Hello, I tried a lot of stuff. Yes, setting uid in itk_map_to_storage() or in itk_dirwalk_stat() will work, but it is too early for the other modules:
Authentication and Authorization are done by mod_auth_openidc. After this step, the external user is known and mod_lua runs to map the external user to the local user. So, the mpm_itk module doesn't know the user during the map_to_storage or dirwalk_stat step. Authentication and authorization are handled after dirwalk_stat.
I tried to run dirwalk_stat REALLY_LAST, but this made it worse. In this configuration, the ap_hook_dirwalk_stat didn't replace the original dirwalk_stat of apache2-httpd. So this was run first. I also tried a hack, to run a dirwalk_stat_dummy() MIDDLE or LAST and my dirwalk_stat() REALLY_LAST too. The dummy function was called, but the REALLY_LAST one was not.
Maybe there is some way to run the mod_auth_openidc earlier. I am able to run the lua step early, by setting a different lua hook. But mod_auth_openidc may not have the flexibility. This will end up in a really hacky mess.
Do you have some ideas? Maybe a way to shift ap_hook_dirwalk_stat() after ap_hook_auth_checker()? I don't need htaccess.
I believe all filesystem operations should happen after Auth, because users without permissions should trigger the fewest possible actions on the system. If file system operations happen before authentication, it is easy to DDoS and there will be some information leak, because the latency of the response varies depending on the existence of the resource.
Best regards
Stefan Helmert

On 31.03.23 at 15:10, Yann Ylavic wrote:
> On Fri, Mar 31, 2023 at 2:46 PM Yann Ylavic <ylavic.dev@xxxxxxxxx> wrote:
> > On Fri, Mar 31, 2023 at 2:27 PM Yann Ylavic <ylavic.dev@xxxxxxxxx> wrote:
> > > Hello,
> > >
> > > On Fri, Mar 31, 2023 at 8:18 AM Stefan Helmert <s.helmert@xxxxxxx> wrote:
> > > > in my setup, httpd runs on a specific uid and delegates transfers to mpm_itk with AssignUserIDExpr %{reqenv:MAPPED_USER} dynamic uid. The problem is: httpd runs ap_directory_walk() with its own uid before delegating to mpm_itk with the dynamic uid. This fails, because httpd doesn't have the permissions to read the directory. How can I disable ap_directory_walk() or delegate it to mpm_itk?
> > >
> > > I can't think of a configuration that could change this behaviour, but if you can patch mpm_itk I'd suggest to try to make the itk_post_perdir_config hook an itk_map_to_storage hook instead (APR_HOOK_REALLY_FIRST still, but returning DECLINED on success so that the next map_to_storage hooks run too). That's from a quick look at mpm_itk code (and I know very little about this MPM), but it looks like it could work..
> >
> > So something like the attached patch possibly.
>
> [sorry for the spam, reading more of mpm_itk code..]
>
> The comment on itk_dirwalk_stat() suggests that it should be allowed to read any file with httpd's uid/gid rights and that the switch to AssignUserID should happen later (though there is an issue with kept-alive connections obviously once the ids are changed..). So I'm not sure what the security model of mpm_itk is, it seems that files should still be "owned" by httpd's user so that once AssignUserID is in place it can't do anything with them, which is not the same as setting files access rights to each AssignUserID individually. So be aware that the proposed patch here is probably not what mpm_itk users usually want..
>
> Regards;
> Yann.