You are here: Foswiki>Tasks Web>Item10280 (12 Jul 2015, GeorgeClark)Edit Attach

Item10280: ApacheConfigGenerator does not enforce the Require user protection for the bin/configure command

Priority: Normal
Current State: No Action Required
Released In: n/a
Target Release: n/a
Applies To: Web Site
Component: ApacheConfigGenerator
Reported By: RaulFRodriguez
Waiting For:
Last Change By: GeorgeClark
After Filippo's message to the discuss list, I realised why I was sometimes sharing the same problem, which looks like a bug in the ApacheConfigGenerator page.

1. How to reproduce:

Try this simple configuration settings, with only a required user "adminuser" for protecting the configure script (no IP address), and clicking "OR", instead of "AND" in the section "Protect the bin/configure command":

The FilesMatch block looks like that:

    <FilesMatch "^(configure)$">
        SetHandler cgi-script
        Require user adminuser
        Satisfy Any
        ErrorDocument 401 default

With these settings and Apache 2, the configure script is accessible by anybody.

I experimented commenting out "Satisfy Any", and noticed that it is enough, in my case, to enforce the required user authentication. There is no "Any" other condition to satisfy as defined in the block. The parent block though has:

    Order Allow,Deny
    Allow from all
    Deny from env=blockAccess

so I guess that's why the authentication is not performed, since "Allow from all" is there, and "Satisfy Any" is permitted.

2. Problems in ApacheConfigGenerator

The source code of the generator contains this:

    <FilesMatch "^(configure)$">
        SetHandler cgi-script%IF{ "$ALLOWCONF != ''" then="
        Order Deny,Allow
        Deny from all 
        Allow from %URLPARAM{allowconf}%"}%
        %IF{ "$REQUIRECONF != ''" then="Require user %URLPARAM{requireconf}%"}%
        Satisfy %IF{ "$REQANDOR='and'" then="All" else="Any" }%
        ErrorDocument 401 default

A "Satisfy All" would also restrict the access. The "Satisfy All" is there if you leave the selection to "AND" there ApacheConfigGenerator#Protect_the_bin_configure_comman instead of using "OR".

When users click "OR" (instead of "AND", which is normally selected by default) when they generate the Apache configuration with only one requirement (user) for protecting the configure script, they get "Satisfy Any", instead of "Satisfy All".

In either cases, it does not make much sense to specify "AND" or "OR", if you only have one condition (either user, or IP address). So that's a strange way to write the Apache directives, IMHO.

3. Suggested corrections

The code should probably be corrected:

  • to include "Order Deny,Allow" and "Deny from all" all the time, unless $ALLOWCONF and $REQUIRECONF are both empty (in which case, the FilesMatch block is useless anyway),

  • and the "Satisfy" line used only if $ALLOWCONF and $REQUIRECONF are both non empty.

Also, in earlier versions of the generator, the generator was providing, in the generated comments, a link to which contains useful information, and which is not there anymore. I suggest to put it back there.

Finally, in the HTML interface the "OR" "AND" radio buttons make sense only if there are values in both the fields.

-- RaulFRodriguez - 24 Jan 2011

Setting to No Action. Foswiki 2.0 doesn't need to protect configure. It's handled by core. Also, ACG is a wiki topic. no need for tasks. Just edit directly.

-- GeorgeClark - 12 Jul 2015

ItemTemplate edit

Summary ApacheConfigGenerator does not enforce the Require user protection for the bin/configure command
ReportedBy RaulFRodriguez
SVN Range
AppliesTo Web Site
Component ApacheConfigGenerator
Priority Normal
CurrentState No Action Required
TargetRelease n/a
ReleasedIn n/a
Topic revision: r3 - 12 Jul 2015, GeorgeClark
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy