[mod_lua] Successful arbitrary authentication with denied access on the resource results in a core:error AH00571 message in the logs about a missing AuthType

I am using an arbitrary authentication with mod_lua which works so far.

Authentication is done via mod_lua:

https://httpd.apache.org/docs/2.4/de/mod/mod_lua.html#luahookcheckuserid

Authorization is done via mod_authz_svn.

I did that and set r.user = 'foo' to the request - just always the same
for this example, which is neither None, Form, Basic, or Digest
AuthType.

If a later authz_module in the stack, e.g. mod_authz_svn denies, based
on authorization rules in the authz access file, that request to the
user foo, you get the correct result (Forbidden):

[Wed Jan 24 10:46:27.544461 2018] [authz_svn:debug] [pid 7979:tid 140737136023296] subversion/mod_authz_svn/mod_authz_svn.c(448): [client 127.0.0.1:19868] Path to authz file is /home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz
[Wed Jan 24 10:46:34.792089 2018] [authz_core:debug] [pid 7979:tid 140737136023296] mod_authz_core.c(809): [client 127.0.0.1:19868] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Jan 24 10:46:34.792152 2018] [authz_core:debug] [pid 7979:tid 140737136023296] mod_authz_core.c(809): [client 127.0.0.1:19868] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Jan 24 10:46:34.792167 2018] [authz_core:debug] [pid 7979:tid 140737136023296] mod_authz_core.c(809): [client 127.0.0.1:19868] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Jan 24 10:46:34.792176 2018] [authz_core:debug] [pid 7979:tid 140737136023296] mod_authz_core.c(809): [client 127.0.0.1:19868] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Jan 24 10:46:34.792570 2018] [lua:debug] [pid 7979:tid 140737136023296] lua_request.c(1848): [client 127.0.0.1:19868] AH01487: request_rec->dispatching debug -> lua_CFunction
[Wed Jan 24 10:46:34.792586 2018] [lua:debug] [pid 7979:tid 140737136023296] @/etc/apache2/auth.lua(13): [client 127.0.0.1:19868] user foo: OK
[Wed Jan 24 10:46:34.792611 2018] [authz_svn:debug] [pid 7979:tid 140737136023296] subversion/mod_authz_svn/mod_authz_svn.c(448): [client 127.0.0.1:19868] Path to authz file is /home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz
[Wed Jan 24 10:46:34.792664 2018] [authz_svn:error] [pid 7979:tid 140737136023296] [client 127.0.0.1:19868] Access denied: 'foo' GET basic_tests-10:/iota

The problem in terms of log output is the next line in the log:

[Wed Jan 24 10:46:34.792675 2018] [core:error] [pid 7979:tid 140737136023296] [client 127.0.0.1:19868] AH00571: need AuthType to note auth failure: /svn-test-work/repositories/basic_tests-10/iota

For every denied request I get that - but AuthType is from here:

https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype

I've implemented neither None, Basic, Digest nor Form - so I did not set that on purpose, I just used the LuaHookCheckUserID directive to implement my arbitrary authentication hook - so it's more something like AuthType == CUSTOM.

<Location /svn-test-work/repositories>
  DAV               svn
  SVNParentPath     "/home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/repositories"
  LuaHookCheckUserID /etc/apache2/auth.lua authcheck_hook early
  AuthzSVNAccessFile "/home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz"
  Require           valid-user
  SVNAdvertiseV2Protocol on
  SVNCacheRevProps  off
</Location>

Can this check:

https://marc.info/?l=apache-httpd-dev&m=100690636419555&w=1

take into account that auth is configured via the mod_lua hooks and that AuthType is not set, authentication was done but it was denied to the user on purpose - this should not log a core:error in that case, opinions?

kind regards

Torsten
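
Added example, not part of the original message and not httpd or Subversion code: a log triage helper that separates AH00571 lines which directly follow an authz_svn denial for an already authenticated user (the case described above) from AH00571 lines with no such predecessor. The function name, the verdict labels and the sample log are constructed for illustration; the sample lines follow the error-log format quoted in the message, with shortened thread ids and paths.

```python
import re

# Apache 2.4 error-log line: [time] [module:level] [pid N:tid M] [source(line): ] [client ip:port] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<mod>\w+):(?P<level>\w+)\] "
    r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"(?:\S+\(\d+\): )?\[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)
# Denial line as it appears in the quoted log: Access denied: 'user' METHOD repo:/path
DENIED_RE = re.compile(r"^Access denied: '(?P<user>[^']+)' ")

# Constructed sample input (tid and paths shortened).
SAMPLE_LOG = """\
[Wed Jan 24 10:46:34.792586 2018] [lua:debug] [pid 7979:tid 1001] @/etc/apache2/auth.lua(13): [client 127.0.0.1:19868] user foo: OK
[Wed Jan 24 10:46:34.792664 2018] [authz_svn:error] [pid 7979:tid 1001] [client 127.0.0.1:19868] Access denied: 'foo' GET repo:/iota
[Wed Jan 24 10:46:34.792675 2018] [core:error] [pid 7979:tid 1001] [client 127.0.0.1:19868] AH00571: need AuthType to note auth failure: /repo/iota
[Wed Jan 24 10:47:02.100000 2018] [core:error] [pid 7979:tid 1002] [client 127.0.0.1:19870] AH00571: need AuthType to note auth failure: /other
""".splitlines()


def triage_ah00571(lines):
    """Return (timestamp, verdict, user) for every AH00571 line.

    'authz-denial': the previous line from the same pid/tid/client is an
                    authz_svn denial naming an authenticated user.
    'unexplained' : no such line precedes it; review the AuthType setup.
    """
    last = {}  # (pid, tid, client) -> user denied on the previous line, or None
    results = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an error-log line in the expected format
        key = (m["pid"], m["tid"], m["client"])
        if m["mod"] == "core" and m["msg"].startswith("AH00571:"):
            user = last.get(key)
            results.append((m["ts"], "authz-denial" if user else "unexplained", user))
            last[key] = None
            continue
        is_authz_error = m["mod"] == "authz_svn" and m["level"] == "error"
        denied = DENIED_RE.match(m["msg"]) if is_authz_error else None
        last[key] = denied["user"] if denied else None
    return results


if __name__ == "__main__":
    for ts, verdict, user in triage_ah00571(SAMPLE_LOG):
        print(ts, verdict, user)
```

Lines reported as 'unexplained' are the ones worth a look, since nothing in the log shows a user having been authenticated and then denied before the core:error was written.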
