/*
 * authz provider for 'Require group <name> ...': grant when the
 * authenticated user is a member of any listed group according to the
 * configured AuthGroupFile.
 *
 * Every failure path (no authenticated user, no group file configured,
 * unreadable group file, user absent from the file, no listed group
 * matched) returns a denial rather than a neutral result, so a
 * misconfiguration fails closed.  Each denial except the no-user case is
 * logged at APLOG_ERR with the reason, user and URI, which keeps the
 * error log usable as an audit trail for authorization failures.
 *
 * NOTE(review): apr_table_get() compares keys case-insensitively, so
 * group names from the Require line match the file without regard to
 * case -- confirm that is the intended semantics.
 */
static authz_status group_check_authorization(request_rec *r,
                                              const char *require_args,
                                              const void *parsed_require_args)
{
    authz_groupfile_config_rec *conf =
        ap_get_module_config(r->per_dir_config, &authz_groupfile_module);
    apr_table_t *member_of = NULL;
    const char *cursor = require_args;
    apr_status_t rv;

    if (r->user == NULL) {
        return AUTHZ_DENIED_NO_USER;
    }

    /* No AuthGroupFile: we cannot evaluate group membership, so deny
     * instead of letting the request through unchecked. */
    if (conf->groupfile == NULL) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01664)
                      "No group file was specified in the configuration");
        return AUTHZ_DENIED;
    }

    rv = groups_for_user(r->pool, r->user, conf->groupfile, &member_of);
    if (rv != APR_SUCCESS) {
        /* I/O or parse failure on the group file is a denial, not a pass. */
        ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01665)
                      "Could not open group file: %s", conf->groupfile);
        return AUTHZ_DENIED;
    }

    /* A user with no memberships cannot satisfy any 'Require group'. */
    if (apr_is_empty_table(member_of)) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01666)
                      "Authorization of user %s to access %s failed, reason: "
                      "user doesn't appear in group file (%s).",
                      r->user, r->uri, conf->groupfile);
        return AUTHZ_DENIED;
    }

    /* Walk the group names on the Require line; the loop ends on a NULL
     * or empty word.  The first membership hit grants access. */
    for (;;) {
        const char *wanted = ap_getword_conf(r->pool, &cursor);

        if (wanted == NULL || wanted[0] == '\0') {
            break;
        }
        if (apr_table_get(member_of, wanted) != NULL) {
            return AUTHZ_GRANTED;
        }
    }

    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01667)
                  "Authorization of user %s to access %s failed, reason: "
                  "user is not part of the 'require'ed group(s).",
                  r->user, r->uri);
    return AUTHZ_DENIED;
}
/*
 * authz provider for 'Require file-group': grant when the authenticated
 * user belongs (per AuthGroupFile) to the group that owns the requested
 * file, as reported by authz_owner_get_file_group().
 *
 * As with the plain group check, every failure path denies rather than
 * returning a neutral result, and the reason is logged at APLOG_ERR with
 * user and URI.  The one exception is a NULL result from
 * authz_owner_get_file_group(); the original author notes that helper
 * already logs its own failure, so no second entry is written here.
 *
 * NOTE(review): apr_table_get() compares keys case-insensitively, so the
 * owning group name matches the group file without regard to case --
 * confirm that is intended.
 */
static authz_status filegroup_check_authorization(request_rec *r,
                                                  const char *require_args,
                                                  const void *parsed_require_args)
{
    authz_groupfile_config_rec *conf =
        ap_get_module_config(r->per_dir_config, &authz_groupfile_module);
    apr_table_t *member_of = NULL;
    const char *owning_group;
    apr_status_t rv;

    if (r->user == NULL) {
        return AUTHZ_DENIED_NO_USER;
    }

    /* No AuthGroupFile: membership cannot be evaluated, so deny. */
    if (conf->groupfile == NULL) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01668)
                      "No group file was specified in the configuration");
        return AUTHZ_DENIED;
    }

    rv = groups_for_user(r->pool, r->user, conf->groupfile, &member_of);
    if (rv != APR_SUCCESS) {
        /* Unreadable group file is a denial, not a pass. */
        ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01669)
                      "Could not open group file: %s", conf->groupfile);
        return AUTHZ_DENIED;
    }

    /* A user with no memberships cannot own-by-group anything. */
    if (apr_is_empty_table(member_of)) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01670)
                      "Authorization of user %s to access %s failed, reason: "
                      "user doesn't appear in group file (%s).",
                      r->user, r->uri, conf->groupfile);
        return AUTHZ_DENIED;
    }

    owning_group = authz_owner_get_file_group(r);
    if (owning_group == NULL) {
        /* The helper has already logged why it could not determine the
         * file's group; deny without a duplicate entry. */
        return AUTHZ_DENIED;
    }

    if (apr_table_get(member_of, owning_group) != NULL) {
        return AUTHZ_GRANTED;
    }

    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01671)
                  "Authorization of user %s to access %s failed, reason: "
                  "user is not part of the 'require'ed file group.",
                  r->user, r->uri);
    return AUTHZ_DENIED;
}
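/*
 * auth_checker hook (1.3-era mod_auth): decide whether the authenticated
 * user satisfies the 'require' lines that apply to this request's method.
 *
 * Returns OK on the first satisfied requirement, or when no 'require' line
 * restricts this method at all; DECLINED when a 'group' requirement is met
 * without a group table, or when nothing matched and the module is not
 * authoritative; AUTH_REQUIRED (after ap_note_basic_auth_failure()) when it
 * is authoritative and nothing matched.  Unknown require keywords are
 * logged only in the authoritative case, since another module may handle
 * them otherwise.
 *
 * Fix in this revision: an owner UID or GID that cannot be resolved now
 * moves on to the next 'require' line.  Previously the NULL branches of
 * getpwuid()/getgrgid() fell through the remaining keyword comparisons and,
 * when authoritative, produced a misleading "unknown require directive"
 * error log entry for a perfectly valid 'file-owner'/'file-group' line.
 * The authorization outcome is unchanged; only the logging is corrected.
 *
 * Assumes r->connection->user was populated by the check_user_id phase
 * (there is no NULL check before strcmp()) -- TODO confirm against caller.
 *
 * NOTE(review): returning DECLINED from inside the loop abandons the
 * remaining 'require' lines and the authoritative check at the bottom;
 * the final result then depends on the other auth_checker modules and on
 * how the core treats an all-decline -- confirm that path cannot grant.
 */
static int check_user_access(request_rec *r)
{
    auth_config_rec *sec =
        (auth_config_rec *) ap_get_module_config(r->per_dir_config, &auth_module);
    char *user = r->connection->user;
    int m = r->method_number;
    int method_restricted = 0;
    int x;
    const char *t, *w;
    table *grpstatus;
    const array_header *reqs_arr = ap_requires(r);
    require_line *reqs;

    /* BUG FIX: tadc, 11-Nov-1995.  If there is no "requires" directive,
     * then any user will do.
     */
    if (reqs_arr == NULL) {
        return (OK);
    }
    reqs = (require_line *) reqs_arr->elts;

    /* Load the user's group table once.  grpstatus == NULL below means
     * either "no AuthGroupFile" or (judging by the warning text in the
     * file-group branch) "user has no groups" -- the helper's contract is
     * not visible here.
     */
    if (sec->auth_grpfile) {
        grpstatus = groups_for_user(r->pool, user, sec->auth_grpfile);
    }
    else {
        grpstatus = NULL;
    }

    for (x = 0; x < reqs_arr->nelts; x++) {
        /* Only 'require' lines whose <Limit> method mask covers this
         * request's method take part in the decision. */
        if (! (reqs[x].method_mask & (1 << m))) {
            continue;
        }
        method_restricted = 1;

        t = reqs[x].requirement;
        w = ap_getword_white(r->pool, &t);

        if (strcmp(w, "valid-user") == 0) {
            return OK;
        }

        /*
         * If requested, allow access if the user is valid and the
         * owner of the document.
         */
        if (strcmp(w, "file-owner") == 0) {
#if defined(WIN32) || defined(NETWARE) || defined(OS2)
            ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, r,
                          "'Require file-owner' not supported "
                          "on this platform, ignored");
            continue;
#else
            struct passwd *pwent;

            ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r,
                          "checking for 'owner' access for file '%s'",
                          r->filename);
            /* Without stat info ownership cannot be established, so this
             * line cannot grant; try the next one. */
            if (r->finfo.st_ino == 0) {
                ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r,
                              "no stat info for '%s'", r->filename);
                continue;
            }
            pwent = getpwuid(r->finfo.st_uid);
            if (pwent == NULL) {
                ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r,
                              "no username for UID %d (owner of '%s')",
                              r->finfo.st_uid, r->filename);
                /* Unresolvable owner cannot match; do not fall through to
                 * the "unknown require directive" branch below. */
                continue;
            }
            else {
                ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r,
                              "checking authenticated user '%s' "
                              "against owner '%s' of '%s'",
                              user, pwent->pw_name, r->filename);
                if (strcmp(user, pwent->pw_name) == 0) {
                    return OK;
                }
                else {
                    continue;
                }
            }
#endif
        }

        if (strcmp(w, "file-group") == 0) {
#if defined(WIN32) || defined(NETWARE) || defined(OS2)
            ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, r,
                          "'Require file-group' not supported "
                          "on this platform, ignored");
            continue;
#else
            struct group *grent;

            if (sec->auth_grpfile == NULL) {
                ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_INFO, r,
                              "no AuthGroupFile, so 'file-group' "
                              "requirement cannot succeed for file '%s'",
                              r->filename);
                continue;
            }
            if (grpstatus == NULL) {
                ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, r,
                              "authenticated user '%s' not a member of "
                              "any groups, so 'file-group' requirement "
                              "cannot succeed for file '%s'",
                              user, r->filename);
                continue;
            }
            ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r,
                          "checking for 'group' access for file '%s'",
                          r->filename);
            if (r->finfo.st_ino == 0) {
                ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r,
                              "no stat info for '%s'", r->filename);
                continue;
            }
            grent = getgrgid(r->finfo.st_gid);
            if (grent == NULL) {
                ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r,
                              "no group name for GID %d (owner of '%s')",
                              r->finfo.st_gid, r->filename);
                /* Unresolvable owning group cannot match; same reasoning
                 * as the file-owner branch above. */
                continue;
            }
            else {
                ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, r,
                              "checking groups of authenticated user '%s' "
                              "against owner group '%s' of '%s'",
                              user, grent->gr_name, r->filename);
                if (ap_table_get(grpstatus, grent->gr_name) != NULL) {
                    return OK;
                }
                else {
                    continue;
                }
            }
#endif
        }

        if (strcmp(w, "user") == 0) {
            /* Remaining words are user names; any exact match grants. */
            while (t[0] != '\0') {
                w = ap_getword_conf(r->pool, &t);
                if (strcmp(user, w) == 0) {
                    return OK;
                }
            }
        }
        else if (strcmp(w, "group") == 0) {
            if (grpstatus == NULL) {
                return DECLINED;        /* DBM group? Something else? */
            }
            /* Remaining words are group names; any membership grants. */
            while (t[0]) {
                w = ap_getword_conf(r->pool, &t);
                if (ap_table_get(grpstatus, w)) {
                    return OK;
                }
            }
        }
        else if (sec->auth_authoritative) {
            /* if we aren't authoritative, any require directive could be
             * valid even if we don't grok it.  However, if we are
             * authoritative, we can warn the user they did something wrong.
             * That something could be a missing "AuthAuthoritative off", but
             * more likely is a typo in the require directive.
             */
            ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
                          "access to %s failed, "
                          "reason: unknown require directive:"
                          "\"%s\"", r->uri, reqs[x].requirement);
        }
    }

    /* No 'require' line applied to this method: nothing to enforce. */
    if (! method_restricted) {
        return OK;
    }

    /* Let another module decide when we are not authoritative. */
    if (! sec->auth_authoritative) {
        return DECLINED;
    }

    ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
                  "access to %s failed, reason: user %s not allowed access",
                  r->uri, user);
    ap_note_basic_auth_failure(r);
    return AUTH_REQUIRED;
}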
/*
 * auth_checker hook (2.0-style mod_auth): evaluate the 'require' lines
 * that apply to this request's method against the authenticated r->user.
 *
 * Returns OK on the first satisfied requirement, or when no 'require'
 * line restricts this method; DECLINED when a 'group' requirement is met
 * with no group table, or when nothing matched and the module is not
 * authoritative; HTTP_UNAUTHORIZED -- after ap_note_basic_auth_failure()
 * -- when it is authoritative and nothing matched.  Unknown require
 * keywords are logged only in the authoritative case, because another
 * module may understand them.
 *
 * Assumes r->user was set by the authentication phase; there is no NULL
 * check before strcmp() -- TODO confirm against the caller.
 *
 * NOTE(review): the DECLINED inside the loop abandons the remaining
 * 'require' lines and the authoritative check at the bottom; what the
 * request then gets depends on the other auth_checker modules and the
 * core's handling of an all-decline -- confirm that path cannot grant.
 */
static int check_user_access(request_rec *r)
{
    const apr_array_header_t *reqs_arr = ap_requires(r);
    auth_config_rec *conf;
    require_line *reqs;
    apr_table_t *grpstatus = NULL;
    int method = r->method_number;
    int restricted = 0;
    int i;

    /* BUG FIX: tadc, 11-Nov-1995.  If there is no "requires" directive,
     * then any user will do.
     */
    if (reqs_arr == NULL) {
        return OK;
    }

    conf = ap_get_module_config(r->per_dir_config, &auth_module);
    reqs = (require_line *)reqs_arr->elts;

    /* Group table is loaded once, up front, only when a group file is set. */
    if (conf->auth_grpfile != NULL) {
        grpstatus = groups_for_user(r, r->user, conf->auth_grpfile);
    }

    for (i = 0; i < reqs_arr->nelts; i++) {
        const require_line *line = &reqs[i];
        const char *rest;
        const char *keyword;

        /* Skip lines whose <Limit> mask does not cover this method. */
        if ((line->method_mask & (AP_METHOD_BIT << method)) == 0) {
            continue;
        }
        restricted = 1;

        rest = line->requirement;
        keyword = ap_getword_white(r->pool, &rest);

        if (strcmp(keyword, "valid-user") == 0) {
            return OK;
        }

        if (strcmp(keyword, "user") == 0) {
            /* Remaining words are user names; an exact match grants. */
            while (rest[0] != '\0') {
                const char *name = ap_getword_conf(r->pool, &rest);

                if (strcmp(r->user, name) == 0) {
                    return OK;
                }
            }
        }
        else if (strcmp(keyword, "group") == 0) {
            if (grpstatus == NULL) {
                return DECLINED;        /* DBM group? Something else? */
            }
            /* Remaining words are group names; any membership grants. */
            while (rest[0] != '\0') {
                const char *name = ap_getword_conf(r->pool, &rest);

                if (apr_table_get(grpstatus, name) != NULL) {
                    return OK;
                }
            }
        }
        else if (conf->auth_authoritative) {
            /* if we aren't authoritative, any require directive could be
             * valid even if we don't grok it.  However, if we are
             * authoritative, we can warn the user they did something wrong.
             * That something could be a missing "AuthAuthoritative off", but
             * more likely is a typo in the require directive.
             */
            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                          "access to %s failed, reason: unknown require "
                          "directive:\"%s\"", r->uri, line->requirement);
        }
    }

    /* No applicable 'require' line: nothing to enforce. */
    if (!restricted) {
        return OK;
    }

    /* Not authoritative: let another module decide. */
    if (!conf->auth_authoritative) {
        return DECLINED;
    }

    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                  "access to %s failed, reason: user %s not allowed access",
                  r->uri, r->user);
    ap_note_basic_auth_failure(r);
    return HTTP_UNAUTHORIZED;
}