Re: [mod_lua] Successful arbitrary authentication with denied access on the resource results in a core:error AH00571 message in the logs about a missing AuthType

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

> Lots of things could be better. To me it is clear that the overall
> system expects an AuthType to be set if you will be doing authn and
> authz.

Thx for clarification - this was at least not clear to me.

> 
> The error message is one indication of that

But it appears only if the authorization backend does deny the access -
if it let you pass, you won't get any error message.
So its difficult to "know" that you should configure it.

> 
> IIUC, a normal authentication provider would check the configured
> authtype. So it would not be ideal for Lua to programatically
> configure it just because the hook has been implemented by a script.

Hm - the lua authz provider here:

https://httpd.apache.org/docs/trunk/mod/mod_lua.html#luaauthzprovider

does not check that, neither any of the other examples there.
So if i use that *normal* one from the example there and tweak it to my
needs i would not know what other providers in general would do -
*normal* makes assumptions about httpd internals on other places which
not anyone has.
Coming from a user perspective which wants to use the things there its
hard to *know* such things - if you're a familiar httpd developer of
cause it seems clear to you.

...
This can be used to implement arbitrary authentication and authorization
checking.
...

To sum it up:

I should set AuthType if i am using some of those handlers, correct?
And do we agree that the docs should mention that?

> 
> > And i am curious - why its dangerous? If it is dangerous - shouldn't the
> > docs have some note about this added?
> > Reading them i was under the impression - and because httpd does not
> > bail about it - that its not needed using the lua handlers.
> 
> To me It's dangerous because to me it looks like
> unintended/undesigned/undefined config/behavior in the area of access
> control and that error message is the hint.

That sounds feasible - but to users of httpd + mod_lua which just read
the docs and does not study the code of other providers - how should
they know that this is a undefined config / behaviour.

The examples and docs imho should mention that, shouldn't it?

And wouldn't it be a good idea to let httpd configtest fail if those
auth handlers are used but no AuthType is set - just to omit undefined
behaviour?

kind regards

Torsten

Attachment: smime.p7s
Description: S/MIME cryptographic signature

[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux