static authz_status unixfilegroup_check_authorization(request_rec *r,
const char *require_args, const void *parsed_require_args)
{
const char *filegroup= NULL;
/* If no authenticated user, pass */
if ( !r->user ) return AUTHZ_DENIED_NO_USER;
/* Get group name for requested file from mod_authz_owner */
filegroup= authz_owner_get_file_group(r);
if (!filegroup)
/* No errog log entry, because mod_authz_owner already made one */
return AUTHZ_DENIED;
if (check_unix_group(r,filegroup))
return AUTHZ_GRANTED;
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"Authorization of user %s to access %s failed. "
"User not in Required unix file group (%s).",
r->user, r->uri, filegroup);
return AUTHZ_DENIED;
}
static authz_status unixgroup_check_authorization(request_rec *r,
const char *require_args, const void *parsed_require_args)
{
/* If no authenticated user, pass */
if ( !r->user ) return AUTHZ_DENIED_NO_USER;
if (check_unix_group(r,require_args))
return AUTHZ_GRANTED;
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"Authorization of user %s to access %s failed. "
"User not in Required unix groups (%s).",
r->user, r->uri, require_args);
return AUTHZ_DENIED;
}
static int authz_unixgroup_check_user_access(request_rec *r)
{
authz_unixgroup_dir_config_rec *dir= (authz_unixgroup_dir_config_rec *)
ap_get_module_config(r->per_dir_config, &authz_unixgroup_module);
int m= r->method_number;
int required_group= 0;
register int x;
const char *t, *w;
const apr_array_header_t *reqs_arr= ap_requires(r);
const char *filegroup= NULL;
require_line *reqs;
/* If not enabled, pass */
if ( !dir->enabled ) return DECLINED;
/* If there are no Require arguments, pass */
if (!reqs_arr) return DECLINED;
reqs= (require_line *)reqs_arr->elts;
/* Loop through the "Require" argument list */
for(x= 0; x < reqs_arr->nelts; x++)
{
if (!(reqs[x].method_mask & (AP_METHOD_BIT << m))) continue;
t= reqs[x].requirement;
w= ap_getword_white(r->pool, &t);
/* The 'file-group' directive causes mod_authz_owner to store the
* group name of the file we are trying to access in a note attached
* to the request. It's our job to decide if the user actually is
* in that group. If the note is missing, we just ignore it.
* Probably mod_authz_owner is not installed.
*/
if ( !strcasecmp(w, "file-group"))
{
filegroup= apr_table_get(r->notes, AUTHZ_GROUP_NOTE);
if (filegroup == NULL) continue;
}
if ( !strcmp(w,"group") || filegroup != NULL)
{
required_group= 1;
if (filegroup)
{
/* Check if user is in the group that owns the file */
if (check_unix_group(r,filegroup))
return OK;
}
else if (t[0])
{
/* Pass rest of require line to authenticator */
if (check_unix_group(r,t))
return OK;
}
}
}
/* If we didn't see a 'require group' or aren't authoritive, decline */
if (!required_group || !dir->authoritative)
return DECLINED;
/* Authentication failed and we are authoritive, declare unauthorized */
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"access to %s failed, reason: user %s not allowed access",
r->uri, r->user);
ap_note_basic_auth_failure(r);
return HTTP_UNAUTHORIZED;
}
