mod_authz_core.c

I have an .htaccess with the following directive:

On starting Apache through MAMP I get the following error in my apache logs:

My Apache version is 2.4.23, MAMP is 4.1, but it appears that mod_authz_core is not an included module with MAMP. If this is the cause of the error above, how do I go about installing the mod_authz_core module?

UPDATE: Turns out I was reading the wrong Apache version for MAMP 4.1. It is 2.2xx which obviously doesn’t support mod_authz_core. After struggling to find a way to upgrade the Apache that comes with MAMP, I’ve given up and configured my own "MAMP" using Sierra’s prepackaged Apache and homebrew for installing PHP.

Description: Core Authorization
Status: Base
Module Identifier: authz_core_module
Source File: mod_authz_core.c
Compatibility: Available in Apache HTTPD 2.3 and later

Summary

This module provides core authorization capabilities so that authenticated users can be allowed or denied access to portions of the web site. mod_authz_core provides the functionality to register various authorization providers. It is usually used in conjunction with an authentication provider module such as mod_authn_file and an authorization module such as mod_authz_user. It also allows for advanced logic to be applied to the authorization processing.

Topics

  • Authorization Containers
  • The Require Directives
  • Creating Authorization Provider Aliases

Authorization Containers

The authorization container directives <RequireAll>, <RequireAny> and <RequireNone> may be combined with each other and with the Require directive to express complex authorization logic.

The example below expresses the following authorization logic. In order to access the resource, the user must either be the superadmin user, or belong to both the admins group and the Administrators LDAP group and either belong to the sales group or have the LDAP dept attribute sales . Furthermore, in order to access the resource, the user must not belong to either the temps group or the LDAP group Temporary Employees .
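The configuration the paragraph describes, reconstructed from the prose above as an added example (the page's own example listing did not survive extraction, so this is not the Apache documentation's listing). The directory path, the file-based authentication directives and the LDAP names under o=example are assumed placeholders; Require ldap-group and ldap-attribute need mod_authnz_ldap loaded:

```apache
# Added example: nested authorization containers expressing the logic above.
# Paths, user/group files and the "o=example" LDAP names are placeholders.
<Directory "/var/www/html/restricted">
    AuthType Basic
    AuthName "Restricted area"
    AuthBasicProvider file
    AuthUserFile "/etc/apache2/users.passwd"
    AuthGroupFile "/etc/apache2/groups"
    # Needed by the ldap-group / ldap-attribute providers (mod_authnz_ldap)
    AuthLDAPURL "ldap://ldap.example.test/o=example?uid"

    <RequireAll>
        # Positive side: superadmin, OR (admins AND Administrators AND (sales OR dept=sales))
        <RequireAny>
            Require user superadmin
            <RequireAll>
                Require group admins
                Require ldap-group "cn=Administrators,o=example"
                <RequireAny>
                    Require group sales
                    Require ldap-attribute dept="sales"
                </RequireAny>
            </RequireAll>
        </RequireAny>
        # Negative side: members of temps or of the Temporary Employees LDAP
        # group are refused no matter what the positive side decided
        <RequireNone>
            Require group temps
            Require ldap-group "cn=Temporary Employees,o=example"
        </RequireNone>
    </RequireAll>
</Directory>
```

Because the outer container is <RequireAll>, the <RequireNone> branch acts as a veto: it can only fail or stay neutral, so adding it can never widen access, only narrow it.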

The Require Directives

Require env

The env provider allows access to the server to be controlled based on the existence of an environment variable. When Require env env-variable is specified, then the request is allowed access if the environment variable env-variable exists. The server provides the ability to set environment variables in a flexible way based on characteristics of the client request using the directives provided by mod_setenvif. Therefore, this directive can be used to allow access based on such factors as the client's User-Agent (browser type), Referer, or other HTTP request header fields.

In this case, browsers with a user-agent string beginning with KnockKnock/2.0 will be allowed access, and all others will be denied.
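The KnockKnock case from the text, written out as an added example (the page's listing was lost in extraction; the directory path is an assumed placeholder):

```apache
# Added example: mod_setenvif sets the variable, mod_authz_core tests it.
# Only requests whose User-Agent starts with "KnockKnock/2.0" are allowed.
SetEnvIf User-Agent "^KnockKnock/2\.0" let_me_in
<Directory "/var/www/html/docroot">
    Require env let_me_in
</Directory>
```

Keep in mind that request headers such as User-Agent are chosen by the client, so a rule like this is a convenience filter, not authentication; combine it with a real authentication provider when the resource actually needs protecting.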

When the server looks up a path via an internal subrequest such as looking for a DirectoryIndex or generating a directory listing with mod_autoindex , per-request environment variables are not inherited in the subrequest. Additionally, SetEnvIf directives are not separately evaluated in the subrequest due to the API phases mod_setenvif takes action in.

Require all

The all provider mimics the functionality that was previously provided by the ‘Allow from all’ and ‘Deny from all’ directives. This provider can take one of two arguments which are ‘granted’ or ‘denied’. The following examples will grant or deny access to all requests.

Require method

The method provider allows using the HTTP method in authorization decisions. The GET and HEAD methods are treated as equivalent. The TRACE method is not available to this provider; use TraceEnable instead.

The following example will only allow GET, HEAD, POST, and OPTIONS requests:

The following example will allow GET, HEAD, POST, and OPTIONS requests without authentication, and require a valid user for all other methods:
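Both method examples, plus the two forms of Require all from the previous section, as one added example (not the page's listings; paths and the user file are assumed placeholders):

```apache
# Added example: method-based authorization with the "method" and "all" providers.
<Directory "/var/www/html/api">
    AuthType Basic
    AuthName "API"
    AuthBasicProvider file
    AuthUserFile "/etc/apache2/users.passwd"

    # Read-only methods are open to everyone; every other method needs a
    # valid user. HEAD is treated as equivalent to GET, so it need not be listed.
    <RequireAny>
        Require method GET POST OPTIONS
        Require valid-user
    </RequireAny>
</Directory>

# Without the <RequireAny>/valid-user branch, only the listed methods are
# ever allowed here and everything else is refused:
<Directory "/var/www/html/readonly">
    Require method GET POST OPTIONS
</Directory>

# "Require all" replaces the old "Allow from all" / "Deny from all":
<Directory "/var/www/html/public">
    Require all granted
</Directory>
<Directory "/var/www/html/private">
    Require all denied
</Directory>
```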

Require expr

The expr provider allows basing authorization decisions on arbitrary expressions.

The syntax is described in the ap_expr documentation. Before httpd 2.4.16, the surrounding double-quotes MUST be omitted.

Normally, the expression is evaluated before authentication. However, if the expression returns false and references the variable %{REMOTE_USER}, authentication will be performed and the expression will be re-evaluated.
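Expression-based rules as an added example (these are not the page's listings; the path and user file are assumed placeholders). It shows the quoted form required from httpd 2.4.16 on, an integer comparison, a negated regular-expression match, and a rule that references REMOTE_USER and therefore triggers authentication:

```apache
# Added example: authorization decisions written as ap_expr expressions.
<Directory "/var/www/html/reports">
    AuthType Basic
    AuthName "Reports"
    AuthBasicProvider file
    AuthUserFile "/etc/apache2/users.passwd"

    <RequireAll>
        # Only during office hours (server local time, 24h clock)
        Require expr "%{TIME_HOUR} -ge 9 && %{TIME_HOUR} -le 17"
        # Refuse any request whose query string contains "secret"
        Require expr "!(%{QUERY_STRING} =~ /secret/)"
        # References REMOTE_USER: if it evaluates false before authentication,
        # httpd authenticates the client and evaluates the expression again
        Require expr "%{REMOTE_USER} == 'john'"
    </RequireAll>
</Directory>
```

On httpd releases before 2.4.16 the double quotes around each expression must be dropped, as the text notes.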

Creating Authorization Provider Aliases

Extended authorization providers can be created within the configuration file and assigned an alias name. The alias providers can then be referenced through the Require directive in the same way as a base authorization provider. Besides the ability to create and alias an extended provider, it also allows the same extended authorization provider to be referenced by multiple locations.

Example

The example below creates two different ldap authorization provider aliases based on the ldap-group authorization provider. This example allows a single authorization location to check group membership within multiple ldap hosts:
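The two-host ldap-group alias setup described above, as an added example (the page's listing was lost; this is not the Apache documentation's listing). Host names, distinguished names, the bind account and its password are placeholders. The second alias also shows the quoting rule for Require-Parameters: a group DN containing a space has to be passed as one quoted argument, otherwise only the first word is used:

```apache
# Added example: two aliases of the ldap-group provider, each bound to a
# different directory server, checked from a single location.
<AuthzProviderAlias ldap-group ldap-group-corp "cn=webadmins,ou=groups,o=corp">
    AuthLDAPURL "ldap://ldap1.example.test/o=corp?uid"
    AuthLDAPBindDN "cn=svc-httpd,ou=services,o=corp"
    AuthLDAPBindPassword "REPLACE_ME"
</AuthzProviderAlias>

# Require-Parameters with several words must be one quoted argument
<AuthzProviderAlias ldap-group ldap-group-partner "cn=Web Admins,ou=groups,o=partner">
    AuthLDAPURL "ldap://ldap2.example.test/o=partner?uid"
    AuthLDAPBindDN "cn=svc-httpd,ou=services,o=partner"
    AuthLDAPBindPassword "REPLACE_ME"
</AuthzProviderAlias>

<Directory "/var/www/html/secure">
    AuthType Basic
    AuthName "LDAP protected"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap1.example.test/o=corp?uid"

    # Membership in either directory's admin group is enough
    <RequireAny>
        Require ldap-group-corp
        Require ldap-group-partner
    </RequireAny>
</Directory>
```

Keep the bind credentials out of world-readable configuration and use a directory account with read-only rights to the group objects; the alias definitions live in server config context, so they cannot be placed in .htaccess.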

AuthMerging Directive

Description: Controls the manner in which each configuration section’s authorization logic is combined with that of preceding configuration sections.
Syntax: AuthMerging Off | And | Or
Default: AuthMerging Off
Context: directory, .htaccess
Override: AuthConfig
Status: Base
Module: mod_authz_core

When authorization is enabled, it is normally inherited by each subsequent configuration section, unless a different set of authorization directives is specified. This is the default action, which corresponds to an explicit setting of AuthMerging Off .

However, there may be circumstances in which it is desirable for a configuration section’s authorization to be combined with that of its predecessor while configuration sections are being merged. Two options are available for this case, And and Or .

When a configuration section contains AuthMerging And or AuthMerging Or, its authorization logic is combined with that of the nearest predecessor (according to the overall order of configuration sections) which also contains authorization logic, as if the two sections were jointly contained within a <RequireAll> or <RequireAny> directive, respectively.
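The three merge modes side by side, as an added example (not from the page; it assumes DocumentRoot is /var/www/html so that the <Location> sections map onto the <Directory> below, and the user and group files are placeholders):

```apache
# Added example: how AuthMerging changes the way a <Location> section's
# authorization combines with the enclosing <Directory> section's.
<Directory "/var/www/html/reports">
    AuthType Basic
    AuthName "Reports"
    AuthBasicProvider file
    AuthUserFile "/etc/apache2/users.passwd"
    AuthGroupFile "/etc/apache2/groups"
    Require group finance
</Directory>

# Default (AuthMerging Off): this section REPLACES the finance requirement
# for /reports/summary, so only managers are authorized there.
<Location "/reports/summary">
    Require group managers
</Location>

# AuthMerging Or: combined with the predecessor as if inside <RequireAny>,
# so members of finance OR managers are authorized.
<Location "/reports/weekly">
    AuthMerging Or
    Require group managers
</Location>

# AuthMerging And: combined as if inside <RequireAll>,
# so a user must be in finance AND managers.
<Location "/reports/confidential">
    AuthMerging And
    Require group managers
</Location>
```

The first <Location> is the case the Security Warning under the Require directive is about: a later section silently replaces an earlier restriction unless AuthMerging says otherwise.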

<AuthzProviderAlias> Directive

Description: Enclose a group of directives that represent an extension of a base authorization provider and referenced by the specified alias
Syntax: <AuthzProviderAlias baseProvider Alias Require-Parameters> ... </AuthzProviderAlias>
Context: server config
Status: Base
Module: mod_authz_core

If several parameters are needed in Require-Parameters , they must be enclosed in quotation marks. Otherwise, only the first one is taken into account.

AuthzSendForbiddenOnFailure Directive

Description: Send ‘403 FORBIDDEN’ instead of ‘401 UNAUTHORIZED’ if authentication succeeds but authorization fails
Syntax: AuthzSendForbiddenOnFailure On|Off
Default: AuthzSendForbiddenOnFailure Off
Context: directory, .htaccess
Status: Base
Module: mod_authz_core
Compatibility: Available in Apache HTTPD 2.3.11 and later

If authentication succeeds but authorization fails, Apache HTTPD will respond with an HTTP response code of ‘401 UNAUTHORIZED’ by default. This usually causes browsers to display the password dialogue to the user again, which is not wanted in all situations. AuthzSendForbiddenOnFailure allows changing the response code to ‘403 FORBIDDEN’.

Security Warning

Modifying the response in case of missing authorization weakens the security of the password, because it reveals to a possible attacker that a guessed password was correct.

Require Directive

Description: Tests whether an authenticated user is authorized by an authorization provider.
Syntax: Require [not] entity-name [entity-name ...]
Context: directory, .htaccess
Override: AuthConfig
Status: Base
Module: mod_authz_core

This directive tests whether an authenticated user is authorized according to a particular authorization provider and the specified restrictions. mod_authz_core provides the following generic authorization providers:

  • Require all granted: Access is allowed unconditionally.
  • Require all denied: Access is denied unconditionally.
  • Require env env-var [env-var ...]: Access is allowed only if one of the given environment variables is set.
  • Require method http-method [http-method ...]: Access is allowed only for the given HTTP methods.
  • Require expr expression: Access is allowed if expression evaluates to true.

Some of the allowed syntaxes provided by mod_authz_user, mod_authz_host, and mod_authz_groupfile are:

  • Require user userid [userid ...]: Only the named users can access the resource.
  • Require group group-name [group-name ...]: Only users in the named groups can access the resource.
  • Require valid-user: All valid users can access the resource.
  • Require ip 10 172.20 192.168.2: Clients in the specified IP address ranges can access the resource.

Other authorization modules that implement require options include mod_authnz_ldap , mod_authz_dbm , mod_authz_dbd , mod_authz_owner and mod_ssl .

In most cases, for a complete authentication and authorization configuration, Require must be accompanied by AuthName , AuthType and AuthBasicProvider or AuthDigestProvider directives, and directives such as AuthUserFile and AuthGroupFile (to define users and groups) in order to work correctly. Example:
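A complete configuration of the kind the paragraph calls for, as an added example (not the page's listing; the path, user file and group file are placeholders). It also shows AuthzSendForbiddenOnFailure from the section above in context:

```apache
# Added example: authentication and authorization directives that Require
# normally needs in order to work.
<Directory "/var/www/html/admin">
    AuthType Basic
    AuthName "Restricted Resource"
    AuthBasicProvider file
    # Password file maintained with htpasswd; keep it outside the DocumentRoot
    AuthUserFile "/etc/apache2/users.passwd"
    # Group file: one line per group, e.g.  admin: alice bob
    AuthGroupFile "/etc/apache2/groups"
    Require group admin

    # Authenticated users who are not in "admin" receive 403 instead of 401,
    # so the browser stops re-prompting; see the Security Warning above for
    # what that reveals about a correct password.
    AuthzSendForbiddenOnFailure On
</Directory>
```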

Access controls which are applied in this way are effective for all methods. This is what is normally desired. If you wish to apply access controls only to specific methods, while leaving other methods unprotected, then place the Require statement into a <Limit> section.

The result of the Require directive may be negated through the use of the not option. As with the other negated authorization directive <RequireNone>, when the Require directive is negated it can only fail or return a neutral result, and therefore may never independently authorize a request.

In the following example, all users in the alpha and beta groups are authorized, except for those who are also in the reject group.

When multiple Require directives are used in a single configuration section and are not contained in another authorization directive like <RequireAll>, they are implicitly contained within a <RequireAny> directive. Thus the first one to authorize a user authorizes the entire request, and subsequent Require directives are ignored.
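The three points of the last paragraphs (method-scoped Require, Require not, and the implicit <RequireAny> around sibling Require lines) in one added example (not the page's listings; paths and files are placeholders). It goes slightly beyond the text by using <LimitExcept>, the allow-list form of <Limit>, so that any method not explicitly named as read-only is covered:

```apache
# Added example: method-scoped authorization, negation, implicit <RequireAny>.
<Directory "/var/www/html/wiki">
    AuthType Basic
    AuthName "Wiki"
    AuthBasicProvider file
    AuthUserFile "/etc/apache2/users.passwd"
    AuthGroupFile "/etc/apache2/groups"

    # Reading is open to everyone...
    Require all granted

    # ...but every method other than the listed read-only ones is restricted.
    # <LimitExcept> is safer than <Limit POST PUT DELETE>, which would leave
    # any unlisted modifying method (PATCH, MOVE, ...) unprotected.
    <LimitExcept GET HEAD OPTIONS>
        # alpha or beta members, except anyone who is also in "reject"
        <RequireAll>
            Require group alpha beta
            Require not group reject
        </RequireAll>
    </LimitExcept>
</Directory>

<Directory "/var/www/html/wiki/admin">
    # Sibling Require directives outside any container are implicitly
    # wrapped in <RequireAny>: the first one to succeed authorizes the request.
    Require user alice
    Require group wikiadmins
</Directory>
```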

Security Warning

Exercise caution when setting authorization directives in <Location> sections that overlap with content served out of the filesystem. By default, these configuration sections overwrite authorization configuration in <Directory> and <Files> sections.

The AuthMerging directive can be used to control how authorization configuration sections are merged.

<RequireAll> Directive

Description: Enclose a group of authorization directives of which none must fail and at least one must succeed for the enclosing directive to succeed.
Syntax: <RequireAll> ... </RequireAll>
Context: directory, .htaccess
Override: AuthConfig
Status: Base
Module: mod_authz_core

<RequireAll> and </RequireAll> are used to enclose a group of authorization directives of which none must fail and at least one must succeed in order for the <RequireAll> directive to succeed.

If none of the directives contained within the <RequireAll> directive fails, and at least one succeeds, then the <RequireAll> directive succeeds. If none succeed and none fail, then it returns a neutral result. In all other cases, it fails.

<RequireAny> Directive

Description: Enclose a group of authorization directives of which one must succeed for the enclosing directive to succeed.
Syntax: <RequireAny> ... </RequireAny>
Context: directory, .htaccess
Override: AuthConfig
Status: Base
Module: mod_authz_core

<RequireAny> and </RequireAny> are used to enclose a group of authorization directives of which one must succeed in order for the <RequireAny> directive to succeed.

If one or more of the directives contained within the <RequireAny> directive succeed, then the <RequireAny> directive succeeds. If none succeed and none fail, then it returns a neutral result. In all other cases, it fails.

<RequireNone> Directive

Description: Enclose a group of authorization directives of which none must succeed for the enclosing directive to not fail.
Syntax: <RequireNone> ... </RequireNone>
Context: directory, .htaccess
Override: AuthConfig
Status: Base
Module: mod_authz_core

<RequireNone> and </RequireNone> are used to enclose a group of authorization directives of which none must succeed in order for the <RequireNone> directive to not fail.

If one or more of the directives contained within the <RequireNone> directive succeed, then the <RequireNone> directive fails. In all other cases, it returns a neutral result. Thus, as with the other negated authorization directive Require not, it can never independently authorize a request because it can never return a successful result. It can be used, however, to restrict the set of users who are authorized to access a resource.

Copyright 2020 The Apache Software Foundation.
Licensed under the Apache License, Version 2.0.

Hi everyone! Recently I ran into a problem, namely the error "Core directory is publicly accessible" ("Каталог ядра в открытом доступе") in MODX 2.5. The CMF developers added this check, I believe, starting with version 2.4; it is related to the security of the site.

The thing is, if you don't fix this error, an attacker will be able to steal your database credentials, or at least find out the MODX version. So it is better to fix this problem.

Let's start with the simple things

To begin with, let's start with the simplest things, which are stated in the error message itself. The first step is to rename the file "ht.access" that already exists in the /core folder to ".htaccess" and clear the cache.

Starting with version 2.5, the contents of ".htaccess" look like this:

Didn't help? It didn't help me either :D, when I was trying to solve this problem while moving the site to another hosting provider.

The thing is that most hosting companies use the following scheme: requests for static files (txt in particular) are handled by Nginx, and the remaining requests are passed on to Apache.

Therefore the ".htaccess" file cannot be used to block access to static files, since it is processed only at the Apache level. And MODX checks exactly such a file (/core/docs/changelog.txt).
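For comparison, here is an added, constructed example of an .htaccess that refuses every request to the directory it sits in (this is not the ht.access file shipped with MODX, whose contents are not reproduced on this page). It uses the mod_authz_core "all" provider documented above, with a fallback for Apache 2.2 hosts (such as the MAMP build from the question at the top) where mod_authz_core does not exist:

```apache
# Added example: deny all access to this directory (e.g. /core) from Apache.
# Apache 2.4 and later: mod_authz_core is present
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
# Apache 2.2: mod_authz_core does not exist, use the old mod_authz_host syntax
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

This only takes effect when Apache itself serves the request and AllowOverride permits AuthConfig (or Limit) in .htaccess. With Nginx answering static-file requests in front of Apache, as the post describes, Nginx never reads this file, so a request for /core/docs/changelog.txt is still answered; a quick check is to fetch that URL and confirm you get a 403 rather than the file.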

UPD. On some sites I use

The second method of fixing the "core directory is publicly accessible" error

So what to do? How to solve the "core directory is publicly accessible" problem? It's very simple: you need to move /core outside the public part of the site (public_html).

  • Move the core folder outside public_html
  • Then, in /core/config/config.inc.php, change the path to the /core folder in the variables $modx_core_path and $modx_processors_path

Also change the path to the /core folder in the files:

  • /config.core.php
  • /connectors/config.core.php
  • /manager/config.core.php

And manually delete the contents of the /core/cache folder. Do not delete the cache folder itself! That's it, we have fixed the "core directory is publicly accessible" problem in MODX.
