modules/aaa/mod_authz_owner.c

	mod_authz_owner.c revision b6b9713c05233c99a1df07b882f985f1474f891d
0c04407550130c0ea040b5675f2c214426b27718fuankg/* Licensed to the Apache Software Foundation (ASF) under one or more
0c04407550130c0ea040b5675f2c214426b27718fuankg * contributor license agreements.  See the NOTICE file distributed with
0c04407550130c0ea040b5675f2c214426b27718fuankg * this work for additional information regarding copyright ownership.
0c04407550130c0ea040b5675f2c214426b27718fuankg * The ASF licenses this file to You under the Apache License, Version 2.0
0c04407550130c0ea040b5675f2c214426b27718fuankg * (the "License"); you may not use this file except in compliance with
0c04407550130c0ea040b5675f2c214426b27718fuankg * the License.  You may obtain a copy of the License at
0c04407550130c0ea040b5675f2c214426b27718fuankg *
0c04407550130c0ea040b5675f2c214426b27718fuankg *     http://www.apache.org/licenses/LICENSE-2.0
0c04407550130c0ea040b5675f2c214426b27718fuankg *
0c04407550130c0ea040b5675f2c214426b27718fuankg * Unless required by applicable law or agreed to in writing, software
0662ed52e814f8f08ef0e09956413a792584eddffuankg * distributed under the License is distributed on an "AS IS" BASIS,
0c04407550130c0ea040b5675f2c214426b27718fuankg * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
0c04407550130c0ea040b5675f2c214426b27718fuankg * See the License for the specific language governing permissions and
0c04407550130c0ea040b5675f2c214426b27718fuankg * limitations under the License.
0c04407550130c0ea040b5675f2c214426b27718fuankg */
0c04407550130c0ea040b5675f2c214426b27718fuankg
0c04407550130c0ea040b5675f2c214426b27718fuankg#include "apr_strings.h"
0c04407550130c0ea040b5675f2c214426b27718fuankg#include "apr_file_info.h"
0c04407550130c0ea040b5675f2c214426b27718fuankg#include "apr_user.h"
0c04407550130c0ea040b5675f2c214426b27718fuankg
44f575c8cb19a7a5cd61664a7848be6bc197df02fuankg#include "ap_config.h"
44f575c8cb19a7a5cd61664a7848be6bc197df02fuankg#include "ap_provider.h"
16b55a35cff91315d261d1baa776138af465c4e4fuankg#include "httpd.h"
0c04407550130c0ea040b5675f2c214426b27718fuankg#include "http_config.h"
0c04407550130c0ea040b5675f2c214426b27718fuankg#include "http_core.h"
0c04407550130c0ea040b5675f2c214426b27718fuankg#include "http_log.h"
0c04407550130c0ea040b5675f2c214426b27718fuankg#include "http_protocol.h"
0c04407550130c0ea040b5675f2c214426b27718fuankg#include "http_request.h"
0c04407550130c0ea040b5675f2c214426b27718fuankg
0c04407550130c0ea040b5675f2c214426b27718fuankg#include "mod_auth.h"
0c04407550130c0ea040b5675f2c214426b27718fuankg
0c04407550130c0ea040b5675f2c214426b27718fuankgAPR_DECLARE_OPTIONAL_FN(char*, authz_owner_get_file_group, (request_rec *r));
0c04407550130c0ea040b5675f2c214426b27718fuankg
0c04407550130c0ea040b5675f2c214426b27718fuankgstatic const command_rec authz_owner_cmds[] =
0c04407550130c0ea040b5675f2c214426b27718fuankg{
0c04407550130c0ea040b5675f2c214426b27718fuankg    {NULL}
0c04407550130c0ea040b5675f2c214426b27718fuankg};
0c04407550130c0ea040b5675f2c214426b27718fuankg
0c04407550130c0ea040b5675f2c214426b27718fuankgmodule AP_MODULE_DECLARE_DATA authz_owner_module;
0c04407550130c0ea040b5675f2c214426b27718fuankg
0c04407550130c0ea040b5675f2c214426b27718fuankgstatic authz_status fileowner_check_authorization(request_rec *r,
0c04407550130c0ea040b5675f2c214426b27718fuankg                                             const char *require_args)
0c04407550130c0ea040b5675f2c214426b27718fuankg{
0c04407550130c0ea040b5675f2c214426b27718fuankg    char *reason = NULL;
0c04407550130c0ea040b5675f2c214426b27718fuankg    apr_status_t status = 0;
0c04407550130c0ea040b5675f2c214426b27718fuankg
0c04407550130c0ea040b5675f2c214426b27718fuankg#if !APR_HAS_USER
0c04407550130c0ea040b5675f2c214426b27718fuankg    reason = "'Require file-owner' is not supported on this platform.";
0c04407550130c0ea040b5675f2c214426b27718fuankg    ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
0c04407550130c0ea040b5675f2c214426b27718fuankg                  "Authorization of user %s to access %s failed, reason: %s",
0c04407550130c0ea040b5675f2c214426b27718fuankg                  r->user, r->uri, reason ? reason : "unknown");
0c04407550130c0ea040b5675f2c214426b27718fuankg    return AUTHZ_DENIED;
0c04407550130c0ea040b5675f2c214426b27718fuankg#else  /* APR_HAS_USER */
0c04407550130c0ea040b5675f2c214426b27718fuankg    char *owner = NULL;
0c04407550130c0ea040b5675f2c214426b27718fuankg    apr_finfo_t finfo;
0c04407550130c0ea040b5675f2c214426b27718fuankg
0c04407550130c0ea040b5675f2c214426b27718fuankg    if (!r->user) {
0c04407550130c0ea040b5675f2c214426b27718fuankg        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
0c04407550130c0ea040b5675f2c214426b27718fuankg            "access to %s failed, reason: no authenticated user", r->uri);
0c04407550130c0ea040b5675f2c214426b27718fuankg        return AUTHZ_DENIED;
0c04407550130c0ea040b5675f2c214426b27718fuankg    }
0c04407550130c0ea040b5675f2c214426b27718fuankg
0c04407550130c0ea040b5675f2c214426b27718fuankg    if (!r->filename) {
0c04407550130c0ea040b5675f2c214426b27718fuankg        reason = "no filename available";
0c04407550130c0ea040b5675f2c214426b27718fuankg        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
0c04407550130c0ea040b5675f2c214426b27718fuankg                      "Authorization of user %s to access %s failed, reason: %s",
0c04407550130c0ea040b5675f2c214426b27718fuankg                      r->user, r->uri, reason ? reason : "unknown");
0c04407550130c0ea040b5675f2c214426b27718fuankg        return AUTHZ_DENIED;
0c04407550130c0ea040b5675f2c214426b27718fuankg    }
0c04407550130c0ea040b5675f2c214426b27718fuankg
0c04407550130c0ea040b5675f2c214426b27718fuankg    status = apr_stat(&finfo, r->filename, APR_FINFO_USER, r->pool);
0c04407550130c0ea040b5675f2c214426b27718fuankg    if (status != APR_SUCCESS) {
0c04407550130c0ea040b5675f2c214426b27718fuankg        reason = apr_pstrcat(r->pool, "could not stat file ",
0c04407550130c0ea040b5675f2c214426b27718fuankg                                r->filename, NULL);
0c04407550130c0ea040b5675f2c214426b27718fuankg        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
0c04407550130c0ea040b5675f2c214426b27718fuankg                      "Authorization of user %s to access %s failed, reason: %s",
0c04407550130c0ea040b5675f2c214426b27718fuankg                      r->user, r->uri, reason ? reason : "unknown");
0c04407550130c0ea040b5675f2c214426b27718fuankg        return AUTHZ_DENIED;
0c04407550130c0ea040b5675f2c214426b27718fuankg    }
0c04407550130c0ea040b5675f2c214426b27718fuankg
0c04407550130c0ea040b5675f2c214426b27718fuankg    if (!(finfo.valid & APR_FINFO_USER)) {
0c04407550130c0ea040b5675f2c214426b27718fuankg        reason = "no file owner information available";
0c04407550130c0ea040b5675f2c214426b27718fuankg        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
0c04407550130c0ea040b5675f2c214426b27718fuankg                      "Authorization of user %s to access %s failed, reason: %s",
0c04407550130c0ea040b5675f2c214426b27718fuankg                      r->user, r->uri, reason ? reason : "unknown");
0c04407550130c0ea040b5675f2c214426b27718fuankg        return AUTHZ_DENIED;
0c04407550130c0ea040b5675f2c214426b27718fuankg    }
0c04407550130c0ea040b5675f2c214426b27718fuankg
0c04407550130c0ea040b5675f2c214426b27718fuankg    status = apr_uid_name_get(&owner, finfo.user, r->pool);
0c04407550130c0ea040b5675f2c214426b27718fuankg    if (status != APR_SUCCESS || !owner) {
0c04407550130c0ea040b5675f2c214426b27718fuankg        reason = "could not get name of file owner";
0c04407550130c0ea040b5675f2c214426b27718fuankg        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
0c04407550130c0ea040b5675f2c214426b27718fuankg                      "Authorization of user %s to access %s failed, reason: %s",
0c04407550130c0ea040b5675f2c214426b27718fuankg                      r->user, r->uri, reason ? reason : "unknown");
ea1b70b7a14558cc058b9a1fc31d78afb093f529fuankg        return AUTHZ_DENIED;
0c04407550130c0ea040b5675f2c214426b27718fuankg    }
0c04407550130c0ea040b5675f2c214426b27718fuankg
0c04407550130c0ea040b5675f2c214426b27718fuankg    if (strcmp(owner, r->user)) {
0c04407550130c0ea040b5675f2c214426b27718fuankg        reason = apr_psprintf(r->pool, "file owner %s does not match.",
0c04407550130c0ea040b5675f2c214426b27718fuankg                                owner);
0c04407550130c0ea040b5675f2c214426b27718fuankg        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
0c04407550130c0ea040b5675f2c214426b27718fuankg                      "Authorization of user %s to access %s failed, reason: %s",
0c04407550130c0ea040b5675f2c214426b27718fuankg                      r->user, r->uri, reason ? reason : "unknown");
0c04407550130c0ea040b5675f2c214426b27718fuankg        return AUTHZ_DENIED;
0c04407550130c0ea040b5675f2c214426b27718fuankg    }
0c04407550130c0ea040b5675f2c214426b27718fuankg
0c04407550130c0ea040b5675f2c214426b27718fuankg    /* this user is authorized */
0c04407550130c0ea040b5675f2c214426b27718fuankg    return AUTHZ_GRANTED;
0c04407550130c0ea040b5675f2c214426b27718fuankg#endif /* APR_HAS_USER */
0c04407550130c0ea040b5675f2c214426b27718fuankg}
0662ed52e814f8f08ef0e09956413a792584eddffuankg
0c04407550130c0ea040b5675f2c214426b27718fuankgstatic char *authz_owner_get_file_group(request_rec *r)
0c04407550130c0ea040b5675f2c214426b27718fuankg{
0c04407550130c0ea040b5675f2c214426b27718fuankg    char *reason = NULL;
0c04407550130c0ea040b5675f2c214426b27718fuankg
0c04407550130c0ea040b5675f2c214426b27718fuankg    /* file-group only figures out the file's group and lets
0c04407550130c0ea040b5675f2c214426b27718fuankg    * other modules do the actual authorization (against a group file/db).
0c04407550130c0ea040b5675f2c214426b27718fuankg    * Thus, these modules have to hook themselves after
0c04407550130c0ea040b5675f2c214426b27718fuankg    * mod_authz_owner and of course recognize 'file-group', too.
0c04407550130c0ea040b5675f2c214426b27718fuankg    */
0c04407550130c0ea040b5675f2c214426b27718fuankg#if !APR_HAS_USER
0c04407550130c0ea040b5675f2c214426b27718fuankg    return NULL;
0c04407550130c0ea040b5675f2c214426b27718fuankg#else  /* APR_HAS_USER */
0662ed52e814f8f08ef0e09956413a792584eddffuankg    char *group = NULL;
0c04407550130c0ea040b5675f2c214426b27718fuankg    apr_finfo_t finfo;
0c04407550130c0ea040b5675f2c214426b27718fuankg    apr_status_t status = 0;
0c04407550130c0ea040b5675f2c214426b27718fuankg
0c04407550130c0ea040b5675f2c214426b27718fuankg    if (!r->filename) {
0662ed52e814f8f08ef0e09956413a792584eddffuankg        reason = "no filename available";
0c04407550130c0ea040b5675f2c214426b27718fuankg        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
0c04407550130c0ea040b5675f2c214426b27718fuankg                      "Authorization of user %s to access %s failed, reason: %s",
0c04407550130c0ea040b5675f2c214426b27718fuankg                      r->user, r->uri, reason ? reason : "unknown");
0c04407550130c0ea040b5675f2c214426b27718fuankg        return NULL;
0c04407550130c0ea040b5675f2c214426b27718fuankg    }
0c04407550130c0ea040b5675f2c214426b27718fuankg
0c04407550130c0ea040b5675f2c214426b27718fuankg    status = apr_stat(&finfo, r->filename, APR_FINFO_GROUP, r->pool);
0c04407550130c0ea040b5675f2c214426b27718fuankg    if (status != APR_SUCCESS) {
0c04407550130c0ea040b5675f2c214426b27718fuankg        reason = apr_pstrcat(r->pool, "could not stat file ",
0662ed52e814f8f08ef0e09956413a792584eddffuankg                                r->filename, NULL);
0c04407550130c0ea040b5675f2c214426b27718fuankg        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
0c04407550130c0ea040b5675f2c214426b27718fuankg                      "Authorization of user %s to access %s failed, reason: %s",
0c04407550130c0ea040b5675f2c214426b27718fuankg                      r->user, r->uri, reason ? reason : "unknown");
0c04407550130c0ea040b5675f2c214426b27718fuankg        return NULL;
0c04407550130c0ea040b5675f2c214426b27718fuankg    }
0c04407550130c0ea040b5675f2c214426b27718fuankg
0c04407550130c0ea040b5675f2c214426b27718fuankg    if (!(finfo.valid & APR_FINFO_GROUP)) {
0c04407550130c0ea040b5675f2c214426b27718fuankg        reason = "no file group information available";
0c04407550130c0ea040b5675f2c214426b27718fuankg        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
0c04407550130c0ea040b5675f2c214426b27718fuankg                      "Authorization of user %s to access %s failed, reason: %s",
0c04407550130c0ea040b5675f2c214426b27718fuankg                      r->user, r->uri, reason ? reason : "unknown");
0c04407550130c0ea040b5675f2c214426b27718fuankg        return NULL;
0c04407550130c0ea040b5675f2c214426b27718fuankg    }
0c04407550130c0ea040b5675f2c214426b27718fuankg
0c04407550130c0ea040b5675f2c214426b27718fuankg    status = apr_gid_name_get(&group, finfo.group, r->pool);
0c04407550130c0ea040b5675f2c214426b27718fuankg    if (status != APR_SUCCESS || !group) {
0c04407550130c0ea040b5675f2c214426b27718fuankg        reason = "could not get name of file group";
0c04407550130c0ea040b5675f2c214426b27718fuankg        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
0c04407550130c0ea040b5675f2c214426b27718fuankg                      "Authorization of user %s to access %s failed, reason: %s",
0c04407550130c0ea040b5675f2c214426b27718fuankg                      r->user, r->uri, reason ? reason : "unknown");
0c04407550130c0ea040b5675f2c214426b27718fuankg        return NULL;
0c04407550130c0ea040b5675f2c214426b27718fuankg    }
0c04407550130c0ea040b5675f2c214426b27718fuankg
0c04407550130c0ea040b5675f2c214426b27718fuankg    return group;
0c04407550130c0ea040b5675f2c214426b27718fuankg#endif /* APR_HAS_USER */
0c04407550130c0ea040b5675f2c214426b27718fuankg}
0c04407550130c0ea040b5675f2c214426b27718fuankg
0c04407550130c0ea040b5675f2c214426b27718fuankgstatic const authz_provider authz_fileowner_provider =
0c04407550130c0ea040b5675f2c214426b27718fuankg{
0c04407550130c0ea040b5675f2c214426b27718fuankg    &fileowner_check_authorization,
0c04407550130c0ea040b5675f2c214426b27718fuankg};
0c04407550130c0ea040b5675f2c214426b27718fuankg
0c04407550130c0ea040b5675f2c214426b27718fuankgstatic void register_hooks(apr_pool_t *p)
0c04407550130c0ea040b5675f2c214426b27718fuankg{
0c04407550130c0ea040b5675f2c214426b27718fuankg    APR_REGISTER_OPTIONAL_FN(authz_owner_get_file_group);
cf7ca2f9eaa6523fefcccba4287b91637391fb51fuankg
0c04407550130c0ea040b5675f2c214426b27718fuankg    ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "file-owner",
0c04407550130c0ea040b5675f2c214426b27718fuankg                              AUTHZ_PROVIDER_VERSION,
0c04407550130c0ea040b5675f2c214426b27718fuankg                              &authz_fileowner_provider,
0c04407550130c0ea040b5675f2c214426b27718fuankg                              AP_AUTH_INTERNAL_PER_CONF);
0c04407550130c0ea040b5675f2c214426b27718fuankg}
0c04407550130c0ea040b5675f2c214426b27718fuankg
0c04407550130c0ea040b5675f2c214426b27718fuankgmodule AP_MODULE_DECLARE_DATA authz_owner_module =
0c04407550130c0ea040b5675f2c214426b27718fuankg{
0c04407550130c0ea040b5675f2c214426b27718fuankg    STANDARD20_MODULE_STUFF,
0c04407550130c0ea040b5675f2c214426b27718fuankg    NULL,                          /* dir config creater */
0c04407550130c0ea040b5675f2c214426b27718fuankg    NULL,                          /* dir merger --- default is to override */
0c04407550130c0ea040b5675f2c214426b27718fuankg    NULL,                          /* server config */
0c04407550130c0ea040b5675f2c214426b27718fuankg    NULL,                          /* merge server config */
0c04407550130c0ea040b5675f2c214426b27718fuankg    authz_owner_cmds,              /* command apr_table_t */
0c04407550130c0ea040b5675f2c214426b27718fuankg    register_hooks                 /* register hooks */
0c04407550130c0ea040b5675f2c214426b27718fuankg};
0c04407550130c0ea040b5675f2c214426b27718fuankg