|
Packit |
90a5c9 |
/* Licensed to the Apache Software Foundation (ASF) under one or more
|
|
Packit |
90a5c9 |
* contributor license agreements. See the NOTICE file distributed with
|
|
Packit |
90a5c9 |
* this work for additional information regarding copyright ownership.
|
|
Packit |
90a5c9 |
* The ASF licenses this file to You under the Apache License, Version 2.0
|
|
Packit |
90a5c9 |
* (the "License"); you may not use this file except in compliance with
|
|
Packit |
90a5c9 |
* the License. You may obtain a copy of the License at
|
|
Packit |
90a5c9 |
*
|
|
Packit |
90a5c9 |
* http://www.apache.org/licenses/LICENSE-2.0
|
|
Packit |
90a5c9 |
*
|
|
Packit |
90a5c9 |
* Unless required by applicable law or agreed to in writing, software
|
|
Packit |
90a5c9 |
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
Packit |
90a5c9 |
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
Packit |
90a5c9 |
* See the License for the specific language governing permissions and
|
|
Packit |
90a5c9 |
* limitations under the License.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#include "apr_strings.h"
|
|
Packit |
90a5c9 |
#include "apr_file_info.h"
|
|
Packit |
90a5c9 |
#include "apr_user.h"
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#include "ap_config.h"
|
|
Packit |
90a5c9 |
#include "ap_provider.h"
|
|
Packit |
90a5c9 |
#include "httpd.h"
|
|
Packit |
90a5c9 |
#include "http_config.h"
|
|
Packit |
90a5c9 |
#include "http_core.h"
|
|
Packit |
90a5c9 |
#include "http_log.h"
|
|
Packit |
90a5c9 |
#include "http_protocol.h"
|
|
Packit |
90a5c9 |
#include "http_request.h"
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#include "mod_auth.h"
|
|
Packit |
90a5c9 |
#include "mod_authz_owner.h"
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const command_rec authz_owner_cmds[] =
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
{NULL}
|
|
Packit |
90a5c9 |
};
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
module AP_MODULE_DECLARE_DATA authz_owner_module;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static authz_status fileowner_check_authorization(request_rec *r,
|
|
Packit |
90a5c9 |
const char *require_args,
|
|
Packit |
90a5c9 |
const void *parsed_require_args)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
char *reason = NULL;
|
|
Packit |
90a5c9 |
apr_status_t status = 0;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
#if !APR_HAS_USER
|
|
Packit |
90a5c9 |
reason = "'Require file-owner' is not supported on this platform.";
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01632)
|
|
Packit |
90a5c9 |
"Authorization of user %s to access %s failed, reason: %s",
|
|
Packit |
90a5c9 |
r->user, r->uri, reason ? reason : "unknown");
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
#else /* APR_HAS_USER */
|
|
Packit |
90a5c9 |
char *owner = NULL;
|
|
Packit |
90a5c9 |
apr_finfo_t finfo;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!r->user) {
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED_NO_USER;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!r->filename) {
|
|
Packit |
90a5c9 |
reason = "no filename available";
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01633)
|
|
Packit |
90a5c9 |
"Authorization of user %s to access %s failed, reason: %s",
|
|
Packit |
90a5c9 |
r->user, r->uri, reason ? reason : "unknown");
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
status = apr_stat(&finfo, r->filename, APR_FINFO_USER, r->pool);
|
|
Packit |
90a5c9 |
if (status != APR_SUCCESS) {
|
|
Packit |
90a5c9 |
reason = apr_pstrcat(r->pool, "could not stat file ",
|
|
Packit |
90a5c9 |
r->filename, NULL);
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01634)
|
|
Packit |
90a5c9 |
"Authorization of user %s to access %s failed, reason: %s",
|
|
Packit |
90a5c9 |
r->user, r->uri, reason ? reason : "unknown");
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!(finfo.valid & APR_FINFO_USER)) {
|
|
Packit |
90a5c9 |
reason = "no file owner information available";
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01635)
|
|
Packit |
90a5c9 |
"Authorization of user %s to access %s failed, reason: %s",
|
|
Packit |
90a5c9 |
r->user, r->uri, reason ? reason : "unknown");
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
status = apr_uid_name_get(&owner, finfo.user, r->pool);
|
|
Packit |
90a5c9 |
if (status != APR_SUCCESS || !owner) {
|
|
Packit |
90a5c9 |
reason = "could not get name of file owner";
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01636)
|
|
Packit |
90a5c9 |
"Authorization of user %s to access %s failed, reason: %s",
|
|
Packit |
90a5c9 |
r->user, r->uri, reason ? reason : "unknown");
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (strcmp(owner, r->user)) {
|
|
Packit |
90a5c9 |
reason = apr_psprintf(r->pool, "file owner %s does not match.",
|
|
Packit |
90a5c9 |
owner);
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01637)
|
|
Packit |
90a5c9 |
"Authorization of user %s to access %s failed, reason: %s",
|
|
Packit |
90a5c9 |
r->user, r->uri, reason ? reason : "unknown");
|
|
Packit |
90a5c9 |
return AUTHZ_DENIED;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
/* this user is authorized */
|
|
Packit |
90a5c9 |
return AUTHZ_GRANTED;
|
|
Packit |
90a5c9 |
#endif /* APR_HAS_USER */
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static char *authz_owner_get_file_group(request_rec *r)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
/* file-group only figures out the file's group and lets
|
|
Packit |
90a5c9 |
* other modules do the actual authorization (against a group file/db).
|
|
Packit |
90a5c9 |
* Thus, these modules have to hook themselves after
|
|
Packit |
90a5c9 |
* mod_authz_owner and of course recognize 'file-group', too.
|
|
Packit |
90a5c9 |
*/
|
|
Packit |
90a5c9 |
#if !APR_HAS_USER
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
#else /* APR_HAS_USER */
|
|
Packit |
90a5c9 |
char *reason = NULL;
|
|
Packit |
90a5c9 |
char *group = NULL;
|
|
Packit |
90a5c9 |
apr_finfo_t finfo;
|
|
Packit |
90a5c9 |
apr_status_t status = 0;
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!r->filename) {
|
|
Packit |
90a5c9 |
reason = "no filename available";
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01638)
|
|
Packit |
90a5c9 |
"Authorization of user %s to access %s failed, reason: %s",
|
|
Packit |
90a5c9 |
r->user, r->uri, reason ? reason : "unknown");
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
status = apr_stat(&finfo, r->filename, APR_FINFO_GROUP, r->pool);
|
|
Packit |
90a5c9 |
if (status != APR_SUCCESS) {
|
|
Packit |
90a5c9 |
reason = apr_pstrcat(r->pool, "could not stat file ",
|
|
Packit |
90a5c9 |
r->filename, NULL);
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01639)
|
|
Packit |
90a5c9 |
"Authorization of user %s to access %s failed, reason: %s",
|
|
Packit |
90a5c9 |
r->user, r->uri, reason ? reason : "unknown");
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
if (!(finfo.valid & APR_FINFO_GROUP)) {
|
|
Packit |
90a5c9 |
reason = "no file group information available";
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01640)
|
|
Packit |
90a5c9 |
"Authorization of user %s to access %s failed, reason: %s",
|
|
Packit |
90a5c9 |
r->user, r->uri, reason ? reason : "unknown");
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
status = apr_gid_name_get(&group, finfo.group, r->pool);
|
|
Packit |
90a5c9 |
if (status != APR_SUCCESS || !group) {
|
|
Packit |
90a5c9 |
reason = "could not get name of file group";
|
|
Packit |
90a5c9 |
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01641)
|
|
Packit |
90a5c9 |
"Authorization of user %s to access %s failed, reason: %s",
|
|
Packit |
90a5c9 |
r->user, r->uri, reason ? reason : "unknown");
|
|
Packit |
90a5c9 |
return NULL;
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
return group;
|
|
Packit |
90a5c9 |
#endif /* APR_HAS_USER */
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static const authz_provider authz_fileowner_provider =
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
&fileowner_check_authorization,
|
|
Packit |
90a5c9 |
NULL,
|
|
Packit |
90a5c9 |
};
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
static void register_hooks(apr_pool_t *p)
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
APR_REGISTER_OPTIONAL_FN(authz_owner_get_file_group);
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "file-owner",
|
|
Packit |
90a5c9 |
AUTHZ_PROVIDER_VERSION,
|
|
Packit |
90a5c9 |
&authz_fileowner_provider,
|
|
Packit |
90a5c9 |
AP_AUTH_INTERNAL_PER_CONF);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
AP_DECLARE_MODULE(authz_owner) =
|
|
Packit |
90a5c9 |
{
|
|
Packit |
90a5c9 |
STANDARD20_MODULE_STUFF,
|
|
Packit |
90a5c9 |
NULL, /* dir config creater */
|
|
Packit |
90a5c9 |
NULL, /* dir merger --- default is to override */
|
|
Packit |
90a5c9 |
NULL, /* server config */
|
|
Packit |
90a5c9 |
NULL, /* merge server config */
|
|
Packit |
90a5c9 |
authz_owner_cmds, /* command apr_table_t */
|
|
Packit |
90a5c9 |
register_hooks /* register hooks */
|
|
Packit |
90a5c9 |
};
|