdigit(w[0])) - { - /* Numeric group id */ - int gid= atoi(w); - - /* Check if it matches the user's primary group */ - if (gid == pwd->pw_gid) - { - if (at != NULL) *at= '@'; - return 1; - } - - /* Get list of group members for numeric group id */ - grp= getgrgid(gid); - } - else - { - /* Get gid and list of group members for group name */ - grp= getgrnam(w); - /* Check if gid of this group matches user's primary gid */ - if (grp != NULL && grp->gr_gid == pwd->pw_gid) - { - if (at != NULL) *at= '@'; - return 1; - } - } - - /* Walk through list of members, seeing if any match user login */ - if (grp != NULL) - for (p= grp->gr_mem; *p != NULL; p++) - { - if (!strcmp(user, *p)) - { - if (at != NULL) *at= '@'; - return 1; - } - } - } - - /* Didn't find any matches, flunk him */ - if (at != NULL) *at= '@'; - return 0; -} - -static authz_status unixgroup_check_authorization(request_rec *r, - const char *require_args, const void *parsed_require_args) -{ - /* If no authenticated user, pass */ - if ( !r->user ) return AUTHZ_DENIED_NO_USER; - - if (check_unix_group(r,require_args)) - return AUTHZ_GRANTED; - - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "Authorization of user %s to access %s failed. 
" - "User not in Required unix groups (%s).", - r->user, r->uri, require_args); - - return AUTHZ_DENIED; -} - -APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group; - -static authz_status unixfilegroup_check_authorization(request_rec *r, - const char *require_args, const void *parsed_require_args) -{ - const char *filegroup= NULL; - - /* If no authenticated user, pass */ - if ( !r->user ) return AUTHZ_DENIED_NO_USER; - - /* Get group name for requested file from mod_authz_owner */ - filegroup= authz_owner_get_file_group(r); - - if (!filegroup) - /* No errog log entry, because mod_authz_owner already made one */ - return AUTHZ_DENIED; - - if (check_unix_group(r,filegroup)) - return AUTHZ_GRANTED; - - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "Authorization of user %s to access %s failed. " - "User not in Required unix file group (%s).", - r->user, r->uri, filegroup); - - return AUTHZ_DENIED; -} - -static const authz_provider authz_unixgroup_provider = -{ - &unixgroup_check_authorization, - NULL, -}; - -static const authz_provider authz_unixfilegroup_provider = -{ - &unixfilegroup_check_authorization, - NULL, -}; - -static void authz_unixgroup_register_hooks(apr_pool_t *p) -{ - /* Get a handle on mod_authz_owner */ - authz_owner_get_file_group = APR_RETRIEVE_OPTIONAL_FN(authz_owner_get_file_group); - - /* Register authz providers */ - ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "unix-group", - AUTHZ_PROVIDER_VERSION, - &authz_unixgroup_provider, AP_AUTH_INTERNAL_PER_CONF); - - ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "unix-file-group", - AUTHZ_PROVIDER_VERSION, - &authz_unixfilegroup_provider, AP_AUTH_INTERNAL_PER_CONF); -} - -module AP_MODULE_DECLARE_DATA authz_unixgroup_module = { - STANDARD20_MODULE_STUFF, - NULL, /* create per-dir config */ - NULL, /* merge per-dir config */ - NULL, /* create per-server config */ - NULL, /* merge per-server config */ - NULL, /* command apr_table_t */ - authz_unixgroup_register_hooks /* 
register hooks */
-};
diff --git a/mod_authnz_external/test/README b/test/README
similarity index 100%
rename from mod_authnz_external/test/README
rename to test/README
diff --git a/mod_authnz_external/test/test.env b/test/test.env
old mode 100755
new mode 100644
similarity index 100%
rename from mod_authnz_external/test/test.env
rename to test/test.env
diff --git a/mod_authnz_external/test/test.pipe b/test/test.pipe
old mode 100755
new mode 100644
similarity index 100%
rename from mod_authnz_external/test/test.pipe
rename to test/test.pipe
diff --git a/mod_authnz_external/test/test.pipe.php b/test/test.pipe.php
old mode 100755
new mode 100644
similarity index 100%
rename from mod_authnz_external/test/test.pipe.php
rename to test/test.pipe.php
diff --git a/mod_authnz_external/test/testgroup.env b/test/testgroup.env
old mode 100755
new mode 100644
similarity index 100%
rename from mod_authnz_external/test/testgroup.env
rename to test/testgroup.env
diff --git a/mod_authnz_external/test/testgroup.pipe b/test/testgroup.pipe
old mode 100755
new mode 100644
similarity index 100%
rename from mod_authnz_external/test/testgroup.pipe
rename to test/testgroup.pipe