Hello,
I refined my mail from 05/01/2017 and now I think there is a bug in the mod_authz_svn Module. This may allow users to see content for which they aren't allowed for.
For the general setup, I have an Apache 2.4, Subversion 1.9 modules and mod_lua activated for authentification. The LUA-hook works for none-SVN-Locations, my user is authorized. The httpd.conf and LUA script is attached below.
Case 1:
- The accessfile configures my user to have access on repo-root:
[repo:/]
myuser = rw
- The client (curl) shows me the repo-root but none of the files below.
- The error_log shows, that my user got authorized on root:
[Fri Jan 19 21:20:58.735108 2018] [authz_svn:info] [pid 3465:tid 140589093869312] [client ::1:59812] Access granted: 'myuser' GET (null)
- But I'm not allowed to see a file below:
[Fri Jan 19 21:20:58.735706 2018] [authz_svn:info] [pid 3465:tid 140589093869312] [client ::1:59812] Access denied: - GET repo:/muhmiau.txt
Case 2:
- The accessfile configures everybody to have access on repo-root:
[repo:/]
* = rw
- The client (curl) shows me a repo-root and the files below.
- The error-log tells, that my user is allowed to see the root and the file:
[Fri Jan 19 21:26:03.803831 2018] [authz_svn:info] [pid 3425:tid 140589085476608] [client ::1:59814] Access granted: 'myuser' GET (null)
[Fri Jan 19 21:26:03.806508 2018] [authz_svn:info] [pid 3425:tid 140589085476608] [client ::1:59814] Access granted: 'myuser' GET repo:/muhmiau.txt
Case 3:
- Now I have an accessfile, which allows everyone to rw, *but not my user*:
[repo:/]
* = rw
myuser =
- The client (curl) shows me the full repo content
- The error_log tells, that my user is allowed to see the root and the file:
[Fri Jan 19 21:29:57.383442 2018] [authz_svn:info] [pid 3426:tid 140589085476608] [client ::1:59816] Access granted: 'myuser' GET (null)
[Fri Jan 19 21:29:57.385402 2018] [authz_svn:info] [pid 3426:tid 140589085476608] [client ::1:59816] Access granted: - GET repo:/muhmiau.txt
That raised several questions:
1. Why is my user not "known" for a special file in Case 1, when it generally works? (Case 2)
2. Why does the restriction of a right (Case 3) does not lead to a restricted view? As you can see in the log, the user is not known (like Case 1).
For me, especially Case 3 looks suspicious.
Any help would be appreciated.
Thanks and Kind Regards,
Stefan
PS - Configuration
So this is my repo-configuration:
<Location /svn/repo>
DAV svn
SVNPath "/.../repo"
LuaHookCheckUserID "/etc/apache2/lua/hook.lua" authcheck_hook
AuthzSVNAccessFile "/.../repo.access"
Require valid-user
</Location>
As you can see, the authorization is done by the Lua-script. The hook.lua accepts every request by setting a "myuser" on the request-entity:
require 'apache2'
function authcheck_hook(r)
r.user = "myuser"
return apache2.OK
end
In every case, I call the webserver with a simple curl-Command: "curl http://localhost:4402/svn/repo"
-----Ursprüngliche Nachricht-----
Von: Branko Čibej [mailto:brane_at_apache.org]
Gesendet: Freitag, 5. Januar 2018 16:30
An: users_at_subversion.apache.org
Betreff: Re: Apache SVN module and LUA authentification hook
On 05.01.2018 16:00, Stefan Hauffe wrote:
>
> Hello community,
>
>
>
> I have an Apache 2.4 which shall deliver SVN repos by the
> http-Protocol. I’m experienced with standard Basic Authentification
> and path-based authorization for the Subversion repo.
>
>
>
> In my new application, the authentication will be done by a LUA-script
> using the directive “LuaHookCheckUserID”. Generally, the LUA script
> works as expected (used this documentation
> <https://httpd.apache.org/docs/trunk/mod/mod_lua.html#luahookcheckuserid>).
>
>
>
> Unfortunately it seems, that the authorization file (Subversion
> Accessfile) is not read out correctly. I see an empty repo with my
> (authorized) user.
>
>
>
> From the logfile (Debug/Error) I see, that LUA granted my user. But
> also a “Access denied” message on a SVN file path:
>
>
>
> [lua:debug] [pid 6872:tid ] @/path/to/hook.lua(29): [client ip]
> Accepted user myuser
>
> [authz_svn:info] [pid 6872:tid ] [client ip] Access granted: 'myuser'
> GET (null)
>
> [authz_svn:debug] [pid 6872:tid ]
> subversion/mod_authz_svn/mod_authz_svn.c(450): [client ip] Path to
> authz file is /path/to/accessfile
>
> [authz_svn:info] [pid 6872:tid ] [client ip] Access denied: - GET
> repo002:/file.txt
>
>
>
> My simplest working LUA-Scripts goes here:
>
>
>
> require 'apache2'
>
> function authcheck_hook(r)
>
> r.user = "myuser"
>
> r:debug("Accepted user " .. r.user)
>
> return apache2.OK
>
> end
>
Are you really changing the username stored in the request in your authentication script? That could certainly be the problem, AFAIK there's no guarantee that that change gets propagated back to mod_authz_svn.
(It's also a horribly wrong approach to authentication.)
-- Brane
Received on 2018-01-22 12:39:40 CET