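/* Copyright 2008 Jan Wolter - See LICENSE and NOTICE */

#include "apr_lib.h"
#include "ap_config.h"
#include "ap_provider.h"
#include "mod_auth.h"
#define APR_WANT_STRFUNC
#include "apr_want.h"
#include "apr_strings.h"
#include "httpd.h"
#include "http_config.h"
#include "http_core.h"
#include "http_log.h"
#include "http_protocol.h"
#include "http_request.h"   /* for ap_hook_(check_user_id | auth_checker)*/

#include <errno.h>
#if HAVE_PWD_H
#include <pwd.h>
#endif
#if HAVE_GRP_H
#include <grp.h>
#endif
#if APR_HAVE_UNISTD_H
#include <unistd.h>
#endif

/*
 * Structure for the module itself.  The actual definition of this structure
 * is at the end of the file.
 */
module AP_MODULE_DECLARE_DATA authz_unixgroup_module;

/* Handle for retrieving the requested file's group from mod_authz_owner.
 * It is filled in by the optional_fn_retrieve hook (see below) and stays
 * NULL when mod_authz_owner is not loaded, so every use must test it first
 * instead of calling through it blindly. */
APR_DECLARE_OPTIONAL_FN(char*, authz_owner_get_file_group, (request_rec *r));
static APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group)
    *authz_owner_get_file_group = NULL;

/* Buffer sizing for the reentrant passwd/group lookups: the size used when
 * sysconf() gives no hint, and the ceiling to which an ERANGE retry may
 * grow the buffer before we give up on the entry. */
#define NSS_BUF_DEFAULT 16384
#define NSS_BUF_MAX     (1024 * 1024)

#ifdef _SC_GETPW_R_SIZE_MAX
#define PW_BUF_HINT sysconf(_SC_GETPW_R_SIZE_MAX)
#else
#define PW_BUF_HINT (-1L)
#endif
#ifdef _SC_GETGR_R_SIZE_MAX
#define GR_BUF_HINT sysconf(_SC_GETGR_R_SIZE_MAX)
#else
#define GR_BUF_HINT (-1L)
#endif

/* Turn a sysconf() hint (or -1 when unavailable) into a usable buffer size. */
static apr_size_t nss_buf_size(long hint)
{
    return (hint > 0) ? (apr_size_t)hint : NSS_BUF_DEFAULT;
}

/* Look up the passwd entry for `name' with getpwnam_r().  The plain
 * getpwnam() returns a pointer into a static buffer, so concurrent lookups
 * in a threaded MPM can hand one request another user's entry (and hence
 * the wrong primary gid); the reentrant form keeps each result in memory
 * owned by this request's pool.  Returns NULL when there is no such account
 * or the lookup fails for any reason. */
static struct passwd *lookup_user(apr_pool_t *p, const char *name)
{
    struct passwd *pw = apr_palloc(p, sizeof(*pw));
    apr_size_t len = nss_buf_size(PW_BUF_HINT);

    for (;;) {
        struct passwd *result = NULL;
        char *buf = apr_palloc(p, len);
        int rc = getpwnam_r(name, pw, buf, len, &result);

        if (rc == ERANGE && len < NSS_BUF_MAX) {
            len *= 2;       /* entry did not fit: retry with a bigger buffer */
            continue;
        }
        return (rc == 0) ? result : NULL;
    }
}

/* Look up a group by name (when `name' is non-NULL) or by numeric gid,
 * reentrantly, for the same reason as lookup_user().  Returns NULL when the
 * group does not exist or the lookup fails. */
static struct group *lookup_group(apr_pool_t *p, const char *name, gid_t gid)
{
    struct group *gr = apr_palloc(p, sizeof(*gr));
    apr_size_t len = nss_buf_size(GR_BUF_HINT);

    for (;;) {
        struct group *result = NULL;
        char *buf = apr_palloc(p, len);
        int rc = name ? getgrnam_r(name, gr, buf, len, &result)
                      : getgrgid_r(gid, gr, buf, len, &result);

        if (rc == ERANGE && len < NSS_BUF_MAX) {
            len *= 2;
            continue;
        }
        return (rc == 0) ? result : NULL;
    }
}

/* Parse a Require token that starts with a digit as a numeric gid.
 * Returns 1 and stores the gid only when the WHOLE token is a decimal
 * number that fits in gid_t.  "10abc" or an out-of-range value is rejected,
 * rather than silently truncated to 10 (or overflowed) the way atoi() did. */
static int parse_gid(const char *tok, gid_t *out)
{
    char *end = NULL;
    apr_int64_t v;

    errno = 0;
    v = apr_strtoi64(tok, &end, 10);
    if (errno != 0 || end == tok || *end != '\0' || v < 0
        || (apr_int64_t)(gid_t)v != v) {
        return 0;
    }
    *out = (gid_t)v;
    return 1;
}

/* True when `user' (whose primary gid is `pw_gid') belongs to `grp': either
 * it is the user's primary group, or the user is listed among the group's
 * supplementary members.  A NULL group never matches. */
static int user_in_group(const char *user, gid_t pw_gid, const struct group *grp)
{
    char **member;

    if (grp == NULL) {
        return 0;
    }
    if (grp->gr_gid == pw_gid) {
        return 1;
    }
    for (member = grp->gr_mem; member != NULL && *member != NULL; member++) {
        if (strcmp(user, *member) == 0) {
            return 1;
        }
    }
    return 0;
}

/* Check if the authenticated user is in any of the groups in `grouplist',
 * a whitespace-separated list (quoting as per ap_getword_conf) of unix
 * group names or numeric group ids.  There must be a unix login matching
 * the (realm-stripped) user name; otherwise the answer is "no".
 * Returns 1 on a match, 0 otherwise -- a failed lookup never grants. */
static int check_unix_group(request_rec *r, const char *grouplist)
{
    const char *user;
    const char *at;
    struct passwd *pwd;

    if (r->user == NULL || grouplist == NULL) {
        return 0;
    }

    /* Strip an '@' and anything following it from the username.  Some
     * authentication modules, like mod_auth_kerb, append "@REALM" to user
     * names, but an '@' is never legal in a unix login name, so it is safe
     * to discard.  NOTE: the realm is not checked at all here, so "alice@A"
     * and "alice@B" both map to local user "alice"; restrict the realms the
     * authenticator accepts if that distinction matters.
     * Work on a pool copy rather than editing r->user in place. */
    at = strchr(r->user, '@');
    user = at ? apr_pstrmemdup(r->pool, r->user, (apr_size_t)(at - r->user))
              : r->user;
    if (*user == '\0') {
        return 0;
    }

    pwd = lookup_user(r->pool, user);
    if (pwd == NULL) {
        return 0;       /* no such login - forget it */
    }

    while (*grouplist != '\0') {
        char *w = ap_getword_conf(r->pool, &grouplist);
        struct group *grp;

        if (*w == '\0') {
            continue;
        }

        if (apr_isdigit((unsigned char)w[0])) {
            gid_t gid;

            if (!parse_gid(w, &gid)) {
                ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
                              "Ignoring malformed numeric group id '%s' "
                              "in Require list", w);
                continue;
            }
            /* A numeric id matches the primary group even when /etc/group
             * has no entry for it. */
            if (gid == pwd->pw_gid) {
                return 1;
            }
            grp = lookup_group(r->pool, NULL, gid);
        }
        else {
            grp = lookup_group(r->pool, w, 0);
        }

        if (user_in_group(user, pwd->pw_gid, grp)) {
            return 1;
        }
    }

    return 0;           /* didn't find any matches, flunk him */
}

/* Config-time check of a "Require unix-group ..." line: reject numeric
 * tokens that are not well-formed gids so a typo fails at startup instead of
 * being silently ignored (or mis-parsed) at request time.  Returns NULL on
 * success or an error message for the config parser. */
static const char *unixgroup_parse_require(cmd_parms *cmd,
                                           const char *require_line,
                                           const void **parsed_require_line)
{
    const char *rest = require_line;

    while (rest != NULL && *rest != '\0') {
        char *w = ap_getword_conf(cmd->pool, &rest);
        gid_t gid;

        if (*w != '\0' && apr_isdigit((unsigned char)w[0])
            && !parse_gid(w, &gid)) {
            return apr_pstrcat(cmd->pool, "Malformed numeric group id '", w,
                               "' in Require unix-group", NULL);
        }
    }
    *parsed_require_line = NULL;    /* nothing precomputed; we re-scan per request */
    return NULL;
}

/* Provider for "Require unix-group g1 g2 ...". */
static authz_status unixgroup_check_authorization(request_rec *r,
                                                  const char *require_args,
                                                  const void *parsed_require_args)
{
    (void)parsed_require_args;

    /* If no authenticated user, pass -- let the authenticator prompt. */
    if (!r->user) {
        return AUTHZ_DENIED_NO_USER;
    }

    if (check_unix_group(r, require_args)) {
        return AUTHZ_GRANTED;
    }

    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                  "Authorization of user %s to access %s failed. "
                  "User not in Required unix groups (%s).",
                  r->user, r->uri, require_args);
    return AUTHZ_DENIED;
}

/* Provider for "Require unix-file-group": the user must belong to the unix
 * group owning the requested file, as reported by mod_authz_owner. */
static authz_status unixfilegroup_check_authorization(request_rec *r,
                                                      const char *require_args,
                                                      const void *parsed_require_args)
{
    const char *filegroup;

    (void)require_args;
    (void)parsed_require_args;

    /* If no authenticated user, pass -- let the authenticator prompt. */
    if (!r->user) {
        return AUTHZ_DENIED_NO_USER;
    }

    /* Without mod_authz_owner there is nothing to compare against.  Fail
     * closed (and loudly) instead of calling through a NULL pointer. */
    if (authz_owner_get_file_group == NULL) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                      "Require unix-file-group for %s needs mod_authz_owner, "
                      "which is not loaded; denying access", r->uri);
        return AUTHZ_DENIED;
    }

    /* Get group name for requested file from mod_authz_owner */
    filegroup = authz_owner_get_file_group(r);
    if (!filegroup) {
        /* No error log entry, because mod_authz_owner already made one */
        return AUTHZ_DENIED;
    }

    if (check_unix_group(r, filegroup)) {
        return AUTHZ_GRANTED;
    }

    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                  "Authorization of user %s to access %s failed. "
                  "User not in Required unix file group (%s).",
                  r->user, r->uri, filegroup);
    return AUTHZ_DENIED;
}

static const authz_provider authz_unixgroup_provider =
{
    &unixgroup_check_authorization,
    &unixgroup_parse_require,
};

static const authz_provider authz_unixfilegroup_provider =
{
    &unixfilegroup_check_authorization,
    NULL,
};

/* Runs once every module has registered its optional functions, so the
 * lookup does not depend on LoadModule order the way doing it directly in
 * register_hooks would (mod_authz_owner may be loaded after this module). */
static void authz_unixgroup_retrieve_optional_fns(void)
{
    authz_owner_get_file_group =
        APR_RETRIEVE_OPTIONAL_FN(authz_owner_get_file_group);
}

static void authz_unixgroup_register_hooks(apr_pool_t *p)
{
    /* Get a handle on mod_authz_owner once all modules are loaded */
    ap_hook_optional_fn_retrieve(authz_unixgroup_retrieve_optional_fns,
                                 NULL, NULL, APR_HOOK_MIDDLE);

    /* Register authz providers */
    ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "unix-group",
                              AUTHZ_PROVIDER_VERSION,
                              &authz_unixgroup_provider,
                              AP_AUTH_INTERNAL_PER_CONF);
    ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "unix-file-group",
                              AUTHZ_PROVIDER_VERSION,
                              &authz_unixfilegroup_provider,
                              AP_AUTH_INTERNAL_PER_CONF);
}

module AP_MODULE_DECLARE_DATA authz_unixgroup_module =
{
    STANDARD20_MODULE_STUFF,
    NULL,                           /* create per-dir config */
    NULL,                           /* merge per-dir config */
    NULL,                           /* create per-server config */
    NULL,                           /* merge per-server config */
    NULL,                           /* command apr_table_t */
    authz_unixgroup_register_hooks  /* register hooks */
};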
Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. 
For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. 
Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the 
Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. 
Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. 
To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. mod_authz_unixgroup-1.1.0/README0000644000175000001440000000502011643376700015176 0ustar janusers Mod_Authz_Unixgroup version 1.1.0 Author: Jan Wolter Website: http://www.unixpapa.com/mod_authz_unixgroup/ Requires: Apache 2.3 or later on a Unix server (for Apache 2.2 use mod_authz_unixgroup 1.0.x) Mod_Authz_Unixgroup is a unix group access control modules for Apache. If you are having users authenticate with real Unix login ID over the net, using something like my mod_authnz_external/pwauth combination, and you want to do access control based on unix group membership, then mod_authz_unixgroup is exactly what you need. Let's say that you were using this with mod_authnz_external and pwauth. 
Your .htaccess file for a protected directory would probably start with the following directives: AuthType Basic AuthName mysite AuthBasicProvider external AuthExternal pwauth That would cause mod_auth_basic and mod_authnz_external to do authentication based on the Unix passwd database. Mod_Authz_Unixgroup would come into play if you wanted to further restrict access to specific Unix groups. You might append the following directive: Require unix-group staff admin This would allow access only to accounts in the 'staff' or 'admin' unix groups. You can alternately specify groups by their gid numbers instead of their names. Or you could use mod_authz_unixgroup together with the standard apache module mod_authz_owner to do something like: Require unix-file-group This would allow access to the page only if the user is a member of the unix group that owns the file. Though it makes the most sense to use this with unix passwd authentication, it can be used with other databases. In that case it would grant access if, (1) the name the user authenticated with exactly matched the name of a real unix account on the server, and (2) that real unix account was in one of the required groups. Be aware that this means a user from the other database who merely shares a name with a local account inherits that account's group memberships, so only do this when the two namespaces are guaranteed to agree. I think this would be a pretty senseless way to use this module; I expect that it will really only be used by users of mod_authnz_external/pwauth. Some authentication modules, like mod_auth_kerb, use usernames that have domains appended to them, like "whomever@krb.ncsu.edu". In such cases, mod_authz_unixgroup will take the part before the @-sign as the username and ignore the rest. Note that the realm is discarded entirely, so principals with the same name in different realms all map to the same local account; if that matters, restrict the realms the authentication module accepts. Mod_authnz_external is available from: http://code.google.com/p/mod-auth-external/ Pwauth is available from: http://code.google.com/p/pwauth/ It might also be possible to use this with mod_auth_shadow, especially if an authn/authz version of that is ever released.
mod_authz_unixgroup-1.1.0/NOTICE0000644000175000001440000000033211643376700015223 0ustar janusersMod_authz_unixgroup Copyright 2008 Jan Wolter This product includes software developed by Jan Wolter. This product includes software developed at The Apache Software Foundation (http://www.apache.org/). mod_authz_unixgroup-1.1.0/CHANGES0000644000175000001440000000336011643376700015316 0ustar janusersv1.1.0 (Jan Wolter - Oct 6, 2011) ----------------------------------- * Revised to work as an access control provider in Apache 2.4. * Eliminated "AuthzUnixgroup on" directive because it is no longer needed. * Eliminated "AuthnzUnixgroupError 403" directive because it is supplanted by "AuthzSendForbiddenOnFailure On". * Eliminated "AuthzUnixgroupAuthoritative off" directive because the whole concept of authoritativeness is dead for access control providers in Apache 2.4. v1.0.3 (Jan Wolter - Oct 6, 2011) ------------------------------------ * Allow group names to be quoted, so that you can have group names with spaces in them. This change was suggested by David Homborg. * Document updated with references to versions for Apache 2.4. v1.0.2 (Jan Wolter - May 21, 2009) ------------------------------------ * Adding copyright and Apache Version 2.0 license in LICENSE and NOTICE files. * New directive: AuthzUnixgroupError, can be used to specify the HTTP error number to be returned on failure. v1.0.1 (Jan Wolter - Aug 6, 2008) ------------------------------------ * Delete various logging statements that were really just there for debugging and should have been removed sooner. * If there is an '@' in the user's login name, strip off that and anything after it. An '@' sign is never legal in an unix login name, and some authentication modules, like mod_auth_kerb, append an "@domain" to the user's login name. Both of the above modifications are inspired by patches made by Ken Lalonde . * Included "http_request.h" header file to surpress a harmless compile-time warning. 
v1.0.0 (Jan Wolter - Feb 19, 2006) ------------------------------------ * Original release mod_authz_unixgroup-1.1.0/INSTALL0000644000175000001440000001451311643376700015356 0ustar janusersHow to install mod_authz_unixgroup.c into Apache: NOTES: * Different versions of Apache require different versions of mod_authz_unixgroup: Apache 2.2.x requires mod_authz_unixgroup 1.0.x Apache 2.4.x requires mod_authz_unixgroup 1.1.x * There are two ways of installing mod_authz_unixgroup. (1) You can statically link it with Apache. This requires rebuilding Apache in such a way that mod_authz_unixgroup will be compiled in. (2) You can make mod_authz_unixgroup a dynamically loaded module. If your Apache has been built to support dynamically loaded modules you can do this without rebuilding Apache, so it is pretty easy. Performance may be slightly worse with this option. For information on dynamically loaded modules see http://www.apache.org/docs/dso.html Instructions for both options are given here. * There is also documentation in the README file. If you find this document unclear, reading that may help. INSTALL METHOD A: Dynamically Linking Mod_authz_unixgroup using apxs: --------------------------------------------------------------------- Step 1: Ensure that your Apache server is configured to handle dynamically loaded modules. To check this, run Apache server with the -l command flag, like httpd -l If mod_so.c is one of the compiled-in modules, then you are ready to go. Step 2: Compile the module using the following command in the mod_authz_unixgroup distribution directory: apxs -c mod_authz_unixgroup.c 'Apxs' is the Apache extension tool. It is part of the standard Apache installation. If you don't have it, then your Apache server is probably not set up for handling dynamically loaded modules. This should create a file named 'mod_authz_unixgroup.so'. Step 3: Install the module. Apxs can do this for you too. 
Do the following command (as root so you can write to Apache's directories and config files): apxs -i -a mod_authz_unixgroup.la This will create mod_authz_unixgroup.so and copy it into the proper place, and add appropriate AddModule and LoadModule commands to the configuration files. (Actually, it may get the LoadModule command wrong. See below.) Step 4: Go to the CONFIGURATION instructions below. INSTALL METHOD B: Statically Linking ------------------------------------ Step 1: Read the instructions on how to configure the Apache server in the INSTALL file provided with the Apache source. Step 2: When you run the ./configure script, include an --with-module flag, giving the full pathname to the mod_authz_unixgroup.c file in this distribution. For example, if you have unpacked this distribution in /usr/local/src/mod_authz_unixgroup and are building Apache for installation in /usr/local/apache, you might do: ./configure --prefix=/usr/local/apache \ --with-module=aaa:/usr/local/src/mod_authz_unixgroup/mod_authz_unixgroup.c This will copy the mod_authz_unixgroup.c file into the correct place in the Apache source tree and set things up to link it in. Step 3: Type "make" to compile Apache and "make install" to install it. Step 4: Go to the CONFIGURATION instructions below. CONFIGURATION: -------------- Mod_authz_unixgroup is extremely simple to use. Presumably you already are setting up some kind of authentication in a .htaccess file or in a block in the httpd.conf file. You'll just need to change the "Require" directive there to something like: Require unix-group admin or Require unix-group students teachers staff Obviously this only makes sense in a directory where you are doing authentication. This could be any kind of authentication, but it makes most sense if you are using it in combination with authentication out of the unix password file, perhaps using mod_auth_external together with pwauth, or mod_auth_shadow. 
The "Require group" directive will then cause mod_authz_unixgroup to check if the user is in one of the groups listed, and reject the authentication if they are not. A user is considered to be in a group if either (1) the group is the user's primary group identified by it's gid number in /etc/passwd, or (2) the group is listed in /etc/group and the user id is listed as a member of that group. If you are authenticating out of something other than the unix password database, then this can be used, but the effect is a bit odd. To pass the "Require group" test, there must (1) exist a unix account with the same name as the account the user authenticated in, and (2) that unix account must be in one of the unix groups listed on the Require line. It is also possible to list groups by gid number instead of name, like Require unix-group 10 would be equivalent to "Require group admin" if the gid listed for the group admin in /etc/group is 10. If mod_authz_owner is enabled in your httpd, then that will work with mod_authz_unixgroup to check access based on file groups. For example if we do: Require unix-file-group Then a user will be able to access a file if and only if that file is owned by a group of which the user is a member. Changes from Previous Versions: ------------------------------- Previous versions of mod_authz_unixgroup needed a 'AuthzUnixgroup on' to tell Apache that the "Require file-group" directive was supposed to be handled by mod_authz_unixgroup. Now we have a distinct directive, "Require unix-file-group" instead, so the 'AuthzUnixgroup' is no longer needed and no longer exists. Normally, when an access check fails, mod_authz_unixgroup will return a HTTP 401 error. This will typically cause the browser to pop up a message saying "Authentication Failed" and then the browser will ask for a new login name. In some cases this is not the desired behavior. 
If you are using the "Require unix-file-group" directive, you may not want to log the user off every time he hits a file he doesn't have access to. Maybe you'd rather just show a "Permission denied" message and not log him off. You could do that by returning a 403 error instead of a 401 error. Older versions of mod_authz_unixgroup had a directive called 'AuthnzUnixgroupError' that did this, but in Apache 2.4 that is replaced by the standard mod_authz_core directive: AuthzSendForbiddenOnFailure On There also used to be an 'AuthzUnixgroupAuthoritative' directive, which is also gone, since the whole concept of authoritativeness no longer applies to access control providers in Apache 2.4.