On Sun, Mar 3, 2013 at 2:46 AM, Igor Cicimov <icicimov@xxxxxxxxx> wrote:
>
> On 03/03/2013 3:34 PM, "James Martin" <james.s.martin@xxxxxxxxx> wrote:
>>
>> Folks,
>>
>> I'm attempting to use multiple LimitExcept directives in one
>> Location. Basically I want to give the "Actor" ldap group GET &
>> PUT access, the "WeatherMan" ldap group only GET access, and the
>> "Actor" ldap group PUT access. I'm open to using either apache 2.2 or
>> 2.4, as I see that apache 2.4 supports nesting of the Limit and
>> LimitExcept directives. This is what I've tried so far:
>>
>
> Can you please first check the above bold out groups for us? Is that correct
> or one of them should be Artist instead?
>

I realize there was a typo there, sorry about that. I said Actor twice.
The groups should be Artist, Actor, and WeatherMan. Here's the proper text:

Basically I want to give the "Artist" ldap group GET & PUT access, the
"WeatherMan" ldap group only GET access, and the "Actor" ldap group PUT
access. I'm open to using either apache 2.2 or 2.4, as I see that apache 2.4
supports nesting of the Limit and LimitExcept directives.
This is what I've tried so far:

<Location "/boballcharlieputs">
    <LimitExcept GET PUT>
        Require ldap-group cn=Artist, ou=groups, o=company
    </LimitExcept>
    <LimitExcept GET>
        Require ldap-group cn=WeatherMan, ou=groups, o=company
    </LimitExcept>
    <LimitExcept PUT>
        Require ldap-group cn=Actor, ou=groups, o=company
    </LimitExcept>
</Location>

>>
>> <Location "/boballcharlieputs">
>> AuthType Basic
>> AuthName "Secure Area"
>> AuthBasicProvider ldap
>> AuthLDAPURL
>> "ldap://localhost:10389/ou=users,o=company?uid"
>> AuthLDAPBindDN uid=binder,ou=users,o=bashoproserv
>> AuthLDAPBindPassword password
>
>
>> <LimitExcept GET PUT>
>> Require ldap-group cn=Actor, ou=groups, o=company
>> </LimitExcept>
>
> From the docs:
>
> <LimitExcept> and </LimitExcept> are used to enclose a group of access
> control directives which will then apply to any HTTP access method not
> listed in the arguments
>

It is my understanding that if you have GET PUT within LimitExcept then you
are limiting all operations *except* GET & PUT.

> In this context, isn't your above statement actually achieving the opposite
> from what you want?
>
>> <LimitExcept GET>
>> Require ldap-group cn=WeatherMan, ou=groups, o=company
>> </LimitExcept>
>> <LimitExcept PUT>
>> Require ldap-group cn=Actor, ou=groups, o=company
>> </LimitExcept>
>> </Location>
>>
>> In this case Apache only processes the last LimitExcept, so the only
>> operation that is successful is the PUT by a user in the Actor ldap
>> group.
>>
>>
>> I've also attempted to nest these statements (new feature in 2.4) and
>> apache complains:
>>
>> "<LimitExcept> directive specifies methods already excluded"
>>
>> Here is that example:
>>
>> <LimitExcept GET PUT>
>> Require ldap-group cn=Artist, ou=groups, o=bashoproserv
>> <LimitExcept PUT>
>> Require ldap-group cn=Actor, ou=groups, o=bashoproserv
>> </LimitExcept>
>> </LimitExcept>
>>
>
> So is it Actor or Artist or both??? Can't see Artist in the first example...
>
> The docs further say:
>
> The <Limit> and <LimitExcept> directives may be nested. In this case, each
> successive level of <Limit> or <LimitExcept> directives must further
> restrict the set of methods to which access controls apply.
>
> When using <Limit> or <LimitExcept> directives with the Require directive,
> note that the first Require to succeed authorizes the request, regardless of
> the presence of other Require directives.
>
> So, assuming GET+PUT for Artist, GET for WeatherMan and PUT for Actor, and
> having the above said in mind, I would try something like this:
>
>
> <Limit GET PUT>
> Require ldap-group cn=Artist, ou=groups, o=company
> </Limit>
> <Limit GET>
>
> Require ldap-group cn=WeatherMan, ou=groups, o=company
> </Limit>
> <Limit PUT>
>
> Require ldap-group cn=Actor, ou=groups, o=company
> </Limit>
>

I attempted your method and it *does* seem to work as I wanted (thanks!);
however, my concern is as per the docs:

"""
The following example applies the access control only to the methods POST,
PUT, and DELETE, leaving all other methods unprotected:

<Limit POST PUT DELETE>
Require valid-user
</Limit>
"""

To me that means that GET, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH,
MKCOL, COPY, MOVE, LOCK, and UNLOCK are not restricted at all. It also
mentions

"""
A <LimitExcept> section should always be used in preference to a <Limit>
section when restricting access, since a <LimitExcept> section provides
protection against arbitrary methods.
"""

Perhaps I need to combine the Limit with a LimitExcept to catch all of the
other methods not defined?

Thanks,

- James

>> I feel like I'm very close to getting this working, but I'm not quite
>> grasping how to stack the LimitExcepts properly.
>>
>> Thanks for your help,
>>
>>
>> James
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
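To make the combination James asks about at the end of the thread concrete, here is an added example configuration. It was written for this page and is not something either participant posted; it targets Apache 2.4 with mod_authz_core and mod_authnz_ldap (the `Require all denied` form does not exist in 2.2, where the equivalent inside the catch-all would be `Order deny,allow` plus `Deny from all`). It keeps the per-method `<Limit>` sections Igor suggested and adds the `<LimitExcept GET PUT>` catch-all so that every other method is refused instead of being left unprotected. The Location path, LDAP URL, bind DN and group DNs are the ones quoted in the thread (with `o=company` used throughout); the bind password is a placeholder.

```apache
# Added example, not from the thread. Apache 2.4: mod_authz_core,
# mod_authnz_ldap and mod_ldap must be loaded. Names are taken from the
# thread; the bind password is a placeholder.
<Location "/boballcharlieputs">
    AuthType Basic
    AuthName "Secure Area"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://localhost:10389/ou=users,o=company?uid"
    AuthLDAPBindDN "uid=binder,ou=users,o=company"
    AuthLDAPBindPassword "CHANGEME"

    # Catch-all first: any method that is NOT GET or PUT (POST, DELETE,
    # OPTIONS, PROPFIND, MKCOL, COPY, MOVE, ...) is refused outright.
    # Without this section the <Limit> blocks below would leave those
    # methods unprotected, because no Require directive would apply to them.
    <LimitExcept GET PUT>
        Require all denied
    </LimitExcept>

    # GET (and HEAD, which <Limit GET> also covers): Artist or WeatherMan.
    # The default authorization logic is RequireAny, so the first Require
    # that succeeds authorizes the request.
    <Limit GET>
        Require ldap-group cn=Artist,ou=groups,o=company
        Require ldap-group cn=WeatherMan,ou=groups,o=company
    </Limit>

    # PUT: Artist or Actor.
    <Limit PUT>
        Require ldap-group cn=Artist,ou=groups,o=company
        Require ldap-group cn=Actor,ou=groups,o=company
    </Limit>
</Location>

# TRACE is not subject to <Limit>/<LimitExcept>; turn it off server-wide.
TraceEnable off
```

Check the syntax with `apachectl -t` (or `httpd -t`) before reloading, then confirm the behaviour with requests for each method: a GET as a WeatherMan member succeeds, a PUT from the same user is refused, and a POST or DELETE from any user is refused regardless of group. Note that with the default `AuthzSendForbiddenOnFailure off`, a user who authenticates but fails the group check receives a 401 re-challenge rather than a 403, so do not read a 401 in the access log as "no credentials were sent".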