summaryrefslogtreecommitdiffstats
path: root/modules/aaa/mod_authz_owner.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-07 02:04:06 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-07 02:04:06 +0000
commit5dff2d61cc1c27747ee398e04d8e02843aabb1f8 (patch)
treea67c336b406c8227bac912beb74a1ad3cdc55100 /modules/aaa/mod_authz_owner.c
parentInitial commit. (diff)
downloadapache2-upstream.tar.xz
apache2-upstream.zip
Adding upstream version 2.4.38.upstream/2.4.38upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'modules/aaa/mod_authz_owner.c')
-rw-r--r--modules/aaa/mod_authz_owner.c189
1 files changed, 189 insertions, 0 deletions
diff --git a/modules/aaa/mod_authz_owner.c b/modules/aaa/mod_authz_owner.c
new file mode 100644
index 0000000..4fd0b2a
--- /dev/null
+++ b/modules/aaa/mod_authz_owner.c
@@ -0,0 +1,189 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "apr_strings.h"
+#include "apr_file_info.h"
+#include "apr_user.h"
+
+#include "ap_config.h"
+#include "ap_provider.h"
+#include "httpd.h"
+#include "http_config.h"
+#include "http_core.h"
+#include "http_log.h"
+#include "http_protocol.h"
+#include "http_request.h"
+
+#include "mod_auth.h"
+#include "mod_authz_owner.h"
+
+static const command_rec authz_owner_cmds[] =
+{
+ {NULL}
+};
+
+module AP_MODULE_DECLARE_DATA authz_owner_module;
+
+static authz_status fileowner_check_authorization(request_rec *r,
+ const char *require_args,
+ const void *parsed_require_args)
+{
+ char *reason = NULL;
+ apr_status_t status = 0;
+
+#if !APR_HAS_USER
+ reason = "'Require file-owner' is not supported on this platform.";
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01632)
+ "Authorization of user %s to access %s failed, reason: %s",
+ r->user, r->uri, reason ? reason : "unknown");
+ return AUTHZ_DENIED;
+#else /* APR_HAS_USER */
+ char *owner = NULL;
+ apr_finfo_t finfo;
+
+ if (!r->user) {
+ return AUTHZ_DENIED_NO_USER;
+ }
+
+ if (!r->filename) {
+ reason = "no filename available";
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01633)
+ "Authorization of user %s to access %s failed, reason: %s",
+ r->user, r->uri, reason ? reason : "unknown");
+ return AUTHZ_DENIED;
+ }
+
+ status = apr_stat(&finfo, r->filename, APR_FINFO_USER, r->pool);
+ if (status != APR_SUCCESS) {
+ reason = apr_pstrcat(r->pool, "could not stat file ",
+ r->filename, NULL);
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01634)
+ "Authorization of user %s to access %s failed, reason: %s",
+ r->user, r->uri, reason ? reason : "unknown");
+ return AUTHZ_DENIED;
+ }
+
+ if (!(finfo.valid & APR_FINFO_USER)) {
+ reason = "no file owner information available";
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01635)
+ "Authorization of user %s to access %s failed, reason: %s",
+ r->user, r->uri, reason ? reason : "unknown");
+ return AUTHZ_DENIED;
+ }
+
+ status = apr_uid_name_get(&owner, finfo.user, r->pool);
+ if (status != APR_SUCCESS || !owner) {
+ reason = "could not get name of file owner";
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01636)
+ "Authorization of user %s to access %s failed, reason: %s",
+ r->user, r->uri, reason ? reason : "unknown");
+ return AUTHZ_DENIED;
+ }
+
+ if (strcmp(owner, r->user)) {
+ reason = apr_psprintf(r->pool, "file owner %s does not match.",
+ owner);
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01637)
+ "Authorization of user %s to access %s failed, reason: %s",
+ r->user, r->uri, reason ? reason : "unknown");
+ return AUTHZ_DENIED;
+ }
+
+ /* this user is authorized */
+ return AUTHZ_GRANTED;
+#endif /* APR_HAS_USER */
+}
+
+static char *authz_owner_get_file_group(request_rec *r)
+{
+ /* file-group only figures out the file's group and lets
+ * other modules do the actual authorization (against a group file/db).
+ * Thus, these modules have to hook themselves after
+ * mod_authz_owner and of course recognize 'file-group', too.
+ */
+#if !APR_HAS_USER
+ return NULL;
+#else /* APR_HAS_USER */
+ char *reason = NULL;
+ char *group = NULL;
+ apr_finfo_t finfo;
+ apr_status_t status = 0;
+
+ if (!r->filename) {
+ reason = "no filename available";
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01638)
+ "Authorization of user %s to access %s failed, reason: %s",
+ r->user, r->uri, reason ? reason : "unknown");
+ return NULL;
+ }
+
+ status = apr_stat(&finfo, r->filename, APR_FINFO_GROUP, r->pool);
+ if (status != APR_SUCCESS) {
+ reason = apr_pstrcat(r->pool, "could not stat file ",
+ r->filename, NULL);
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01639)
+ "Authorization of user %s to access %s failed, reason: %s",
+ r->user, r->uri, reason ? reason : "unknown");
+ return NULL;
+ }
+
+ if (!(finfo.valid & APR_FINFO_GROUP)) {
+ reason = "no file group information available";
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01640)
+ "Authorization of user %s to access %s failed, reason: %s",
+ r->user, r->uri, reason ? reason : "unknown");
+ return NULL;
+ }
+
+ status = apr_gid_name_get(&group, finfo.group, r->pool);
+ if (status != APR_SUCCESS || !group) {
+ reason = "could not get name of file group";
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(01641)
+ "Authorization of user %s to access %s failed, reason: %s",
+ r->user, r->uri, reason ? reason : "unknown");
+ return NULL;
+ }
+
+ return group;
+#endif /* APR_HAS_USER */
+}
+
+static const authz_provider authz_fileowner_provider =
+{
+ &fileowner_check_authorization,
+ NULL,
+};
+
+static void register_hooks(apr_pool_t *p)
+{
+ APR_REGISTER_OPTIONAL_FN(authz_owner_get_file_group);
+
+ ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "file-owner",
+ AUTHZ_PROVIDER_VERSION,
+ &authz_fileowner_provider,
+ AP_AUTH_INTERNAL_PER_CONF);
+}
+
+AP_DECLARE_MODULE(authz_owner) =
+{
+ STANDARD20_MODULE_STUFF,
+ NULL, /* dir config creater */
+ NULL, /* dir merger --- default is to override */
+ NULL, /* server config */
+ NULL, /* merge server config */
+ authz_owner_cmds, /* command apr_table_t */
+ register_hooks /* register hooks */
+};