From 2d2bb5c895f3033fb091cfc8900f799d065ca3c0 Mon Sep 17 00:00:00 2001 
From: Micah Andersen Date: Fri, 22 Nov 2024 23:47:18 -0500 Subject: [PATCH] Version 1.2.0 (Nov 22, 2024) * Fix compatibility issues with modern unix auth services, such as sssd, due to optimizations for large directories (e.g. LDAP) removing the complete group membership list (grmem). Thanks to Joakim Tjernlund. * NOTE: builds across all platforms now *require* libbsd or the equivalent bsd-standard group function support. * macOS build support, with the latest homebrew-core libbsd update. * Added cross-platform makefiles (macOS & linux only; Windows does not have UNIX groups, so not supported). Thanks to Micah Andersen/BIMI. * GitHub Actions build testing on linux & macOS. Thanks to Micah Andersen/BIMI. * Copyright information was consolidated in CONTRIBUTORS for consistency. --- .github/workflows/build.yml | 47 +- .github/workflows/codeql-analysis.yml | 12 +- mod_authz_unixgroup/CHANGES => CHANGES | 0 .../CONTRIBUTORS => CONTRIBUTORS | 0 mod_authz_unixgroup/INSTALL => INSTALL | 0 mod_authz_unixgroup/LICENSE => LICENSE | 0 mod_authz_unixgroup/Makefile => Makefile | 0 .../Makefile.win => Makefile.win | 0 mod_authz_unixgroup/README => README | 0 README.md | 33 - .../mod_authnz_external overview.drawio | 1 - .../mod_authnz_external overview.png | Bin 31436 -> 0 bytes mod_authnz_external/AUTHENTICATORS | 307 ------ mod_authnz_external/CHANGES | 345 ------- mod_authnz_external/CONTRIBUTORS | 52 - mod_authnz_external/INSTALL | 699 ------------- mod_authnz_external/INSTALL.HARDCODE | 76 -- mod_authnz_external/Makefile | 26 - mod_authnz_external/Makefile.win | 28 - mod_authnz_external/README | 254 ----- mod_authnz_external/TODO | 18 - mod_authnz_external/UPGRADE | 115 --- mod_authnz_external/mod_authnz_external.c | 955 ------------------ mod_authnz_external/test/README | 33 - mod_authnz_external/test/test.env | 38 - mod_authnz_external/test/test.pipe | 40 - mod_authnz_external/test/test.pipe.php | 42 - mod_authnz_external/test/testgroup.env | 36 - 
mod_authnz_external/test/testgroup.pipe | 42 - ...authz_unixgroup.c => mod_authz_unixgroup.c | 0 30 files changed, 3 insertions(+), 3196 deletions(-) rename mod_authz_unixgroup/CHANGES => CHANGES (100%) rename mod_authz_unixgroup/CONTRIBUTORS => CONTRIBUTORS (100%) rename mod_authz_unixgroup/INSTALL => INSTALL (100%) rename mod_authz_unixgroup/LICENSE => LICENSE (100%) rename mod_authz_unixgroup/Makefile => Makefile (100%) rename mod_authz_unixgroup/Makefile.win => Makefile.win (100%) rename mod_authz_unixgroup/README => README (100%) delete mode 100644 README.md delete mode 100644 documentation/mod_authnz_external overview.drawio delete mode 100644 documentation/mod_authnz_external overview.png delete mode 100644 mod_authnz_external/AUTHENTICATORS delete mode 100644 mod_authnz_external/CHANGES delete mode 100644 mod_authnz_external/CONTRIBUTORS delete mode 100644 mod_authnz_external/INSTALL delete mode 100644 mod_authnz_external/INSTALL.HARDCODE delete mode 100644 mod_authnz_external/Makefile delete mode 100644 mod_authnz_external/Makefile.win delete mode 100644 mod_authnz_external/README delete mode 100644 mod_authnz_external/TODO delete mode 100644 mod_authnz_external/UPGRADE delete mode 100644 mod_authnz_external/mod_authnz_external.c delete mode 100644 mod_authnz_external/test/README delete mode 100755 mod_authnz_external/test/test.env delete mode 100755 mod_authnz_external/test/test.pipe delete mode 100755 mod_authnz_external/test/test.pipe.php delete mode 100755 mod_authnz_external/test/testgroup.env delete mode 100755 mod_authnz_external/test/testgroup.pipe rename mod_authz_unixgroup/mod_authz_unixgroup.c => mod_authz_unixgroup.c (100%) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0807881..7fb996c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -12,7 +12,7 @@ jobs:
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
- os: [ubuntu-latest, windows-latest, macOS-latest]
+ os: [ubuntu-latest, macOS-latest]
 steps:
 - uses: actions/checkout@v2
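Review bot: `- uses: actions/checkout@v2` on the context line after the trimmed matrix is a floating major-version tag, and v2 is, to my knowledge, a release line GitHub has deprecated because it targets a Node runtime that hosted runners no longer provide; this hunk edits the matrix but leaves that step as it was. Pin the action to a full commit SHA and keep the version as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v4`, so a moved or re-pointed tag cannot change what executes with the job's token. The `jobs:` mapping this hunk belongs to starts above the hunk.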
@@ -30,50 +30,13 @@ jobs:
 brew update
 brew install httpd libbsd
- - name: make mod_authnz_external (POSIX-GCC)
- if: runner.os != 'Windows'
- run: make
- working-directory: ./mod_authnz_external
-
 - name: make mod_authz_unixgroup (POSIX-GCC)
 if: runner.os != 'Windows'
 run: make
- working-directory: ./mod_authz_unixgroup
-
- - name: nmake (MSVC)
- if: runner.os == 'Windows'
- run: |
- # find and set APACHEPATH environment variable
- $env:APACHEPATH = Join-Path "C:\tools\" (Get-Item C:\tools\apache*).Name
- # set it for real, GH Actions uses a new Powershell for each step
- [System.Environment]::SetEnvironmentVariable('APACHEPATH',$env:APACHEPATH,'Machine')
- # this 'apr_perms_set.h' header is missing from Chocolatey's Apache install
- Invoke-WebRequest https://raw.githubusercontent.com/traviscross/apr/master/include/apr_perms_set.h -OutFile (Join-Path ($env:APACHEPATH) "include\apr_perms_set.h")
- # call vcvars.bat to setup the environment, then call nmake to build the module
- echo "call ""$((Get-VisualStudioInstance).InstallationPath)\VC\Auxiliary\Build\vcvars64.bat""" > winbuild.bat
- echo "nmake -f ""$(pwd)\Makefile.win""" >> winbuild.bat
- .\winbuild.bat
- working-directory: ./mod_authnz_external
-
- - name: make install mod_authnz_external (POSIX-GCC)
- if: runner.os != 'Windows'
- run: sudo make install
- working-directory: ./mod_authnz_external
 - name: make install mod_authz_unixgroup (POSIX-GCC)
 if: runner.os != 'Windows'
 run: sudo make install
- working-directory: ./mod_authz_unixgroup
-
- - name: install to apache (windows)
- if: runner.os == 'Windows'
- run: |
- # get APACHEPATH
- $env:APACHEPATH = [System.Environment]::GetEnvironmentVariable('APACHEPATH','Machine')
- # manually install the compiled module in Apache
- cp mod_authnz_external.so (Join-Path ($env:APACHEPATH) "modules\mod_authnz_external.so")
- echo "LoadModule authnz_external_module modules/mod_authnz_external.so" >> (Join-Path ($env:APACHEPATH) "conf\httpd.conf")
- working-directory: ./mod_authnz_external
 - name: restart apache (ubuntu)
 if: runner.os == 'Linux'
@@ -82,10 +45,4 @@ jobs:
 - name: restart apache (macos)
 if: runner.os == 'macOS'
 run: brew services restart httpd
-
- - name: restart apache (windows)
- if: runner.os == 'Windows'
- run: |
- Stop-Service -Name w3svc
- Set-Service Apache -StartupType Manual
- Start-Service -Name Apache
+
\ No newline at end of file
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 512e76c..e44bb58 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -41,16 +41,6 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v2
- - name: Re-root the workspace
- run: |
- dir
- mv mod_authnz_external ..
- cd ..
- rm -rf mod-auth-external
- mv mod_authnz_external mod-auth-external
- cd mod-auth-external
- dir
-
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v1
@@ -74,7 +64,7 @@ jobs:
 # uses a compiled language
 - run: |
- sudo apt-get install apache2 apache2-dev
+ sudo apt-get install apache2 apache2-dev libbsd-dev
 make
 - name: Perform CodeQL Analysis
diff --git a/mod_authz_unixgroup/CHANGES b/CHANGES
similarity index 100%
rename from mod_authz_unixgroup/CHANGES
rename to CHANGES
diff --git a/mod_authz_unixgroup/CONTRIBUTORS b/CONTRIBUTORS
similarity index 100%
rename from mod_authz_unixgroup/CONTRIBUTORS
rename to CONTRIBUTORS
diff --git a/mod_authz_unixgroup/INSTALL b/INSTALL
similarity index 100%
rename from mod_authz_unixgroup/INSTALL
rename to INSTALL
diff --git a/mod_authz_unixgroup/LICENSE b/LICENSE
similarity index 100%
rename from mod_authz_unixgroup/LICENSE
rename to LICENSE
diff --git a/mod_authz_unixgroup/Makefile b/Makefile
similarity index 100%
rename from mod_authz_unixgroup/Makefile
rename to Makefile
diff --git a/mod_authz_unixgroup/Makefile.win b/Makefile.win
similarity index 100%
rename from mod_authz_unixgroup/Makefile.win
rename to Makefile.win
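Review bot: The `if: runner.os != 'Windows'` lines kept on the two surviving `mod_authz_unixgroup` steps are dead once the earlier hunk removes `windows-latest` from the matrix, so they now only suggest a Windows path that the commit message itself says is unsupported; drop both `if:` lines and the `(POSIX-GCC)` suffix from the step names so the workflow reads as what it is. The `run: make` / `sudo make install` steps now build from the repository root, which matches the file moves in this commit, but nothing in the job records which `httpd` and `libbsd` Homebrew resolved, so a failure here cannot be tied to a toolchain version; a `httpd -v` line in the restart step would help. The last hunk of this file adds a whitespace-only line with no trailing newline at end of file, which should be dropped rather than committed.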
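Review bot: `sudo apt-get install apache2 apache2-dev libbsd-dev` is run without a preceding `apt-get update` and without `-y`; on a hosted runner the package index can be stale, and apt may ask for confirmation when it has to pull in dependencies, which with no TTY attached can abort the step before CodeQL ever gets a build to analyse, depending on how the runner wires stdin. Change the added line to `sudo apt-get update && sudo apt-get install -y apache2 apache2-dev libbsd-dev`. Related, though on a context line of the preceding hunk rather than a changed one: the job still initialises scanning with `github/codeql-action/init@v1`, a floating tag of a major version that I believe GitHub has retired, so the analysis step should move to a current major pinned by commit SHA or the workflow will stop producing results.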
diff --git a/mod_authz_unixgroup/README b/README similarity index 100% rename from mod_authz_unixgroup/README rename to README diff --git a/README.md b/README.md deleted file mode 100644 index b344b82..0000000 --- a/README.md +++ /dev/null @@ -1,33 +0,0 @@ -# mod-authnz-external [![Build Status](https://github.com/phokz/mod-auth-external/actions/workflows/build.yml/badge.svg)](https://github.com/phokz/mod-auth-external/actions/workflows/build.yml) -### External Authentication Module for Apache HTTP Server - [Apache License 1.0](https://www.apache.org/licenses/LICENSE-1.0) -Previous Maintainers: Jan Wolter (http://www.unixpapa.com), Tyler Allison (allison@nas.nasa.gov) - -Original Author: Nathan Neulinger (nneul@umr.edu) - -**Mod_authnz_external is a flexible tool for building custom basic authentication systems for the [Apache HTTP Server](http://httpd.apache.org)**. "Basic Authentication" is a type of authentication built into the HTTP protocol, in which the browser automatically pops up a login box when the user requests a protected resource, and the login ids and passwords entered are checked by Apache. Mod_auth*_external allows the password checking normally done inside Apache to be done by an separate external program running outside of Apache. - -![high-level overview diagram of mod_authnz_external](/documentation/mod_authnz_external%20overview.png) - -### Support Matrix - - - - - - - -
Apache Versionmod_authnz_external Versionmod_authz_unixgroup VersionSupported?
Apache 2.4 mod_authnz_external 3.3.x mod_authz_unixgroup 1.2.x Yes
mod_authz_unixgroup 1.1.x -
Apache 2.2 mod_authnz_external 3.1.x or 3.2.x mod_authz_unixgroup 1.0.x -
Apache 2.0 mod_auth_external 2.2.x - -
Apache 1.3 mod_auth_external 2.1.x - -
- -Older versions are provided on an as-is basis in this repo's [branch list](https://github.com/phokz/mod-auth-external/branches/all). - -### Security Considerations - -Older versions of mod_auth_external would by default pass logins and passwords into the authentication module using environment variables. This is insecure on some versions of Unix where the contents of environment variables are visible on a 'ps -e' command. In more recent versions, the default is to use a pipe to pass sensitive data. This is secure on all versions of Unix, and is recommended in all installations. - -People using mod_auth*_external with pwauth to authenticate from system password databases should be aware of the [innate security risks](http://code.google.com/p/pwauth/wiki/Risks) involved in doing this. - -### mod_authz_unixgroup - -This repo is also the home of mod_authz_unixgroup, a unix group access control module for the [Apache HTTP Server](http://httpd.apache.org). - -Source is available in the [mod_authz_unixgroup subfolder](https://github.com/phokz/mod-auth-external/tree/master/mod_authz_unixgroup), and releases can be found tagged with the "mod_authz_unixgroup-" prefix [here](https://github.com/phokz/mod-auth-external/tags). diff --git a/documentation/mod_authnz_external overview.drawio b/documentation/mod_authnz_external overview.drawio deleted file mode 100644 index 6182c0c..0000000 --- a/documentation/mod_authnz_external overview.drawio +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file 
diff --git a/documentation/mod_authnz_external overview.png b/documentation/mod_authnz_external overview.png deleted file mode 100644 index af27fe72774ccefb405f1d0a84c5172a45dd09da..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 31436 zcma%i2UJtr)-DMhM4AYK(gl^?I|K-X-XRo0TIdO(htProVxuaG1tX#;y@PZ?0RbTv zdIzOQ?-eGEf&=|A z;1)bb`@4I4c%$6^dM7O@EhQ!?BPOL_B`tMcMpITAe8@v1blHjq77Ptd1~g z`(Nyo(+=@5yW$z{i;)fU*9^J>x0LnyYY>bJSizs^%>YNm0QJX%DA-`#UC&Ev>C5Vx zNlKY%*~!8E^?ZXYrQP+Aei#E?mtYeu#ZZ4aO}ikts}9o5&05}2$-@-PF0JLN?`DbC z)ONS_Qg8u3jgLQkLcoWdnU9>bWT087pB(t98(^Rq6pGb1x3H4b5A&5V(+hR;4A$3F zkTU~qb?ohfU2U~BP26O$aHNZGxS6TGt&NeTwUn2&skIB%+Fsv62d<3@Ft*gf`DhxV zrS))z;Wh!mCf=qN(&$icyqvBVN)xXbZe#(53k%nEl{2xk&@!-9GFCLgd!cZ0nx>W} zSQ|iywV$26q^zC0udS7tJsdBifblZYRtx}SddcbPW9)U2W(Lw28CN$WAbMIx{#b7* z7Z0r<19v$yqc9)`T9&R#;1gU{p|T3nXgPPJQYhBI9b+aHXrSm8pl9zMYT1WVpW`-b+W<*W1F!UC}!* z&@j-@6mEj@)(y7Ow(!&QH3me72Ze;X`GuL8S=zc|;9dwg%GlgI9AV`vi?T4a_YSnv zv(a+HBHeW~!);uptWD)`_6R>fA{uOwF2-By_#Rw3Ho;N`)>ut&>#r$ksww4ZWgli5 zW?(QqP2-kC?dcn*w4co z>w}QQTVhR6_EMJq9$-3eehQ5+;DH|(&cZ8LJn=hDN8)<2VQINB7lXegE)IUBz zHpbRg*4~B)OBWN+Kug=mCII0E*9*Z|A>HiYt~OFQX<1DdcTFA15G`wceMw_q0|Q-2 zUpH4@4_`kMXiG}D6XngyC0x&``JdB}vIbVIC7 zuwF_=a`-TLoT3y;$wo(4-ya!jZ>N9&11l&>Tey1r+3UhXT=0GL_{0*#w9B*@w9Y*rL#(_C_}D+TmW7NP7=?1kxNYjnI_E`C2IIdx8#rZl0Q07X_rf zD;gCH$LSddAUx&JSOt4)DGP5P!n%qsD0?%kuB^8{)=W1%5EE#MGSLn&39~?W8_4VE zf)@IA;WF5eFjSzMyjy_xF)Qo?;i2|&=B|=qZr<7$l$E=+F&>2qRB(fv1(?eFTN&GX z`^sCn$lHOnXodP%x}gJno1?TXeS*v_bX_H_yp52qf!>Cm$CH}-gv+?V?QP9vEZuDprhu?;AEc*in68n% zxlf>yl2HiU$iiDY)ILzs3L9dnh{YMn2TS?u_*>)fhNgDXA;xaUq~q<}Lfz09oIl3e zOwL}?Ex$zwvNa`z@pk&;9!YzG$ zFjnSnNW&m=yj*~#q(_)P2Jeg1x0esXO8H3Hn@DRR16m%`zaPmQB zA!r#uzpktvFuLITZ@c@)2!r4M!aOoMkuO_$$;f!g^x>LTIH%zT zED%weq$?QCPw=%cGx1Lo@HdSY+aqmxmTY;p-1?~1-n2TqWvFF zh!6lQ4$kpEmnf(Oq(fAhvtQCuK$HBZ0z zCnx|+A^sSIS;zo)Rb zR@j&TRbH5NoBHQOT41n~#*crd{$s&{|85B5X1@4)O&cnh!VLz&quW^0VVZ!nbFqN5 zW*t56Y97O<3gFfFa__LP5g31}&Fzyu46X<%=SqRqQg}5jRGl--QUZMKRw2uOstRd@ 
znl#ed#oneRMay6!ZPd_!m&e1H{$t0O9>D0JoW(VJe6ixRInKh48!qF3iHCyCKdYZE zKeQ;!eiHLs?18sqTjGnaef!A%!F`@9klo_mQr(|SiDS`jJVzS~7sLByfBZ&3o_OZE z7cR0U4inxamPBiB7_cO!khR~Z;fmL}nE?B`qX{`@tl^@`f1arlVhKYG``U`Kyh0FW z4Ao5PFPTEkN2n=-v!0|?7Mb$;kaM5SZnG^hvHRR|y!K6r|v^ka*j&6>%lT=~hjjgA_9(3h5 zxaFh29wtMTt5#Yz-syr#JZKPpWAWelVs$AvT0YUROZ41^echCx4EAV9?L!-Z7PI^< zZOb3H^mv7!XRo;WFl3yU|BKM$emCyGzET)KRH z#lB*Az<2h}NV-A_%m_@vZ0TDfTFRV=|NVlHHSFk-*nwdllHhNr)(~S!RnT!S-5fj3 z{00FRx7t!X_}!SO%HxnMda<`aQ|Z1^6Phixo#jHzBc0pBgpmTpFG3KOjx3nb4A1P` z9saVgclC>PZ#!p?^fw-8VDSa)sYA09*2=DF^}n$GMu)4HvQCkZVN%FFEy1HG=AUi? zLhED3ZtqYxp`5OEJZC$(g?>4w7%u{@Dioe576u0noGVw(BgtGXQc~b$xmWguh8Kyx zE;ul-G|C+E2(OgqU1#&K#Zn&ZL= zcAhx=BzGkC+=-cmw}*Qt$y<~Kh6_6eN?6Zft!M-ql*rAKkyn2C(?srHWF_sWd>xuC zZsPl@(^cr*imUXKF?M9X*^#DcH=DVYhdayt_To1biHaPp?D!$}%jwjVx%zhZm~6d0+_M7>8n zjVny8sVuq~+b0Pfm#>2!I#4}%zWwoaqp^*D zkqEJC)@;!>Uxc_^kBP4WUm*{Q0HoYcU5WKVEHG{w4m^!*H*f4lZp zyTajG#Wbhs56)yXHMdxDLenrCb) zh&jV2i`l{>P* zD{YteKgPec%=`Lo)0cw*}6>~C)x&2S@|r&SslkE+%OQKq*a#`G2OT1$}(+CMfe9sP<^?Id4T zKg{@4>}u~h_0oSv2XD@We*c}Z=1$l1fn=0e4w0XFM!;_{(993J*Ikez&3 z+PUX*@E9rO5@Usmr@i?iotKEu7*kR$wDt!>1w$@&;_Bj2dpL2iexY#Kin#odYIr_o z{PrVg?b#P?nnzwtd9g{a9Ofraj_I~Dps{XAeHQ{4Pn?-PQ+&VRlhu1zU2)Em+NHep zyN6MmKf2_6ate#vE+^L%hFe0^E>R69RK7x<+fK;6-0HX$LE|$}SEQQP$k-s}{FQ16 zE$FOuOg>gFR=%ytT#8hyPPN{M-J4`6PH>dH6I-+x+xF`$!^P6^d2{ahvN!#A-c|*4 z@ZQ>bDMBnnjNOT?GAReW`d`l_IOYZQj{8qww2z#%Dc`}a-EZ8knvkJVZeh-0ATP2s z9=KNEbcJj4_G+FD>r8YVJ)-aCmHoKo1m!^vcO-1FvexSp{+8U?mZBf$Dhr(~A!y3_ zx)JK={9*KSpYND^?azMfD=*J2J}mlmWo)DUH(d=z4R?@tJ&13P;iwIS9;m$qp96Y{`%-WqMN6!f_tw8)M8&Q1|DcolhIp;_LAVp)Jr}# zSbR^24ARO-8?4Ve{8M50YRHg1c+0}iv@bFl zXIAz~km)hmvVvluhaNN<;OYIT4l6yP2-Li3`Uf4|=J{AS4Jn${`@-pTipv0SF0l%x z$U{t;{|kO4)L}~)Q(&I~GD;2JEL~FqAi3wwwq4kN&^~W$+cCNqm|-~P|KHc&4R_U< zCPgOIEBF^vL;yN266?han*wzFQ^=iCS{MN5%rG(=4R3(ia~>tf_htgjevHs}W66a7 zdoN`3|K2P8AJAP^2nHGBIOG3MN2KE)!vmE3jLq))Wq`he(Bb_m;eZ(*6!=6^lpx|- zo%Q4;zw}v&heBhKqLDpdeLX6ne{U4HxkC%wF5Nb+e|ms{{}>+G9Ob3c&xZt?blD+m+awEY(uQ#dox2I) 
zR*Lj0SwZw?;NIvf@X!Mfi*Ek0!_$yeav)RxwO27g=6~&VjA{SAynqi?DS?HkwrwB36Q);Bl$ zt001h2K(Q8MN&TgUwf(ibFbWhl-x;Or}___ys`fn9o@4tk0_*?XE9EMojqI;8?x8XzGASMbAYkkV zaB_ub+UxX*GEgac^7z2-ooqhyJ$Sv@Gci9b<8J`}Fthqp{@?!N6ip8Ai3`NmZR*)? zOu#3<|8L%60Yl17Q<`a@v@~9gP!C3-*kEuDzMxeyRD-|@k55;OY%B$ZEIVH*Yx@7| zy_){zx|7a;?d~DTxUoFAO-8xpet-+>r4^ivofVnP+SRlv9spv|fN`=Z>IIv#KU!Nb z@{WRqiNrdP`X8Rk3V?HZo4vRPj1cU>(DNhhuR{!D0EEc#_PzO5+RmLGG}rTCWvmX> zcKb{S#yj}q_pbY>)&zz!pT0|W6<+4gBetjM*~L55c1Hyqs{At3+BSPNBvzY_8vRCV zN;}*p8l#XeVpbb=JJ}o8C^gl_ddpB<6y8f?b;v5rnDTeeLv(+Eon>S3rLKxg{nN&O z*n%lN%#@|AFe2=XNIMIeLeb1b!VYX_YvD^gwv8GZ{QKZ1x5bl(a2g1MOCitKh2Q(D z_j9xGKk|NA-MGRwAb*Z+Zb#*tCSn9l~FRnPe2}A|t?{mF-g%6sD+%&c;0Z6T9 zT|u=$*fi@dIrYg?+^EQuftze1H&-9wqq^Wl5|F5ay?~*nn4`PYCvY`WpVWh9yRFBu zj31}uZcwO_9upd>6j=pgiC}Xy17u`a)(`|JUMpkmg#SpDu}!g)Sh;6!#>YnrT}kIu zDER0v`K&hXuV`J+dd000TELXPTEA(+d@^qY!|C~Mu|stc)3=U+ z1P`nD^xO1PUajQlMO0V(FA1l5+cm7@Sjt`6M@9Y1e|THemsX!hku3<@zf)#sdx3=m z*aW=l^Hd~kQhk4^yew*ehkxe`f55`$7x5Q@8)}$J76*zY>OW&1T<5yJ)TZo9)1G$T zkgnA4i*n5GgHuvP*%7^2YVnE#$#nAqh@{Kbxd@)9;CUrv@=map;wXm~?jag?tG^4O z*BNJwT->3c2rk60@&Ef6#{dBpcK2?Tl)cFIyeOqIJ8Zl@94R)~8s$4sB<46jM`wbB zwLbFI!06FLFSd{`-wbnX)`O_Iw9hR6Ta`Wm0+K}*mC0M#a$4U(qG((1sbYXDM-QYo z#F4QAk9C9;2DCj7C0nq7)m_bm;;$wtY}+(KcM{TQQ(;)3T_-y-`Dpj}U=TG3LNuj3 zpj)pq!Cv%oO^NN`E=ik_%?ZUte)!o?f`M}Dh2j016U;jh#=<*XHlGgnn~wH3x@CG# zRF{@RhwsGdsxy7%yyEzsvVV2tGTdvuR%-HgY!-1dDo})-FZ^u>T#v{KCNwFLv1EDh z7@S>-6J1qk?Z8XU%n~(H|emZ4CPsJ61YSelD-W-VG-* zo1(*}F3?ZFlpXQJ<<|I>mVo8TfzE-(9XWCS$3(`PG{Tb~_SP{h^J!$u)rP+SL=oaW zURZrVwT;*;R~S!B@^u*W7R^sO#jKTnpy%Z~oEj}$3uylL2}A;h8AHrrWg^Au zNpk&rr_O`0VIvGG0H95I1VBSuDP&rRy#|9%%2?3Mdd|Gl{5e&ePZ!c)`xLchSLo({O z83M$59VotY1~;5q!$pi*&0*K4x-YYwZ;rk2DZ#B21SoZZRILOYP1du$47f;a#d?U} zU;$+R_`!zF7VC6Phgtna_p932i55Xg|DT0e#A|a{7)935OHJO`*jM==Iw{L*s1FTb zo$rjkNSs+=XT2vL8}6I^>wTaMWw5B&+d#PfpO&Li=Y6R13D4QI3$YYb z*+ote;o)pid0My*kzxPPAO7tT|3=fz4iWy1hl#xX!_gOr&wo%w)2BDrf3I#i_d*vk z#*FiLMD?fdX}%Yq2%_g{-x-6x4NmaiR&b9S9gI5eFB8wQrd}hLiaL4qS0@|NvYp}P 
zi+odFutCu%{>C(@@^qWar&{5ZX4uy@icvLO27zLOmy~h%dyaoYjQMB5+dU-zMi`aT zLW~|{Y~o}_bA2EE-YHUpm#$5=*fDp|^-v7G@R#!tmInsSxrZ&A2M+ujkFGVXo=)|J zySITrbYjPO<{^Im2w)XQ*Z_m^kf*>I`PgAlp+g`ycW}=Xr%h?5peQi2d8_IG|6Q3F z>A$vX!Tgi@n(A*0xJhEi>dg-76H^ZekAd7KFMc%0}i7(Z1>so(vwkw zYcJ@EH=5+8*lF?!M0GX}!a#VR=TI__hWP&O>V4nh2Ak03;qzS?V(D{FW1KvC9^2uF z?4q{35xXn*(uGYsW67z%Wksx{e#tfM5=d6%uO7$etL{x+3+xiB?s%qs-5pqYBpbs( zk!@*q&4jT-!w9?h<&^Ek0d{YGhP&SDuBx{ZMl<$abQ(3 zV|9V3f+6$ZQ2+wTpMZTg7H?bon{_Xq?%Bb@&9z&}C(??R6nr2IrFqkP0Og2a(EzP5 zk@jHCjhj6xWtg#AtqU{c=8?N&VPFLgbZ?`U221nf#N(tW6pA!CXg;flty~Tm1Gd0@ zbM|AITl-0+$i0$L+{~T#a!jMU6ERJy+g~lE{m1LGPXG{b@pIxfI4W!+wYuN437EKB z>~p$6+%RH2ztWoZpiNF?uU04WX`1%R6YX@xh=~(8j&v&)( zKF4G0Z!K<1_>{_XlltO@$A(wOY47k8f=5hsaHQH_qQ1L`1IZZP?c@axv?z$@|2fdd z8c+W0En{dpb8`k39g--D&{-qYhVmmp|0lKfIjn`ZJRx3*}^-qiK@0j_6fnL74X4tFP#mEBvH zQ-A=gqhFO*fDP2{y=}=0j>bEkxQoGp8B$cxCY#dSvO1l!zhi{VV(ZE#UQx={zw>YW zIV)*$2K`KmWDVt%A~C9MnK6%>D^PI`ydAmI)caIJf@y(f3>LZl={bV_)6&fVE`@W8 zS}j0n!e;w0@~2448>k;QSdUe^57eX{Wp}{MicPNQ7n>=;F-{M%br1T!$u~vra8(j? 
zFHosdGjg9@!N(qrL=ne0yyCEz!^T3&{3jZxRygGo>|0fq#LsdzN=57}U97|KO3-|N zgsFYa^evPVKhAnlw&hr_R=Q zc(|KRV29#!D%E;8r{DCX_B+v$%HbD?5&gs}<;T@6vf{^Pz%uX|A!Di^&ZkNR0zbil z9{SKP0+aiCiwpO%kHU0Bi2KQnhnyC$>Rt{dGg$Ie!N_n;E{}`#N`Ik4?mPR1%EY%V z2zJfM3HcSeeIqUSqWXPn9g^`x@>wN|%UAb<&97~XE_S*eRN=RM-fky;X>m;yei~V} z6)ZIBHq$M8`oz!qi^ldv%EA(IN@EML)Z8iPkt&9+*Yt{`U!E;BKIVyBi;djQzj6;~ zxh|fAw>+nGv?CvnU4129EcEgoun>JBlR_NfVzhUeOAz+?oX`<%+p zq9tI>cCw^2e*%Rd^vY4S+5$Fkid17{s`1$}ZKZax$kqHBW(k9w8@5a~}KYps>BE39$z+|Zk#T)*K8@0u$i?7Bcr^--Q) z4Sy-wfs+dkE)YTfScL4l^CJ)P2#qsIDlc*7pDccj+))@;+}I=K*;G2rO>%O1m=BOU zhMc3Qa9miT`;-?Y+tv9a<4Xpc(@fcyCzm0PAE7&!CNtNTK2QYa;Gv~znjWuK%|QPBC)+f z&k?dbLSDFD&v{y^^SRG^5E;%&B7DB|=E>i+07aXEn9@6SjZ4A8NEj0B@a?7JdE!8k zqsn)PkN{(FqEtLonF2LC6;JkFTkN(I+J5eXQqb(F#o)Xh<05R4NW-KpW8&)XQ*z8uLzYr^#kMb3H!4q4WR`TA|X37ShN{k+&; zm=3(o5B1@jMK|wpvy(5=d2x&sIo93WTGRBCq2jnh-WG zU;rJXcetiutE@kw%&d8JD)}F)`Y98V`SaV%N z#bsuqL?c2LYp0aUn%$Svh|Wze%fUsKO6Pp+|6%Op$9YJh_1UqzA^PwazaMjzYeR+g zVqCDvmvoANv0D<2ijP-iPni#}-YcvQUwCmp0fBKd8Lkfx3OK8vUZuM8v83lyZDSkV zq>N|J3DXM|KkGuixHX1|mO_8cKJqWRJaJ9xgLq^$BWEoNa19K3GxU$wjC!XWKm^(w98c^7?Gr*%5mX+-uRX5V)NzJJB?a>*VV>ee!}d(aztC< ze>mzYKlr+|lejiJ>9RI5@jEp2RF$ge=2}g_1|j&cKQDO{*|l^d#?1ljG+wX$Vr{nk-X}OXot~SG5ZRy&P8l> z!(}Opz7_n5jnOwj-y3$vMY!G9XZ7CLt?cwQ9yS)7L@|C}J2mXvH7pBxR4L$1v%f7) z9E|FY zuc_>PnElzO#X&-a*^7473vbBha>Cz-#z4~p5^47?K^UZ{AuqFH*vcO$N~KP1=a`t) zP>r0J79%9cybYoZm}~qU+$uI6wL6yoxm6D52$EGf{%Tfhu#pns#i`HHHbTTPTZSq!vbSM-69H^&~F(w{q6?;7VWglY}J}~?d4OLGta`v9NdFIgC9;u0tfs2wIQ`{ksynsPtL5?$cK8s= z;LMIHsc!3H^zt_!$_lO?^D0yPz2-`8g*u-J{L?OOB6{?d`h$7jrG|*zlMTIiiF(qW z*O>L)d|qt4HroWq?TxJ92Ae?e=;rl{s#exwTb0uT2}O3vWrgIS5?6P7)N@9z|GXru z4VCvrRLC#y4(L!^@2iQ47UU0#r1Ns%3sZf?MUHM=%A=?N-#QokG4m-g-86j^0ez5&2Dos@C|E-w3Z1*E}}isi-gAJcvE4WU)@dtYooh$Q^wn_KsS5 zSm9pjvlG9BUW)dQb1S=lS$sqgzcogIL%pPbxD{+7LbR5xacWYAax%)JmQg&MvW^N> z*70eK5Jwy8k4PTLrPljV+so>aD35ZDD|~7Gr&ELYH~hPK&RSeMIwCH|zeVvm;P$wx z>8}?Jyk;Tc_6q5i15C3k4_g|SD?!vm%xr)usVqfU?8w2t!CDmi?opQcEt)aO*Jl2H 
zGUc&7Ry35sp7WUjbQFqA_vpPM%3dW9Xq_(=DEgtLj zDxs<_0sD%&R-cBtetPe2A7nfJJ_%nr0K%VfLC&!i_7vQnEyEVFncNbedmX&!jo;m4XpDW9*AX}i`(6Gf10^f#!K8S(On#0UN-F3<5-qD zsHP!IuLMt#Vqr3mWI+(%(lEogbhIAtc__LY{bg*OUl((VBvo}YS2|#PgCfvK8ht{# z(Qu`Y^r>`s_~>)k`%I@@Aao%URAL#E1MqJO)G^Ur2Zw6RKL@U9{92U}%ebcBuG74m z#2(PMGV>Yt1nE}b+=H41j@b4;Vp4Ra^oZ<21<{>tepgCqxXkaPRDm?UhkOrW9^&Ke ze%n)ME#su}B>%wALh-a&9RNSQuZ9>H|6|#wT$x=Qa3gxi__CYs2Zvp3T0bMXD4idE zVkVuF7=0i4EVQ13GDl?p1tF>E(Jv7*=w?P!XXpbK%HZp3nIQ)h0Cv_sB-CN*uN1Cb zI`Y=vqimeXJ)&q^#!ZRO(pSz*4N-Fpte2qw6V@u6X6*a@ zw3w-rrks>Q&sBUdV@Bzw{)G9#N)r1MHXOVSkgi6O+MzN<890w`Sbf2yKO?MUXaprc zCZo+Lm%Own>N)1)$b;dWm>`X z1>xfvt8CT+8p9)8YcD>SwxgY0&i_#yc^t@xOm zKJ@R@*HD?xXyA-Oq(wgB+)1$!#1sBC&f_@xd>oitcrerZ5``*lT$w;2bM$(qQBnm) zlqhkfQIt#GFXg;phTwTs1F zpynVzos_3!`(Tj9NSilK{j+jBvRNBa*n;bMth6zGOQI9R(QXP|DRqs1tQu|s0$D;# z0mm-EJrQK5SoJ7>uiEZo)y-}hZK;1{u9}uc-&o3{hXo(@H%9G$`yl-EE^tvgk6n?7 z)JC?Vze8{X^}FK{mK$11+)-PfT5jEDRQ=#kjS>4@IPu)CJ?UKfSY24xaiXMxJNz57 zQouBPDmJ10a@U=D&)zIC5CLSPSp>N*C+pr!8PC&K9TwM)ebM~lM*D9+ze~itxj?@G zf4Fy65lh4oNr8`*f^=;P?d87n&43hOYvc+5t=R=K9^Fh>hkD%l-CvU$ztnJJ(fiAR zALRy4{TvRiaP$D-v-j{^7oO5g+`xDJx6yST?+)~N4M1wsT%MkujXstc%9kNfXlWZ~ zb&1IL*@~nUr!}8P{S_a$3ZerSoyMdgh2EN%^N4X|Z3s%K-**m{`Q<{sFokUAjm3dN2Zd9=_cVUEw8F6G;$*n_ z*BaO=i{_kK^-qgmzVOcwAz!b`O3m}hSXmGrl{~d+{k>B3Z9Eh|oqCCK|4B`n5rN{D z9!Sh27j`O#3rI52&_6~`yDEdtJ_gZ+&(8FBy}m=`KUdzX?m&aMtY8B3wZD|aw{cp` zUiQ=s3OelceBALP&$tI$%bJfv@s{GTw`hJHY|rVdmm8L>x8qVOubyccWO!|+d0W=1 zqqVMpXEzq!RLw|Nh$SirrKod@2kKEr`rX*unZf@#xi}>;NwM$KW8_a>R z!kB#hvwUz)URDu-o2|usHddT|3YIx#jsexNHcoeP`<*oR*Iapw;wbcZHG#Cma)MAe zlUMJM87~fEf03Aq?{k%-v3B&LVJvban=^z7#MJ5aG7ON`P9Bcqb4p>W)9-Ito@V|b zA9_JyrC}<8D}nx?^T+F3G~0a5Y$VLjQJuIV;`{BY+o9_`?9BLuuH&f)6m-XPDMKlP zc}ZF2`Y>4T8ePr0d}!9A)DM+#UdX=J>)G)%MUNzBF0y;;Iu;L6`^%XhPg6yKQ0@EZ$`wB9kWQbO z^UK?)>t=%!`Bhzc>7HMFD;fu%vX7)MAlTFIy^qcK9?M}hW=HfvQtUQTP-xK=6ZkfM zE=a_lnoYG`$aQWiEpvOLN3?`qJQ3;CfOHJM+C?F2@3i}>Qn=#Hb+#HcifQZW_J>Jc zq46c$InM7FYMh2D2?-ok*ROn45_*#h#b36J|8+R0^G(6v_oyiU9Q@nF1C3m&qu-jZ 
zTBLaXm9AXVCqRdVKQepYVI|eDK~1Y4UgZ^as7zku#g$5k)xS&D_>BwrDy2#qv@tX_ zQNgWE-hF<%aDda>+0=o?V|R_VnhuX8-}ow9a=xElqMmn+ke_Q`P1YJFA63ZONKWoY zpD>eAT(?p?9UUR|8yyD6eyQU2Qp;r69gK=B)N5;v=jM&Qp4OL-WFIY&iOrblcksVQ z%@bL&HRvf8#D5D-zU`j5kmybW;4q5+%!DJIwc_j_r4IBuAK0?%L{+9_WKraXP~Fl4 z7p^?)=0^p_wVb;F6~FF`Do zZJO1EQBe;%P{-}%z*AQ(zVVLM&s5_um~U|V+2ph9+?PI=ZsX^kguQ%x^QHHX@!Cs7 zbf#JK;+$eb47z=xDyOZcBa$?=#9zk3sBW!uN(h?q+X?ESSKf0v7uH*7Ux;057 zmYpCAyK6%`f4INP7+*|h#zrdAYkPJ=5mRGwqJrT&EWDE<*zT9&osV?G=G?A1w^%1+ zE69)9TMUq}5lKeWb9%`~IAVTWs4Mq;E$do6-Lu>Kj;SX~Bjr=PL1w%o6Xv-8F_U@G zx-y|K{$o6SFuI9fSMCk?s93bsjM}iV-4rqUD*~p^Dv9nYX!&Lfyrd} zSH;lXKRYb(vYfF3OtsPlA{-2m<&~D$H3r8Muj=qM7o1`aw_U3l!glGG@XxY$Knyhv zL^W^J(O-W#@s7MO+b*orw%p@R{m!s&Sn@*8~kHwpMR+jK?B5 z={Ji+F4}aQlTd_&kt80Rr^WHZ_O~h0KBU0Bjx~CsC5#%nti&Zi)X-Q{KJw%bT;_cg z!^f{^@=2}bm+OaqEP5ID7TKIN^7un437XUabq(mWj_z^`#S^{D)tdm|4{oGM-5@6x@*M1U`eZ5%YEus2d%y%bKTQkx|B zW5oE^;EQwqI^Q%{QdzS$-2#D*0oN2QZ%)F~Xx6ot5e?_R@~?vWjlIP$TNKrU7HUSr zao9;hT9Yt;lK?+Gl`H2+_n`*AbW>{{$WsG|FX$CcI9_Dx7|GQz>0 zZl0Dau6p+oEdFhj3-3$h&5q-Lneg&oSxuy1=L-R)5orW!XvGyqCN&{YpvCOrrw{D? 
zApaK3lt!|A#Ft}Kl=%&b@3cwtxfaiUK}kNy@M;{H+5~WJ&UhJp=zGx1#de>2UbhAp zfT4)wx=eonDmN)#8KqG`nL&jY)KP|uZvG+BqP}}K(ggCvRl+&*8uJ<&`GVwjOv{`MWU5czr~qF@V`cXg?v`;PZh0MI$)x)*+r+>2=!coNhy0t_gk7h z`I^&oJ;-J;7%EMWDG^i|GR;36GJ_3J+?z%<&IQrUpNfEVoxKf4@_jaWIqoaeN=P3X z3+e{RV~a8w{@Z}G|39>goqAkMa3FLF>hm&z8b)4{T=_FX5$&b-U6IF2xVQt&P~w10 zP_Y+Gb|?O+d2K$ww#sOdT*wbx#2NLO<8`bAc)Iin2~Unp3P~_q{#B6pfGTzb{_RR) z2hWWTR{p>OK?b^cZ-Vjn(-WIYl);z8dILkXnycSdn$b2wF_25?g0V1Ax)uv#Ec=;} zcmQG)sfh=#6PHeQIb0VcC;#`(Cja4gwfem2t&Z-8G3pA_weR_*M?UNb^KX7k>_O9>6DQC(u^Y)ujR2sn!xz)7Xuhg*vub22k#{1R*}!e%28yru*UOTmff9cnlxWa?g40&JnhR zum%Qq$t9h=X5sbTJLA)}k0u{L9os{Ow<8<8V72zd{`<)0ah?nZ=Z}K=&U((0@}mmI zj1sD~H2Qm)i3iS{&DQTJYOYR|iYc5KmOAnUD z8yq~kAD9onYft964~%VcJ(c&L!i^)+GwoyVHFfO$T%28o`N)Dm?{PiIc+64MP#MaQ z9%Mh#u9Z%C3q(J{hcKs+g!j?xxCdX;&s@8FR(<&%wARTJq=(vXAW;UOY}cz*SSDPP z>Dcv-Co2#jE}HpW5<;I5+E%=GuXuSYf}be-MEfFfkpofVn|9_}9>vzbGI_*NP*-Bf z{Z6W};PRWYnvcJ!RIb!>aHS`TI#d;KeEF~CDYOGDV&A?+s6YL>=kRLUS|7hmx*dD+ zll$R^R&X$2FRS^^{>vxsLRXIo0k3%VuI817N{+$xPjAOeSZb)9ra!+jk?{5*prDe4>>Fk4EPh>S5cJn^;fGSYCXSV}+$5dA9EuEr&es?)%&Z8>n zm5Dy{cCI^9CVux|xq6~84+9*to5hQ)t?KfL|s(+{g8>nTk?=a19a;g{RPCZfWmemAQJFCBx&1jYm0pzcJQ zCqQ}e#(Z1k{`FW!bx;w3q=38D`-??GH34o?XSyFL_;a*U2jub>Ub;ICLeveH)Qrwb zG;DpwvRFXwY=OcKjrZgYpiI;?@a^2cYJhzVXmm3Pp^I_#eoB3E z%f&8&dSBWUf4qBbOvSv6AFA}bgnc{p?gp!l*UfGFsVSmK#Kj3|$en|+P{hN0WU=_P z^t#F~LRtTgQ734BXfN{$JtdUL3(eNzTeo|%RKhSExoApRrF$ya6$I%Hm5?rB6L&VgzUMvPIqTl!*DiY@>UyKg+AzERrl8Fj2|gy0uC>KEJv=Zn zL6CD^b63AB!)+Ksxj{hdwVG`t@?t7)18azYovHxNHv(dLyPs@X?BI_HT>~Rm<~xN7 zP~UnTkV-pa7-CQSME6JCY{l)?3#-=wEf=R7k-wG-l9oMgpLA0>kRURr0Q#e#it@IU zXP{l==Ntaij0jmS3K=hQ9(^ujlid%dA?RWRdoAcyUhb}=K9g_SDrBW|O58`PBJl@g zcG^R(hq+SMh7%ZjBw|uV#<|45{T4~{sK7XD)~$z8igb(ex_-50+0SZ$cKLoXLT#SP zO%t>0+{FyulvF7b4ynsnBNwk=U}z=@TkS^kRg)4i+q(h30I8XDQJY{~)V|Jy1^vLX z(hv(X43~&PvTcM(D{R-Ihq_mp+0b7{rbT0)7Zb~p(>`@eM~69T)@A)`?a!29P(}IS z+VFh8MF4Bnl+L>md>hb^Yt%kchxLT;eIE9xm^AvvmbGka@sfiGf*Ks`VYd`m?ESSw zkyvhVYDDrHrev1Fk>F%uF53Ds3lM>0fQqpiU=6dambcF@#( 
z3*s8G$waG%wK{Vzt;u;C1$%V<*fdRf6rrmcBMG(Fn-_YB?~?U-ILQ%TwRz5b863*j zM!{PUj`=MN?I|Pg8ub(_Lh=14F<$)z!t>ZAfDq=n%qqLj{wmPrj|Zu&GW3b zeq`3EtngC@{ynbwlh5v^V9&3x8p&H?dgA@Y`jgwP^J`?IQx7Yn9>Zx@ccYA(+L19| z4-j?lnpd9zruWcvQ z4$vG=G!M$<+8rnIO!Lrq*W8)~>>F6i>1Zhqo{r~Y2ze;&3i@?2ETtf*=iXcTVo-P~ z6tToYH0JnBs8EL0F9f?d$`j)8IzxxlzJ>f6Lyi4uRW2c#?GQ!*9g@(_y${mu8miNc z%`uAm%vRC3a_)Y}k`@Ee$eOKNuxsi&sB%^j7sF$g0x#!k*6zhPxDy>sR2vR!UsAgK zkG#d{h3=&I*54{Om-}sz0b|l0KgC7+A8us$6|jZ|1wr))#+!dFMRt97`fK&e>=uKx z5R^LcO&DqR4RDN+rHw@lo*r&QdO8ADYe#~P6XpBwvD<=hX>?vCI@xpHu&FaU?W26h zV?U29B%hHzjIsV%{V21m>yvcatN6V{dbUFlaMJpg%C7m$u#P^_(!TX7#V#Z(4^$acx zD3iW_wOqto{fxJhONPxajHT?E-lSD#ZzD&|&H3pnU6d$iD@%-$4uv9jaQKn%NhrZ? zT^8&$q+p!rNZwO$&ko3d&n+bRkVl?$V_T|TPoJZFILV2p8}>PJT-c+*_iVT4Tm6p= zDq52p+Z;&NWSaAV(&a3^R%WseIRErxnSi1^d24KBE9o1K~m{ED8ZZ4wF3!{ zCD_OH-1T<*d-NmyrtYmGoloG0_}urOqkrwMSL&YBT)S=5q+coLl4Umk>`>aFg8SR zJNVFVT6j)W7{FS9G8Myyz!)bTGov-tLlb!(K&z(jm1T1@Mw#rnHk9&Mqr4ZCnS6<8 z4kJ)8-aW3!Po|uBuksEpod_dHgt?R1>L;nFs06`_qvxM}50`5&`>Q}nPReJAoxIe6 zK2HzdMeS4`9~EP%#?a+dIe>!w?Q%;)#pB$R@7>Wq`N#w;m`mj4+RX_SHY^&KDlw2p#w?{Ly_q5Ge5pg?~mE zk;iXTb2nO~1*qd!9VR~R`OQi}Y)*iemIFeGRjBW@Pz#8;+fPvS8r?P%S!eEK;|&&_ zua59#JYw)-c=JIC6zUin7-#Zg=XFaP&M)(CI~QP3B>tGR$h_Uu%SN{z6@tStv>9MB z;*Rc;?hMeo`iS{$kB+bM^h_XIm7iMP-zyNdb=#VL(x}pvPq8WrnMw~X#_9^X2iMA9 zen_Jv6sl#C^+aFq;GOZzA#9n_RsJL*&|XDgT4)EF$&caHB!TZCnUtwL78QGu)Kf?dr^g~pfwK;!igE%NFz>f)>@W1v=pG}!J2;Ve2qC^2^WIZH{ZCD|~e zMoEX%)*6G{65G10ji?gTz6ZKV>*(@1c+$f=x;>x3FxP+XnswZ2U$!C6WPV^oyRT)C zH%c3*j_%^!Wq4|&Dw;;D8M#s2<*t*TRWbVnx^1b z9+Sq~=jm62Ru4`$O3A768ygJ_$FGxCpZ0gphDeV%ECs56DH1a)(yF|#@4Z>gPE|$+ z^{Q&ioxWrjLj(lcd6&Hw(>GzbpelV!k1Pk~G&-&pmKSLLL}Rh!mZH3e;!PvnZPCLi zMJV4U(UYBZ9&?N2$UTPC$P@F^r(+M`tCN4yK(rNDFg|UItQKX7pu~oW7At&-M$ly{ zx@$~K$k)!8^{l&T41c*h?e&%21afq@gp%RsF~Ao_7>zHF4jmN7HN4W3t0V2~dt8Yw zw!#9ocY`2Pj~k;D0Z7O7hK+~9#1V)yE(xA6(~xC=nd)%h%Cggpqow4PNZl%N9KSwM zoaaK-FB*pHsu3LfEF&-AA~#T^=+=@kv5x^^{5?L%cx`};ufNc*{Sm%P+GDZdFE&r> z+(gaJ*wJ0ab70;l0CwxG;bfRrYaw3hzc|7PMhFs~(8;c}lEnk*29E_khy68a6uWWC 
ziCa#Gj;PcXsDu_B0glRF_y@&Reh%R9>D6%1SQ#BtP!kCN;ld<9DiedFNMgBLx&%S` zH<#Gt7>&DJ5k|Lq?DnKcFD$EYu3RrEl*dR=e2m_ZiW9DDL|CkY1Z(k*Bjspl{eBsF z9*$~6F8Q4d7;sDF{``zWnUedhtz~EHy^YYp$1MRvjk9U5^<%91hV!H8Zz(nr>UbcB?gX<4-%0X6D|M1&YM>i!VuWn;i4l zPG z!2!YR95ey6Oz)^ty*e9o0hzi8B`WV&n}as`#$ROfHa8g(UEieuh}VYLR;%3pnhnbR zQ5Ae$=h#oxJ*RJ|8%*%w{BCDoa)PVI919hP2_21~-O$us#LI=Y5OCWu^FC!t=`#mjuMpTMRNn=OQGa50?xaS}3 z8M2u}t=JE*`+NsqN4_-mkotmH16J5prLVLpx+7&$do%prZz$JH?8k)3_jtca!5xa} z*jWU%zTHMK&5uBk0Mgz;lPsD0QQ%eJ-u#o7g|vhtJpTS9U)vUTZc1{ayat`BqouT# z-#{`C&+Ssq3E#)z8DX)aeNN;tqKWN#(kL`Bt~+TyvE-mmo#Hs;7zn)lGO(#h;>DsJ z$5#9yimF5!6i?YCI2iHe$fhZ#TLv^j95qqwYWcbL-`3pD(u=o4l*}??hLN@H>x_ea zrUdG0s|z(D9y0spx;b?WU-g{HPtXmQg}e5Du#o_|_Sxl(1@9)Ls_v>7$;(?eh$|&{ z(PvnWe-S&#OnCAp+(*DuX+$ZIc*nyf2{MJ-sEoh;IbF6JY+^!d5$050wvLGPs=ON14sf)hW%3Qr?Ma2~s`=d`sy!T>)wn9uAF?P=2FK8+kC2sUnqWk|Bt;Jk;cIqAe>s^J zzMX6CvZ0NRQLF~+Sxz>8fxzL?a55f!-4%FT1UQ*-k6AOB;HYbpvR?Lep`q@p$78pm z(Xa9>JdO&vAJ+9w+ql9r%AL10MpeiOr(RhdXT1SL#PZe#(yHE`mruye3MguC2y%6H zFt(FWOR6;|9*NEQN$Z1s?1kGx6Hv;cDS&ma0u+aeKf{WH*4x~JSlDQsN`HX0ne%l>PWF50h|-|8s_M_tmVm~X z=CMv06Vnh9tGT7yBq9vF09NgSZ*@Jhp&Uy_JB0z+dziW@O$ES!(#hh4EjP_>~R zGXA$g9srsCB71=j_|$1UU)K~P}Fu<5j1VSSE# z1-FmPHd&bBz-SoXVo$%SO@M`gG~qYef(@EeSlykQ1MU}FzQmP5Ohe4zN8D@t4n(g4 zkYZ(k4_+d>QyD+Mz~6sdE}TKH z(^YILOaA&F7y}pUX$JeoP^q3v}VCje?#G z*fMe;71c{9gE9T%)4(@DNW4%HVuZxafruAacma|Bw)|_uOeC8O^z|{=>iVJqYEw&Q z;p;68kV9d`zKAMGdK8q|`_->m{=zts#tgujg_eo8A10ypN*>3p-HquFxP~P|k8b1$ zoFCxNPfpr$R{5d#a*a94iR9Z*LB>_?M*A`ntsB@3#8`B4%3m>!0#nTBJ0ah?ZN-Uy zwS=G5pQs#O(s_TbRdNQy2_q_H2owRhQw%lhB9Upz1o<}_v}@K`g_3XZOUIw_?f=k zU+a%aSqW6>l?MS1k2dv8i01mLX!RGhGlTr_fzY~|#alb7<5~pRlArMbd#Dku?z&u~ z&udZas{7!92v(^OyP+SL#6npBl`P%)OHQl=2e6d5sq+RLU<0AJRHnd8!uj(2cp!|< zj}0iZ; z6u~mG4)Q1#rh-V<=WdEb`?JIbh`9j4;0BC)Q!-H>({daaO)`V=XuY$m$ViHB6Qn{?=R z9-2!-^oUod{2EK{?Xw1&Ua=P%Kt>qKG2^rUDa2B3unbqD4irjxeIQ-qWoTHdU6JJE zOCBGB&_lA+VuiMPFxMniOMv4A)|XdM@1sN?U23)wK$FDTeO?v@WJe@`@3LBO5Kl`B z$?!W}lPcSg{veGHRefu+arjwmo8&S~B=py)03cXuew9V9x=q~g(7X$DqjT#Z$yUN% 
zgw^-=8+Ay6Eho^+(M;$f279xC<>Nha2>VCx`YQAd1xO!}yb=9c*ONIQ$MQ-fO;D#; z5{|wH!m(ydDUvy4Y^_AtXC?(K$yxv$6jt8VOT|d(I;3d>>fD6(BRvi!8nYJ$&`vX_ zkJ^5K1TQ`)fv{ba4V{opPv+JWC0RX%89|54fHvtaTUJkuo&M%CTl=N}q>F=h#x+YqtCip;?|LWE6YvP74Cl7_=m>1PEZ z`#I3)`Fh%~yQf7?f)r56_TEt}KiVbEy)Ld6HTXH(npcA@gD|WZ!k=?t;D9{pgN}vEj zI%0(Ci?5 z`ci?~*B0<%h5Y#RUlL})zoeV**?NGsIg)nWtMw-;Mkk@$-ZlPCe-kH0w5q&Vgey5- z^jgWD5DPE8%Q=omgs=5{6Of~!IUUr@PhCU_4M`YFI}04m9ii(MHg-=eTB&-Sj!DuT z(0VKcGRDyPUN@4Q(E5I*N27KtVxJDyL%@&jarLUD%6jg6;VrCaSasJnZ~W2l-C|=) zzw~(0=0Jio(TT?P7kJ?klMVblHRXIA$L>tu3Bo5sTQ=GUP$V}Q)pWxodg}ywuN_b0 zKCWM(wL7kGs+fBTl35&r3L_U=mKdOMeVTFP-DuH5qu~<9INgJUBq_6@$W>_JQ@ZcD z+Roql1&y()R6R9{_V+^6Xoo5vdZjAbqqYlB?g4(R10MZ?Efy{s&zw4a_l!MHco<(3 z?ob%7IGg0md-+1II!_?-FMWWI|3HYOw}t%!70E{6T(ynH?oL>&o^rvBezYnb))ljX z_iKguuE!d+?c`DwpARWth6rrh3%GI0eHuKhu$lZRef*r5HPoRJAjx;lYBQWRbA1K? zx2$pFDBe=#%)aAmRrBum-jc2%VLAJIWv*?(&Gx159Z<@e^IFs(u@z-^ruGH6X0~sW z4EcH9PtvwOk_G!e0+f9Kdnk1V18%jzc?jFUPBL?#|N1O{?mKIS$D19$2C>#vSF<^b z+wTsgHqKqqt2T1o9*?@93&3e*vPciqVU3H_TkSfD^$!-7YAZJ6ZoeA!{%MsabPl9r z`mR&#;&oTbvE)%)d{H%@Lh&K{#*XVg029QmU3Q@h?e8qbwPP16Cv~mc?WVf!;5w>* ztoE*9IOCnsqMrjGLk;j3e08qm0pZ6ia2r6s{RNB4J9WM>Axo(Li zipAy|?Lgi%MR1F%Kdbccke)$9Hz{{q7!>i;HmUn>%z4d<&5{nS=T_77d%gY(2*hR2 z8d%Rd{DOG{v12A}HWOBQ^?KL#X)Z5o<5<#>+)}(Hg|JQ{L3b(ixTgS+5o8Y%Z(wB- z$6r2>8H?!kAv{4R)Z%8mO#M-`!7_fx_;#28?{Cx(3X@xQIn?wzY`6Y)SnWUgnRLuV z$CVzxo#|kRUKrj{i`l@%Jt>D3_HsT{JRmaEv5hLS8pTWg1+Gf@_1Hs07OX8%;6-^v zN#4GQ6nC+Ou`p2YL@cYQV}8{*_R}a88haFgJtn*w9H`eCxXqZh&{#9yupCvo!ItG4 zAH|yvwkEX)BtykZxdC|a+G^X60gjE~XSaae2;-g!VPISf6Qh`nsf7(XMW*98vE%!{ z&^=>B#4I;a2j7+h0BU!zy!6ELGGs_$Wr1J3F8xTCB~bNyhyKlezvnLvixt zQF#S=@)-R0D0Xi}&2zG4o$p0)R3k?rfgD9TM;5ACm+cv`2pi*NZum!+7Z>h~dj{cH z7ZTg|rnTAK&T;BgVT~E%+JcL+eMI?{nLam?A{~Rar~IUaLGi?L31vTWs71RNihQ82 zJ=W1MP}}`QcLXl;!hQUd-+^-16-{3U`mZqU zm&eMm60~>W_+d(!r_Qzy>K7NcTP9>Hx zVaRJ-tV$cMAUJ`$N%=t2l%CzjcrADD>08-rMrtJ!Zqjl){!LIya*3caB99it0Z@CX z*oeCJ*|v}X$0B!gbvtKBJua4DxY5V_DWgum*kJQ+yS1=+L`|^)F1!hj77_ev-J_bp z)_Z^J+BHI5l0qYFrcY 
ze<-^$`a$C4GAw+CmC=GaoMec>OHIy`iPyl3Iia2Y`{+Vlbo%(k2%?jSg1|?qjj#Hh zMq})IZSHTdW_DAcXv8(M%m5g^ZWc3 zc>#DcA71Hc1F;@KcQZuk`Y+bpZ!)RY1JUg65FyeRJ|B-FN7Q;kVpkywq*I#VQQl?p zM45EBO+(YNE6g76N_7`mBpAdrdz+jq?Lg72Int9^j=mO!;SEO0m<(dVB(@JE8BE7B z&mPODvGer*S4Grn)qByz7Y!JqQXxkJjCTgv&q3ucCj3kfXZ7t=wUf~^WYgVxaN!l1 ztEOx0{ulD7@D$UtU|4$laNfG|gFVVl@ofU&`Lt3h6On$OKL7Z6Z@gqQ<+SSyraQM? z>}wQJ(yinysyBfB3M~AD)DhbIO#_!zo3tC4^~94K_&mX*IrRwqXSNmCbF{PAQQ`dU zK|M0V1PNz?MTVz2TizeXqjWL%{yfE0nUSelhfML4m4rLLEA1LiJj1o^hk!;=0ZbK^ zQb2g)@Iarf2c);!9`U<@te(LBp{w=KJ8^TO+yv=nRPVC(G=2=}i3C6;Hu0gIS2p$W z$3G`4&9>*7Ax6GOKPL;kol6Sm7(Ip3c~&LPWDa_q_=Po?QV$ zU5sxDaG(53O=ZmnKU|pues(HN4ZuWuB&beR5*sBd7RUIE>SWSJ;CA>UA9{1AdvKoq zDxeEn^5#qg2S0FcH~^d)4#4Z8$$O&y7|Sw|cpO+9+OwVQ`hV>R4O|e#vJjV9@aDAE z8*C0u04{yXTdkLVp6l=5nF1_XIs?GfavxBwxHZcR*}fO{+h_$n1Z(?^KR!Bh9QGQ8z98WR6Mtr7}WU+Xg2DVfjm(+PcA$vHmfpdgr z%dyfnqJbzjUUikgpH#N{E{ihDGJ7Ye8ve%2u<&?MbjOKZh7)abFh zlqd^th^Fa}_I9XS3|)k@R(P#5O8H_rqF3oixD#e`S~@k~&e1#Tk%bd#$=r*00S~BQ zcu*$Uq!kD?3FN(qE=Tt-%cm&6G`Kt+f9U?n2|5Cd9<;(i=<0(3N<9XtWio_>@-W!( zA*tg5v7OAU!235$;4yg~jrtW*+;L7N@TdkzwC%dnrXM*6Nc{R}0ZMd%~}*z8s}7~ih4PT5AaJ(I;0 z3dza1)Qi67zjhZf@nWO!oaJ^_G3G?eq9oQB-Q_Ob01zxGdt_Yh;9n|B9M=z$UXIf^ z&3LQbXavX%-w0|}fpP9yV9Y0%kqL>O4VivDk);hdUor?7D#v!MkJCqkZW_oM8mjQi zu4r&veB_(IbcyPf5dL-UKqRY(LZj6&Nny%$Q7J_}XW1!XvWYq-3M28~Pn}OhY&AO6 zDJ!E_g=%MeVWqZLH_S4*O?>b|dApq<^8kD@jN%EkSJsFX=gTToWcj?M1rl1e03_V& zpP}Pae0Cw#oGq79GOCX>JZoC%7(RogK1^#lJ8-`6A-IF!hVA((cU|=&4c7e7e0dTx z-p!!i`;_v7q3(w1C>K6}imQSrQGxW05Q-|hRAPUMJk;T?n0%$Lg&ut@WR0L*4L#s* z6$j_u{&(}k5$2s-LR!0UyYOv;0>V3x-Sc1Sw(o-V{+-77b-B}_N1{cWMmfj6z1L4 z*LixMJ`g1k(%_IDbGSx~^07RJ>>hW=T_MK3`jok!UuzF@Kp?j5w*CV7WfK4RvKnAP zVIjAVyr_o~rF#CRV9kN_YHyw0`NC$Xh1i(gIZ#kOBH{UAG_Z|;kP{vikCaQ?C6xc*=WD-l>;M8Dh8*8b z;H#Ld|3&3rGsF;rUFR?xbjW~WfOcxyx>e(st8a&6X`sj2;zIO_r&%iJAFaACuIjuq z@pWd5OFh2>&*^Cv3p^R-^u@6(6?v^Wj|DcOgW_{dAYBa12L*k(QEFhUi5&K3?Imw@ z26DNqYVDVc0@%a}h_GS`p-nGYkjrVx=Ge&C7tn13hQ4uJveF+CjE-$W46rSU`WD 
zf^4dl6~v*rk5M*BS&28OfWH8IMt%3VII>*AleqU2a6a&!nI}em*SkO81Yx{O*q3@WC9}&H z8UMDlov8>;$NY+rh=nSELUOF}T0{EmT7W6SwErvZ!K^l zgQvX_iyR~!n5(-*WWG*lI{+o}$C)(S9|8R4f)V|Z;{`C7Wy@+b8B9|!WCU0a@#69) zUsfcZ$GOnrE;Uv<2;e+ld%dyZaqxTIvrR=aZ;=REf_nV%-!}aM09%|Tpx^;uFS?8V z=BKGY-rqE!MOU`n6k8<72ONT@=lUX!1Avh*W^^yd3J}$b4!T(s+Yo`1>KWnFPc(k0Gi|KVXiirCXD3q}H|S%7UC#>(BtEr|*S4d}xtm9@-0nq1QFI zg*5nquQuV4aZ78gT-ewEqej?0h#F6TF`*fgVZ_rL^T~soc+vuL>}knj(C&kUQ4t&m zdjlqe_{zf<1ML^iD?M--8u*}M?WX45N3dcn=1??!|8{N$OVb?ue(LVh=wDsC(*L~% zVAIvj34O%irihi)IMQAuvbfxBF**W};&eAe`2iESDB>sTf0;jUmjton)m;R@rajeZ zxpLhKG^f;fuIWXz03Ha+e|aGPy!0&v>}2-cks5z5Nr10`YYl!s9ME`az}1}sCID)W zqRLczoC@Z0YO`lJ;Tmwp$N%s5x+%3?-6O#Vo>_PFV8J`&9desTCTj|ywMk5QdOgsX z%XAF$An@IGLEg^rZ`U3mSHevm{i{nr{+cFmCB^^Z(l}jsC%8^;4Lq5=X*Vv1e--?5Y5ZBz|9oP1{=8TJ{9y{=uS*o!stCz- UcYff%c" block for - the directory. This can be used to select different - authentication behaviors in different directories. It is - undefined if there is no "AuthExternalContext" directive. - - IP the client's ip-address. - - HOST the host name corresponding to IP, if Apache has - "HostnameLookups On". - - PATH the httpd's path environment variable. - - COOKIE all cookie values passed in by the client. - - HTTP_HOST the server's host name, as given in the HTTP request. May - be useful if you have multiple virtual hosts sharing an - authenticator. - - URI the document requested. This is the URL including any extra - path information, but not including the hostname or any CGI - arguments. - - These may be useful for logging, or you may want to accept logins from - certain users only if they are connecting from certain locations or requesting - certain documents. - - Note that if you have configured Apache with "HostnameLookups Off" then HOST - will usually not be set. If you really want hostnames, either turn on - HostnameLookups or do your own gethostbyaddr() calls from the authenticator - when HOST is not defined. 
Note that if the user is coming from an - unresolvable IP, then hostname lookups can be very slow. - - Note that using IP addresses to track a user through your site is not - reliable. Users of services like AOL and WebTV use proxy servers, so that - their IP addresses appear to change constantly since each request may come - through a different proxy. A single user's requests for successive pages, - or for different images on the same page may all come from different IP - addresses. - - The PATH environment variable passed to the authenticator is just whatever - PATH was in effect when Apache was launched, and may differ if the server - was launched automatically during a reboot or manually by an admin. - Probably your program should set its own PATH if it needs one. - - The COOKIE environment variable contains all cookies set in the current - request. This has the same format as the HTTP_COOKIES ("key=val;key=val") - passed to a CGI program. This should be used with caution. Cookies come - from the user's computer and might have been created, editted or deleted - by the user rather than your website. This severely limits their use for - authentication. It is not possible to set cookies from an authentication - module. - - The URI variable is there because various people want it. Mostly it - is useful not for authentication ("who is this person?") but for access - control ("is this person permitted to do this?"), and good design usually - dictates separating those functions. Strictly speaking, an authenticator - is not the right place to be doing access control. However, - mod_authnz_external is 50% a kludge-builder's tool, so we won't fuss if you - want to break the rules.
diff --git a/mod_authnz_external/CHANGES b/mod_authnz_external/CHANGES
deleted file mode 100644
index 23da9e6..0000000
--- a/mod_authnz_external/CHANGES
+++ /dev/null
@@ -1,345 +0,0 @@ -v3.3.3 (Josef Liska & Micah Andersen - July 22, 2019) ----------------------------------------------- - * Added METHOD environment variable to retrieve the HTTP request method - (e.g. GET, HEAD, POST, OPTIONS, etc.). Thanks to Vijay from Google Code. - * Fixed a bug with incorrect parenthesis grouping when checking the result - of the external process in exec_external(). Thanks to @dcb314. - * Added the "GroupExternalAuthNCheck Off" directive to disable the check - for a previously authenticated user when using *only* the group - authorization module. If you use *any* user authentication module in the - same context, this may be undesirable. Thanks to Micah Andersen/BIMI. - * Fix launching external processes on Windows - many programs require the - %SystemRoot% environment variable to function properly. Thanks to Micah - Andersen/BIMI. - -v3.3.2 (Jan Wolter - Dec 12, 2013) ----------------------------------------------- - * Replaced reference to remote_ip field of the connection record with - useragent_ip, due to the elimination of remote_ip in Apache 2.4.1. Thanks - to davidsansome and cjwatson for pointing out the need for this. - * Fixed a bug with setting of GROUP environment variable. Thanks to - ddarbyson for reporting this, and Guoan Hu for posting the fix. - * Added test/test.pipe.php, a PHP version of test/test.pipe contributed - by Claus Andersen. - * Spelling fixes (as seen on lintian.debian.org). Thanks to klemens/ka7. - * Fixed Windows build by defining out Unix-specific signal code. Thanks - to Michal Pokorny . - -v3.3.1 (Jan Wolter - Oct 12, 2011) ----------------------------------------------- - * Deleted most of the sample authenticators from the distribution. They - are mostly old and crufty or available elsewhere. No need to clutter - the main distribution with them. - * Added code to support caching authentications with mod_authn_socache. - This is enabled by the "AuthExternalProvideCache On" directive. 
This - feature should be considered experimental, since mod_authn_socache still - seems buggy and it's interface may not have been finalized. - -v3.3.0 (Jan Wolter - Oct 6, 2011) ----------------------------------------------- - * Revised to work with Apache 2.3 / 2.4. Will not work with previous Apache - versions. - * Deleted 'GroupExternalAuthoritative' and 'AuthzExternalAuthoritative' - directives which are obsolete. - * Deleted 'GroupExternalError' directive which is superseded by Apache's - 'AuthzSendForbiddenOnFailure' directive. - -v3.2.6 (Jan Wolter - Oct 6, 2011) ------------------------------------------------ - * Modified parsing of "Require groups" line so that you can have group - names that include spaces by enclosing them in quotes. This change - suggested by David Homborg. - * Default action of Makefile changed to "build" not "install". - * Corrected an exploitable SQL injection flaw in the sample mysql - authenticator. - * Add references to version 3.3.x to documentation. - -v3.2.5 (Jan Wolter - Oct 29, 2009) ------------------------------------------------ - * Fixed a bug introduced in 3.2.0 in which data for checkpassword-type - authenticators is written to the authenticator's stdin instead of stderr. - -v3.2.4 (Jan Wolter - May 20, 2009) ------------------------------------------------ - * Dropped the radius code from the distribution, because of possible problems - with it's license. Thanks to Hai Zaar for pointing out this problem. - * Modified AuthExternal directive to be able to take more than one - authenticator name. If more than one is defined, then each authenticator - is run in turn, until one succeeds or all have failed. Probably a similar - change should be made to GroupExternal, but it hasn't been done yet because - it's a more complex change and nobody has asked for it. Thanks to Andreas - Ntaflos for suggesting this change. - * Inserted code to restore SIGCHLD to default before running the - authenticator. 
Sometime other modules (like php built with the - --enable-sigchild option) leave SIGCHLD messed up, which would cause - problems with getting the return code back from authenticators. We - restore SIGCHLD to whatever state it was in originally after the - authenticator terminates. Thanks to Stefan Mehlhorn for reporting this - problem and providing the help needed to diagnose it. - * Clean-up of handling of return codes from apr_proc_wait() to be more - formally correct. - -v3.2.3 (Jan Wolter - Feb 26, 2009) ------------------------------------------------ - * Added GroupExternalError directive, which allows you to specify the - HTTP error code to be returned if the group access check fails. - Default is 401, but you may want to return 403 if you want to show the - user an error page instead of asking him to login again. Thanks to - Peter Crawshaw for this patch. - * In hopes of getting to a more consistently named set of directives, - added new aliases for two old directives: - GroupExternalAuthoritative alias for AuthzExternalAuthoritative - GroupExternalManyAtOnce alias for AuthExternalGroupsAtOnce - Documentation updated to refer primarily to the new names. - -v3.2.2 (Jan Wolter - Dec 1, 2008) ------------------------------------------------ - THIS RELEASE UPDATES DOCUMENTATION ONLY! - * Improved documentation of AuthExternalContext directive in the INSTALL - file. - * Added documentation to the UPGRADE file on interactions between multiple - Require directives. - -v3.2.1 (Jan Wolter - Jul 31, 2008) ------------------------------------------------ - * Added AuthExternalContext directive, which defines a string that will be - passed to the authenticator in the CONTEXT environment variable. This can - be set from the .htaccess file or the block to give slightly - different behavior from the same authenticator in different directories. - Thanks to Olivier Thauvin for this patch. 
- -v3.2.0 (Jan Wolter - Jan 7, 2007) ------------------------------------------------ - * Rewrite external authenticator launching code to use Apache's cross-OS - process/thread library instead of directly calling Unix functions. - Theoretically this should get us much closer to being usable on non- - Unix platforms. - * Support alternate syntax for configuration, using DefineAuthExternal and - DefineAuthGroup commands. - * More detailed error logging. - * Much cleanup of documentation. - -v3.1.0 (Jan Wolter - Feb 17, 2006) ------------------------------------------------ - * New authn/authz version for Apache 2.2. - * Renamed from "mod_auth_external" to "mod_authnz_external" to agree - with new module naming conventions. - * The more secure "pipe" method is now the default, instead of the old - insecure "environment" method. - * Eliminated "AuthExternalAuthoritative" directive. Instead use - "AuthBasicAuthoritative" for authentication and "AuthzExternalAuthoritative" - for access control. - * Substantially rewritten to function as an authentication provider for - mod_auth_basic instead of a stand-alone authentication module. - * Eliminated duplication of documentation inside mod_authnz_external.c file. - * Addition of UPGRADE document, and update of all other documentation. - * Normalization of many variable names and other clean up of code. - -v2.2.10 (Jan Wolter - Sep 29, 2005) ------------------------------------------------ - * Renamed module from "external_auth_module" to "auth_external_module". This - seems to be what is wanted for static linking. - -v2.2.9 (Jan Wolter - Sep 25, 2004) ------------------------------------------------ - * Small corrections to 2.0 defines, thanks to Guenter Knauf . - * Pwauth removed from this package. It is now distributed separately. - -v2.2.8 (Jan Wolter - Jun 30, 2004) ------------------------------------------------ - * Trivial documentation improvement. 
- * Clarification of docomentation on use of pwauth options UNIX_LASTLOG, - FAILLOG_JFH, and MIN_UNIX_UID with PAM. - -v2.2.7 (Jan Wolter - Oct 23, 2003) ------------------------------------------------ - * Pwauth gains IGNORE_CASE and DOMAIN_AWARE options, both aimed at making - work more easily for those used to authentication in Microsoft environments. - Thanks to Peter Eggimann for these enhancemen - * Fix one bit of remaining Apache 1.3 api inside HARDCODE block. - * Grammar corrections in AUTHENTICATORS file. - -v2.2.6 (Jan Wolter - Aug 14, 2003) ------------------------------------------------ - * Minor improvements to debugging notes in the INSTALL document. - -v2.2.5 (Jan Wolter - Jul 11, 2003) ------------------------------------------------ - * Pass local hostname (or virtual hostname) to authenticator in HTTP_HOST - environment variable. Thanks to Steve Horan for - submitting this modification. - -v2.2.4 (Jan Wolter - Jan 12, 2003) ------------------------------------------------ - * Documentation updates for OpenBSD and minor OpenBSD portability fixes to - pwauth. - -v2.2.3 (Jan Wolter - Oct 21, 2002) ------------------------------------------------ - * More update of installation instructions. Thanks to Sven Koch - and Joshua Polterock . - -v2.2.2 (Jan Wolter - Oct 14, 2002) ------------------------------------------------ - * Partial update of installation instructions. - -v2.2.1 (Jan Wolter - Jun 24, 2002) ------------------------------------------------ - * Corrected undefined symbol in _HARDCODE_ option. Thanks to Phil - Benchoff . - -v2.2.0 (Dave Woolaway, Sven Koch & Jan Wolter - Jun 22, 2002) --------------------------------------------------------------- - * Ported to work with Apache 2.0.28 by Dave Woolaway - * Independently ported to work with Apache 2.0.39 by Sven Koch - - * Version merger and insufficient documentation updates by Jan Wolter. 
- -v2.1.15 (Jan Wolter - Jan 22, 2002) ------------------------------------ - * Added MySQL-auth to distribution. Contributed by Anders Nordby - . - -v2.1.14 (Jan Wolter - Jan 1, 2002) ------------------------------------ - * Minor clarification to documentation on virtual hosts. - * Minor update of description of pwauth in README file. - * Correction of AIX compilation instructions. Thanks to Mathieu Legare - for this. - * Fixed name of GROUP environment variable in pwauth/unixgroup script. Thanks - to Jeroen Roodnat for pointing this out. - -v2.1.13 (Jan Wolter - Jul 31, 2001) ------------------------------------ - * Pass AUTHTYPE environment variable to external authenticator. This is - PASS if we are doing password authentication, GROUP if we are doing group - authentication, so the same authentication program can easily be used to - do both. Thanks to Dan Thibadeau for this. - * pwauth can now be configured to work for more than one UID. - * pwauth/FORM_AUTH updated to discuss suExec. - -v2.1.12 (Jan Wolter - Jul 9, 2001) ------------------------------------ - * Fixed erroneous variable names in _HARDCODE_ stuff. Thanks to Phil - Benchoff for this fix. - * Added pwauth/unixgroup, a simple perl unix group authenticator. Hope to - replace this with a better solution someday. - -v2.1.11 (Jan Wolter - Apr 25, 2001) ------------------------------------ - * Arguments may now be specified for authenticators on the AddAuthExternal - command. The whole command must be in quotes, no shell meta characters - may be used, and there is a limit of 32 arguments. - * Support for the checkpassword protocol, allowing use of checkpassword - compatible authenticators. Thanks go to Matthew Kirkwood - for submitting patches for this. - * Mod_auth_external now passes the URI environment variable to all - authenticators, giving the URL of the requested page minus hostname, - and CGI arguments. 
Thanks to Charles Clancy - and Niall Daley for independently submitting similar - patches for this. - * Fixed a possible buffer overflow problem in the HARDCODE section. This - is unlikely to have been an exploitable security problem but could - cause a crash in rare circumstances. Thanks go to Bradley S. Huffman - for pointing this out. - * Example programs in test directory log command-line arguments. - -v2.1.10 (Jan Wolter - Jan 9, 2001) ----------------------------------- - * Fix a pwauth bug that could cause segmentation faults when compiled with - the ENV_METHOD option. - * Add documentation on how to use pwauth for form authentication. - * Clarify documentation on configuration for SSL servers. - -v2.1.9 (Jan Wolter - Jul 7, 2000) ----------------------------------- - * Correct documentation to reflect the fact that Solaris *does* have a ps - command that displays environment variables. Thanks to Piotr Klaban - for pointing this out. - -v2.1.8 (Jan Wolter - May 3, 2000) ----------------------------------- - * By default, pass all group names at once to group authenticators. To get - old one-group-at-a-time behavior back, use the new directive - "AuthExternalGroupsAtOnce off". This modification contributed by - Rudi Heitbaum . Thanks. - -v2.1.7 (Jan Wolter - Apr 3, 2000) ----------------------------------- - * Pass COOKIE environment variable to authenticator with cookies from current - request. Is this a good idea? - * Added rather dubious HP-UX support to pwauth. Untested. - -v2.1.6 (Jan Wolter - Mar 23, 2000) ----------------------------------- - * Added documentation about installing as a dynamically loaded module. - * Added documentation about "AddModule" command for RedHat installs. - * Lots of other small documentation improvements. - -v2.1.5 (Jan Wolter - Jan 6, 2000) ----------------------------------- - * Improved documentation on writing authenticators. 
- -v2.1.4 (Jan Wolter - Jan 4, 2000) ----------------------------------- - * Oops, PAM support in v2.1.3 didn't work after all. Many fixes, including - Work-around for Solaris 2.6 appdata_ptr=NULL bug. Huge thanks again to - Peter Arnold for help with testing. - * Generate compile-time error if Apache version is older than 1.3.1 - * Better code to get lastlog path for pwauth. - -v2.1.3 (Jan Wolter - Dec 17, 1999) ----------------------------------- - * AuthExternalAuthoritative directive added. This code contributed by Mike - Burns (burns@cac.psu.edu). - * Testing of PAM support in pwauth under Solaris 2.6 by Peter Arnold - . - * Many clarifications to install manual and other documentation. - -v2.1.2 beta (Jan Wolter - Jun 28, 1999) ----------------------------------- -PAM support and minor bug fixes. PAM support in pwauth is based on code -contributed by Karyl Stein (xenon313@arbornet.org). Not been fully tested. - -v2.1.1 (Jan Wolter - Mar 10, 1999) ----------------------------------- -Various small enhancements making better use of Apache API. - - * Better memory management, eliminating all use of fixed sized arrays. - * Child process calls ap_cleanup_for_exec() to close any resources (file - descriptors, etc) left open in the pools. - * Cleanup of error messages. - - -v2.1.0 (Jan Wolter - Mar 5, 1999) ---------------------------------- -Significant rewrite, rolling in changes from various divergent versions -and a number of bug fixes, and small enhancements. Changes include: - - * Better checking against overflow of various fixed sized arrays. (There was - already some protection, so there probably wasn't a big security problem - here.) - * Set environment variables in child process, not parent process. This - prevents them from being inherited by future spawned children. - * Check WIFEXITED before acceping WEXITSTATUS. - * Elimination of memory leak in strdup() calls. - * Check return code from pipe(). 
- * Don't close standard output on child process, instead direct it to error - log file, just like stderr. - * Don't use system() calls. Instead do direct execl() for faster launch - and better security. - * In pipe method, the "user=" and "pass=" tags are no longer given on the - login and password line. - * Pipe method is supported for group authenticators as well as user - authenticators. - * ip-address and host-name are made available to authenticator in IP and HOST - environment variables. - * Updated and expanded comments up front. - - -v2.0.1 (Tyler Allison) ----------------------- -I received a patch update to mod_auth_external v2.0 that supposedly fixes some -pipe related bugs. I do not have a program that uses pipes so I can not test -it myself. I have included the original v2.0 with no patch applied that you -should use if you run into problems and you DO NOT need pipe support.
diff --git a/mod_authnz_external/CONTRIBUTORS b/mod_authnz_external/CONTRIBUTORS
deleted file mode 100644
index 1bdec85..0000000
--- a/mod_authnz_external/CONTRIBUTORS
+++ /dev/null
@@ -1,52 +0,0 @@ - -mod_authnz_external is based on code from the following sources: ------------------------------------------------------------------- - - * Original author: Nathan Neulinger (nneul@umr.edu) - * Based on code from The Apache Group - - * Previous maintainers: - -------------------------------------------------- - Tyler Allison (allison@nas.nasa.gov) - Jan Wolter (unixpapa.com) - - * Past contributors (from CHANGES): - -------------------------------------------------- - Various unnamed contributors - Karyl Stein (xenon313@arbornet.org) - Peter Arnold (PJArnold@uq.net.au) - Mike Burns (burns@cac.psu.edu) - Rudi Heitbaum (rudi@darx.com) - Piotr Klaban (makler@oryl.man.torun.pl) - Bradley S. Huffman (hip@a.cs.okstate.edu) - Niall Daley (niall@neoworks.com) - Charles Clancy (mgrtcc@cs.rose-hulman.edu) - Matthew Kirkwood (matthew@dev.sportingbet.com) - Phil Benchoff (benchoff@vt.edu) - Dan Thibadeau (dan_thibadeau@hp.com) - Jeroen Roodnat (jroodnat@xs4all.nl) - Mathieu Legare (legare@uqtr.ca) - Anders Nordby (anders@fix.no) - Sven Koch (haegar@sdinet.de) - Dave Woolaway (dave@watersheep.org) - Joshua PolterocK (joshuap@sdsc.edu) - Steve Horan (sjh-mae@horan.net.au) - Peter Eggimann (egp@zhwin.ch) - Guenter Knauf (gk@gknw.de) - Olivier Thauvin (nanardon at mandriva dot org) - Peter Crawshaw (pcrawshaw@mta.ca) - Stefan Mehlhorn - Andreas Ntaflos - Hai Zaar - David Homborg - Claus Andersen - ddarbyson - Guoan Hu - davidsansome - cjwatson - Vijay - dcb314 - Michal Pokorny (agentydragon@gmail.com) - klemens/ka7 - Josef Liska (josef.liska@virtualmaster.com) - Micah Andersen/Baptist International Missions, Inc. (micah@bimi.org)
diff --git a/mod_authnz_external/INSTALL b/mod_authnz_external/INSTALL
deleted file mode 100644
index 9a93790..0000000
--- a/mod_authnz_external/INSTALL
+++ /dev/null
@@ -1,699 +0,0 @@ - How To Install mod_authnz_external.c - Version 3.3.x - -NOTES: - - * If you want to use the HARDCODE function option follow the instructions - in the INSTALL.HARDCODE file in this directory before following these - instructions. - - * These instructions are for Apache version 2.4. This version of - mod_authnz_external will not work with older versions of Apache. - Other versions are available for different releases of Apache: - - Apache 1.3 mod_auth_external-2.1.x - Apache 2.0 mod_auth_external-2.2.x - Apache 2.2 mod_authnz_external-3.1.x or mod_authnz_external-3.2.x - Apache 2.4 mod_authnz_external-3.3.x - - You can check your apache version by running it from the command line - with the -v flag. - - * If you are upgrading from mod_auth_external to mod_authnz_external, - read the UPGRADE file. - - * Starting with version 3.2.x, mod_authnz_external is designed to work - on any platform supported by Apache. Previous versions were Unix-only. - So mod_authnz_external might work on Windows, but the author doesn't - really do Windows development and doesn't even own a Windows C compiler. - So it has not been tested at all, no pre-compiled Windows code is available, - and there are no installation instructions for non-Unix platforms. If - you figure any of this out, please consider contributing your findings. - - * Originally, mod_auth_external was a stand-alone module. However a new - authentication module structure was introduced in Apache-2.1, where - mod_auth_basic and mod_auth_digest are the only top-level authentication - modules. All other authentication modules simply provide authentication - services to these modules, and have names starting with "mod_authn_" for - authentication modules, or "mod_authz_" for access control modules, or - "mod_authnz_" for modules that provide both services. Mod_Authnz_External - is designed to fit into this new structure. 
It has essentially the same - features as mod_auth_external, but there are differences in the - configuration commands. It should be noted that it is still possible to - use older-style independent authentication modules in Apache 2.2, and - mod_auth_external-2.2.x can be made to work with only a little difficulty - arising from mod_auth_basic's reluctance to be turned off. See the - mod_auth_external INSTALL document for information on using it with - Apache 2.2 - - * Do not, however, install both mod_auth_external and mod_authnz_external - in your httpd. I don't know what exactly would happen, but it won't be - good. - - * There are two ways of installing mod_authnz_external on a Unix system. - - (1) You can statically link it with Apache. This requires rebuilding - Apache in such a way that mod_authnz_external will be compiled in. - Nobody does this anymore. - - (2) You can make mod_authnz_external a dynamically loaded module. If - your Apache has been built to support dynamically loaded modules - you can do this without rebuilding Apache, so it is pretty easy. - Performance may be slightly worse with this option. For information - on dynamically loaded modules see http://www.apache.org/docs/dso.html - - Instructions for both options are given here. The dynamic loading - option will probably be preferred on virtually all modern installations. - - * There is also documentation in the README file and in the AUTHENTICATORS - file. If you find this document unclear, reading those may help. - - -INSTALL METHOD A: Dynamically Linking Mod_auth_external using apxs: -------------------------------------------------------------------- - -Step 1: - Ensure that your Apache server is configured to handle dynamically - loaded modules. To check this, run Apache server with the -l command - flag, like - - httpd -l - - If mod_so.c is one of the compiled-in modules, then you are ready - to go. 
Note that some installations may give the http daemon different - names, like 'apache' or 'httpd2'. Some may have multiple copies of - apache sitting in different directories. Be sure you looking at the - one that is being run. - -Step 2: - Compile the module using the following command in the - mod_authnz_external distribution directory: - - apxs -c mod_authnz_external.c - - 'Apxs' is the Apache extension tool. It is part of the standard - Apache distribution. If you don't have it, then there may be a - Apache development package that needs to be installed on your system, - or your Apache server may not be set up for handling dynamically - loaded modules. Some systems rename it weirdly, like 'apxs2' in - some openSUSE distributions. - - Apxs should create a file named 'mod_authnz_external.so'. - - AIX Note: For Apache 1.3 on AIX the 'apxs' command compiled - mod_authnz_external.c into mod_authnz_external.o correctly, but - generation of the shared library file failed with a message like - "No csects or exported symbols have been saved." We don't know - if this still happens with Apache 2.0. If it does happen, the - fix under Apache 1.3 was to create a file in the current - directory named mod_authnz_external.exp which contained the two - lines below: - - #! mod_authnz_external.o - authnz_external_module - - Then run - - apxs -c mod_authnz_external.c -bE:mod_authnz_external.exp - -Step 3: - Install the module. Apxs can do this for you too. Do the following - command (as root so you can write to Apache's directories and config - files): - - apxs -i -a mod_authnz_external.la - - This will create mod_authnz_external.so and copy it into the proper - place, and add appropriate AddModule and LoadModule commands to the - configuration files. (Actually, it may get the LoadModule command - wrong. See below.) - -Step 4: - Go to the CONFIGURATION instructions below. 
- - -INSTALL METHOD B: Statically Linking ------------------------------------- - -Step 1: - Read the instructions on how to configure the Apache server in the - INSTALL file provided with the Apache source. - -Step 2: - When you run the ./configure script, include an --with-module flag, - giving the full pathname to the mod_authnz_external.c file in this - distribution. For example, if you have unpacked this distribution - in /usr/local/src/mod_authnz_external and are building Apache for - installation in /usr/local/apache, you might do: - - ./configure --prefix=/usr/local/apache \ - --with-module=aaa:/usr/local/src/mod_authnz_external/mod_authnz_external.c - - This will copy the mod_authnz_external.c file into the correct place in - the Apache source tree and set things up to link it in. - -Step 3: - Type "make" to compile Apache and "make install" to install it. - -Step 4: - Go to the CONFIGURATION instructions below. - - -CONFIGURATION: --------------- - -There are three parts to doing the configuration. First, if you are using -dynamic loading, you need to configure Apache to load the mod_authnz_external -module. If 'apxs' is working correctly, it should do this for you -automatically, but it doesn't always. - -Second you define the external program and communication method to use in -your httpd.conf file, identifying them with a keyword. - -Finally you set up specific directories to use that authenticator, referencing -it by keyword. - -These instructions talk about editing the "httpd.conf" file, as it appears in -the standard Apache distributions. In many version of Linux, however, this -file will actually just include a lot of other configuration files, some of -which may be automatically generated by various GUI configuration tools. I -include notes on some of these variations that I have encountered, but you -may need to do some of your own figuring to find out how to adapt these -instructions to your server configuration. 
- -(1) Configuring Module Loading: - - This step is only required if you are using dynamic loading. In theory, - apxs will have done it for you. If you are trustful, you can skip ahead - to step 2 and only come back to this if things don't seem to be working. - In cases where you are using multiple non-authoritative authenticators - you'll probably want to check this manually, even if apxs works right, to - ensure that the modules are loaded (and thus envoked) in the desired order. - - (a) First, you should make sure that there is a proper "LoadModule" - command in the httpd.conf file. This should have been put there - by 'apxs' but, some older Linux distributions, like Redhat 6.1, - messed it up. Basically, the 'LoadModule' command should look a - lot like all the other LoadModule commands. Something like - - LoadModule authnz_external_module modules/mod_authnz_external.so - - where the second part is the path from Apache's root directory - to the location where the module was stored by apxs. - - Make sure that apxs didn't put this directive inside any inappropriate - directives, as some Redhat versions have done in the past. - - If you previously had mod_authnz_external or mod_auth_external - installed and are installing a new version, you may have more than - one LoadModule command into httpd.conf. You only need one. Get rid - of the old ones. - - (b) Check you httpd.conf file to see if there is a "ClearModuleList" - command. If this exists, then you need to add a command like: - - AddModule mod_authnz_external.c - - somewhere below "ClearModuleList" command (probably somewhere among - the dozens of other AddModule commands). If you used 'apxs' to - install mod_authnz_external, then this should already be done, but - it may again be stashed in an inappropriate . - - The standard Apache configuration files don't have a "ClearModuleList" - command and don't need an "AddModule" command. However the standard - RedHat configuration files, among others, do. 
- -(2) Configurating the External Authenticator - - In this section we insert commands into httpd.conf that will be run when - Apache starts up to tell Apache where your external authenticators are - and how to communicate with them. - - It is possible to configure several different external authenticators - into Apache. For each one you need to configure a name, a method - of communicating with authenticator, and the location of the - authenticator. - - The structure of Apache httpd.conf differs widely on different systems. - The notes below on where to put configuration commands assume that you - have something close to a straight apache install, but you probably - don't. Very likely there will be comments in your httpd.conf file that - tell you where to put local configuration. - - If you are using virtual hosts, put these commands at the end of the - appropriate block. The declarations must be *inside* - the block to work for a virtual host. They are not - inherited from the primary host to the virtual hosts. Note that most - Apache SSL servers are set up as virtual hosts, so you'll probably - need to put these definitions in the block for use with - an SSL server. - - Otherwise, just put them anywhere (just before the Virtual Hosts - section of the standard Apache config file might make the most sense). - - Two different command syntaxes are supported in mod_authnz_external. - One that is compatible with older releases, and one that is a bit - more compact, using one command instead of two. - - (a) For External Authentication Programs: - - New-Style Syntax: - - DefineExternalAuth - - Old-Style Syntax: - - AddExternalAuth - SetExternalAuthMethod - - is some name you choose. You can configure multiple - different external authenticators by using different keywords for them. - - defines how the login and password are passed to the - external authenticator. The only values that do anything are: - - pipe read newline-terminated strings from stdin. 
(default) - environment get args from environment variables. - checkpassword read null-terminated strings from file descriptor 3. - function internal authenticator called as function. - - Pipe is the default. Environment used to be the default but it is - insecure on some versions of Unix. See the README file. - - tells where to find the authenticator. It's syntax varies - somewhat by method (which is why we introduced the new syntax - to - keep it closer to the method declaration): - - For "pipe", "environment", and "checkpassword" methods: - - is the full path where you installed your external - authentication program, like "/usr/local/bin/auth_check". - It always starts with a slash. If you put it in quotes, you - can include command-line arguments, but these arguments won't - be processed by a shell, so you can't use wildcards or I/O - redirects or anything like that. (If you need shell processing - of arguments, write an sh-script wrapper for your authenticator, - and put the path to that here.) - - For the "function" method: - - is a string like ":". The part - is a string that can be used to select from multiple internal - functions. is a string passed to that function and is - typically used as config file path. The ":" is required even if - the is an empty string. - - In the old-style syntax, the path declaration should always precede - the method declaration, and the method declaration can be omitted if - you want the default. - - Here are some examples. 
We give old style syntax only for the first - example, but it can be used in all cases: - - * For external authentication programs using a pipe: - - DefineExternalAuth archive_auth pipe /usr/local/bin/authcheck - - - or - - - AddExternalAuth archive_auth /usr/local/bin/authcheck - SetExternalAuthMethod archive_auth pipe - - * For external authentication programs using environment variables: - - DefineExternalAuth archive_auth environment /usr/local/bin/authcheck - - * For external authenticators using the checkpassword protocol: - - DefineExternalAuth archive_auth checkpassword "/bin/checkpassword /bin/true" - - * For HARDCODE functions with a configuration file: - - DefineExternalAuth archive_auth function RADIUS:/usr/local/raddb - - * For HARDCODE functions with no configuration file: - - DefineExternalAuth function archive_auth RADIUS: - - (b) For External Group-Checking Programs: - - If you want to use an external program to do group checking, add one - of the following to your server's httpd.conf. - - New-Style Syntax: - - DefineExternalGroup - - Old-Style Syntax: - - AddExternalGroup - SetExternalGroupMethod - - is some name you choose to identify this particular - group checking method. The keywords for login authenticators and - group authenticators are separate name spaces, so it doesn't matter - if these keywords match any you defined with DefineExternalAuth or - AddExternalAuth - - defines how the login and group names are passed to the - external authenticator. Legal values are: - - pipe - authenticator reads data from standard input. - environment - authenticator gets data from environment variables. - - Pipe is the default. Environment used to be the default in older - versions. The "checkpassword" keyword also works, but doesn't - really make a lot of sense since there are no checkpassword - authenticators for groups. 
- - Examples: - - * For external authentication programs using a pipe: - - DefineExternalGroup archive_group pipe /usr/local/bin/grpcheck - - - or - - - AddExternalGroup archive_group /usr/local/bin/grpcheck - SetExternalGroupMethod archive_group pipe - - * For external group check programs using environment variables: - - DefineExternalGroup archive_group environment /usr/local/bin/grpcheck - -(3) Configuring Web Pages to Use Authentication - - For any directory you want to protect, you need either a .htaccess file - in the directory or a block for the directory in your - httpd.conf file. - - Note that for .htaccess files to work, you must specify "AllowOverride - AuthConfig" in the httpd.conf file for any directories they appear - under. As distributed, Apache sets "AllowOverride None" for most - directories. If this is not changed, .htaccess files will be ignored. - - * EXTERNAL PASSWORD CHECKING: - - For normal user authentication, the following directives should be in - the .htaccess file or block: - - AuthType Basic - AuthName - AuthBasicProvider external - AuthExternal - Require valid-user - - Here identifies what we are authenticating for - it usually - appears in the browser's pop-up login window. matches a - keyword you defined with DefineExternalAuth or AddExternalAuth in step 2. - - If you only want some users to have access to the directory, as opposed - to all valid users, you can list the users on the "require" line, - changing it to: - - Require user ... - - Or if you want to allow only user's whose login name matches the - login name of the unix user who owns the file being accessed, you - can say (assuming you have mod_authz_owner installed): - - Require file-owner - - It is possible to list more than one authenticator on the AuthExternal - command: - - AuthExternal ... - - Here each keyword should match an authenticator defined with the - DefineExternalAuth command. 
If the first authenticator fails, then - the second one will be run, and so on, until either one authenticator - accepts the user's login/password combination or all reject it. - - * EXTERNAL GROUP CHECKING: - - If you want to use the external group check program to allow only - users in a given group to have access, you could do: - - AuthType Basic - AuthName - AuthBasicProvider external - AuthExternal - GroupExternal - Require external-group ... - - Here matches a name you defined with with the - DefineExternalGroup or AddExternalGroup command in step 2. - - Normally if you have multiple group names on your "Require group" - command, then the group checker will be run only once, passing it the - whole space-separated list of groups. Some older group checking - programs may only be able to handle one group name at a time. So if - you want the group checker to be run once for each group name, you can - add the directive: - - GroupExternalManyAtOnce off - - If you have GroupExternalManyAtOnce turned off, then you can have - spaces in your group names by enclosing the names in quote marks. - If it is on, then all parsing of the group name list is up to your - authenticator. - - If, instead of listing group names, you want to allow access only - to users whose group name (as determined by whatever group database - your external group checker uses) matches the unix group name that - owns the file being accessed, you can configure an external group - checker and then install mod_authz_owner and do: - - Require external-file-group - - The GroupExternal directive cannot (yet?) be used with multiple external - authenticators. - - * USE WITH MOD_AUTHN_SOCACHE - - Mod_authnz_external version 3.3.1 and later can be used with the - Apache mod_authn_socache module, which caches authentications. 
If - you do this, then after a successful authentication, mod_socache - will remember the user for a settable time (5 minutes by default) - and not rerun the external authenticator again to check their password - until after the timeout. This can be a very substantial performance - improvement. - - It can also be a very substantial security problem. One common use of - mod_authnz_external is to authenticate from databases that are not readable - by Apache, and should not be. For example, if you are authenticating out - of the a unix password file with pwauth, you don't want make the password - file readable to Apache because then an Apache bug would risk exposing - your entire password file to the net. But if you turn on caching with - mod_authn_socache, then the cache it builds up is essentially an - Apache-readable copy of the most sensitive data from your password file. - With some settings, it may even be stored on disk rather than on memory. - The only good thing you can say for it is that all the passwords in that - cache will be encrypted (even if you are dopey enough not to encrypt them - in your actual password database). But encryption is a pretty weak - defense all by itself. - - So using mod_authnz_external with mod_authn_socache might be dumb, but, - what the heck, when have we passed up a chance to give you more rope to - hang yourself with? - - One note: normally when you use mod_authn_socache with one of the standard - Apache modules, a cache entry is created everytime it looks up a user's - password in the database, even if the password they submitted wasn't - the correct one. With mod_authnz_external it only happens after - successful authentications. That's because mod_authnz_external doesn't - have direct access to the password database. 
After a successful - authentication we can fake-up something that looks to mod_authn_socache - like some credentials out of a database by simple encrypting the password - that the user sent us and pretending we got that out of a database. This - means we don't get quite the performance gains that mod_authn_socache - would give with something like mod_authn_dbd, but we get pretty close. - - So here's how you do it. First you AuthBasicProvider statement should - list both 'socache' and 'external', and it's important that 'socache' - should be listed first, so that it tries to look up users in the cache - before mod_authnz_external runs the authenticator: - - AuthBasicProvider socache external - - Then you need to tell mod_authnz_external to start forging credentials - for mod_authn_socache: - - AuthExternalProvideCache On - - And you need to tell mod_authn_socache to accept credentials from - mod_authnz_external: - - AuthnCacheProvideFor external - - And that should do it. You should see many fewer runs of the external - authenticator, and perhaps a slight decline in your overall security. - - * PASSING CONTEXT INFORMATION INTO AUTHENTICATORS: - - If you want the authentication to work slightly differently in - different directories, then you can add a directive like: - - AuthExternalContext - - This will simply pass whatever string was given to the - authenticator in an environment variable called CONTEXT. The - authenticator can use that to modify it's behavior. - - * MODIFYING ERROR CODES FOR GROUP CHECKING: - - Normally, if a group authentication fails, then apache will return a - 401 error, which will normally cause the browser to pop up a fresh - login box so the user can try logging in with a different ID. This - may not always be appropriate. 
If you rejected him because he has a - blocked IP address, returning a 403 error, which displays an error - page (which you can configure) may be a better choice than asking him - to endlessly try new logins and passwords. - - Previous versions of mod_authnz_external had a 'GroupExternalError' - directive that allowed you to change this. This no longer exists - Under Apache 2.4 you can control the return code using the - 'AuthzSendForbiddenOnFailure' directive. - - * USING GROUP CHECKING INDEPENDENT OF USER CHECKING: - - Normally, the group authorization process checks that a user was - successfully authenticated by the user authentication module before - actually running the external group checking program. This may be - undesirable if your goal is to use mod_authz_external on its own as - a group checker, without any user checking. You can use the - following directive in your Apache config to disable the user - authentication check: - - GroupExternalAuthNCheck Off - - - * INTERACTIONS WITH OTHER AUTHENTICATORS: - - Previous versions of mod_authnz_external had 'GroupExternalAuthoritative' - directive. In Apache 2.4, the notion of authoritativeness is - thankfully almost entirely gone, so this directive is too. - - * OLD DIRECTIVES - - Some of the directives mentioned above used to have different names. - One old name still works for backward compatibility. - - AuthExternalGroupsAtOnce equals GroupExternalManyAtOnce - -(4) Install the Authenticator - - Install your external authentication program in the location named - by the pathname on your AddExternalAuth directive. - - Make sure everything is permitted so that whatever account the httpd - runs under can execute the authenticator. Typically this requires - 'execute' access to the script and all the directories above it. If - it is a script, then read access to the script will also be needed. 
- - If your script is an set-uid script, then make sure the file is owned - by the user it is supposed to run as, and that the suid-bit is set. - -(5) Restart Apache - - Restart Apache, so that all the new configuration commands will be - loaded. If you have the apachectl command do: - - apachectl restart - - For some systems which doesn't have apachectl, you'll want to manually - run the startup script for apache. The locations of these vary somewhat - in different Unix systems, but they typically are something like this: - - /etc/init.d/httpd restart - -(6) Test It - - Test your changes/code by trying to view a protected page. - - If it doesn't work, check the apache error logs. They are loaded - with helpful information. Some common problems and their usual causes: - - - Miscellaneous odd behaviors. - - Did you restart the httpd after the last time you edited the - httpd.conf file or recompiled Apache? Confirm that an - "Apache configured -- resuming normal operations" message appeared - in the error log when you restarted. - - - Apache complains about not recognizing mod_authnz_external commands - in the httpd.conf file like "DefineExternalAuth" and "AddExternalAuth". - - Either the module didn't get installed (if you statically linked - the module, are you running the newly compiled copy of httpd?), - or it isn't enabled (if it is dynamically linked, the AddModule - LoadModule commands described above in step (1) may be missing, - incorrect, or commented out by an inappropriate ). - Sometimes I've found that the httpd.conf file I've been editing is - not actually the one being used by the copy of Apache that is - running. Sometimes I test this by inserting deliberately invalid - commands and checking to see if error messages are generated when - Apache is restarted. We leave the choice of invalid command words - to be used to your imagination. - - - It displays pages in a protected directory without asking for - a login and password. 
- - For some reason Apache is not seeing the directory configuration - commands that set up authentication for that directory. If you - are using .htaccess files, does your httpd.conf file say - "AllowOverride AuthConfig" for the directory? Apache is usually - distributed with "AllowOverride None" set, which will cause - .htaccess files to be quietly ignored. - - - All logins are rejected, and the error log says it cannot execute the - authentication module. Error messages might look like: - - exec of '/foo/bar/authcheck' failed: (2) No such file or directory - [Thu Nov 15 12:26:43 2007] [error] AuthExtern authcheck - [/foo/bar/authcheck]: Failed (-1) for user foo - [Thu Nov 15 12:26:43 2007] [error] user foo: authentication - failure for /mae/index.html": Password Mismatch - - The first of these three messages is from Apache's process launching - library, and gives the clearest information about what caused the - error. Typically it will be either "No such file", which means that - the pathname you specified for the authenticator in step (2) does - not match the actual location of your external authenticator, or - it will be "permission denied", indicating that either the file - or one of the directories above it is permitted so whatever account - apache is configured to run as does not have execute permission. - If it's a script, it also needs read opinion. - - The second error message is actually generated by mod_auth_external. - It just says authentication failed for the user. Normally it would - give the status code returned by the authenticator in parenthesis, - but if the authenticator could not be executed it will show a - phoney status code of -1 (which some systems display as 255). - - The third error message is from Apache. Don't be mislead by it's - saying "Password Mismatch". When mod_auth_external fails, it - rejects all access attempts. To apache this looks like a - Password Mismatch. 
- - - Authentications failed and the message in the error log says it - failed with a status code of -2 or 254, for example: - - [Thu Nov 15 12:26:43 2007] [error] AuthExtern authcheck - [/foo/bar/authcheck]: Failed (-2) for user foo - [Thu Nov 15 12:26:43 2007] [error] user foo: authentication - failure for /mae/index.html": Password Mismatch - - A status code of -2 (or 254) indicates that the authenticator - crashed or was killed before it could return a status code. This - could either be because some other process sent it a signal to - terminate it, or it crashed due to some kind internal error in - the code, causing a segmentation fault or some other similar - crash. - - - Error log says "Failed (X) for user foo" with X being some number - other than -1, -2, 255 or 254. - - The authenticator ran, and exited with the given non-zero return - code. You'll have to check the authenticator to see under what - conditions it exits with that return code. diff --git a/mod_authnz_external/INSTALL.HARDCODE b/mod_authnz_external/INSTALL.HARDCODE deleted file mode 100644 index bce9623..0000000 --- a/mod_authnz_external/INSTALL.HARDCODE +++ /dev/null 
@@ -1,76 +0,0 @@ -If you want to use mod_authnz_external.c with a hardcoded internal function, -then you first have to hardcode an internal function (who wudda thunk?). ------------------------------------------------------------------------------ - -Step 1: - Edit "mod_authnz_external.c" - -Step 2: - Uncomment the _HARDCODE_ #define. - -Step 3: - Uncomment the line: - /* #include "your_function_here.c" */ - Replace "your_function_here.c" with the path/name of your function. - - (Actually, I think it might be better to imbed the function itself - directly in this file instead of including it. Modules work better - if they are implemented in a single source file.) - - Your function should start something like: - - int - function_name (char *user_name,char *user_passwd,char *config_path) - - It should return 0 if the password is correct for the given user, - and other values if it is not, pretty much just like external - authentication programs do. - - You'll want to code this very carefully. A crash will crash not just - your program but the entire httpd. - - ** BIG NOTE TO PROGRAMMERS ** - -DO NOT- use exit() or other such calls that will cause your - function to exit abnormally or dump core. It will take the entire - httpd with it and display a message to your browser saying "no data". - Use "return" instead of exit(). - -Step 4: - Choose a for your function. ie: 'RADIUS' or 'SYBASE' - This will be used for telling mod_authnz_external which hard coded - function you want to call. - -Step 5: - Find the exec_hardcode() function inside mod_authnz_external.c. - Find the big commented section there. Replace the example call - to example() with a call to your function. Also change the name - "EXAMPLE" to the name you chose for your function. - - The function call in exec_hardcode() should look something like: - - if (strcmp(check_type,"")==0) { - code = function_name(c->user,sent_pw,config_file); - } - - Here, we replace "" with the name you chose in step 4. 
- function_name(), of course, should be whatever you called your function - in step 3. - -Step 6: - Save your work. Also save some whales. - -Step 7: - Compile and configure mod_authnz_external as described in the - INSTALL file. - - The AddExternalAuth command in your httpd.conf file might look - something like - - AddExternalAuth whatever EXAMPLE:/usr/local/data/configfile - - Here 'whatever' is the name you will use to invoke this authenticator - in the AuthExternal commands in your .htaccess files. 'EXAMPLE' - is the name you choose in step 4 and inserted into the "if" statement - in step 5. Any data after the colon will be passed into your function. - It might be a config file path or something else. - diff --git a/mod_authnz_external/Makefile b/mod_authnz_external/Makefile deleted file mode 100644 index ec2ab2d..0000000 --- a/mod_authnz_external/Makefile +++ /dev/null @@ -1,26 +0,0 @@ -# Location of apxs command: -#APXS=apxs2 -APXS=apxs - -TAR= README INSTALL INSTALL.HARDCODE CHANGES CONTRIBUTORS AUTHENTICATORS UPGRADE TODO \ - mod_authnz_external.c test/* Makefile - -.DEFAULT_GOAL:= build -.PHONY: install build clean - -install: mod_authnz_external.la - $(APXS) -i -a mod_authnz_external.la - -build: mod_authnz_external.la - -mod_authnz_external.la: mod_authnz_external.c - $(APXS) -c mod_authnz_external.c - -clean: - rm -rf mod_authnz_external.so mod_authnz_external.o \ - mod_authnz_external.la mod_authnz_external.slo \ - mod_authnz_external.lo .libs - -ls -a .*.swp - -mae.tar: $(TAR) - tar cvf mae.tar $(TAR) diff --git a/mod_authnz_external/Makefile.win b/mod_authnz_external/Makefile.win deleted file mode 100644 index 37f8e55..0000000 --- a/mod_authnz_external/Makefile.win +++ /dev/null 
@@ -1,28 +0,0 @@ -#NMAKE format makefile for Visual Studio on Windows - -all: build - -build: mod_authnz_external.so - -!IF !DEFINED(VISUALSTUDIOVERSION) -!ERROR Must be run from within the vcvars.bat environment! -!ENDIF - -!IF !DEFINED(APACHEPATH) -!ERROR APACHEPATH environment variable must point to the local installation of Apache httpd! -!ENDIF - -mod_authnz_external.so: mod_authnz_external.obj - @echo Successful compile - linking module - @echo . - @link /dll /libpath:"$(APACHEPATH)\lib" /out:mod_authnz_external.so mod_authnz_external.obj libhttpd.lib libapr-1.lib libaprutil-1.lib - -mod_authnz_external.obj: mod_authnz_external.c - @echo Visual Studio $(VISUALSTUDIOVERSION) is installed - @echo Apache is installed in $(APACHEPATH) - @echo . - @cl -c -D_WINDOWS -I$(APACHEPATH)\include mod_authnz_external.c - -clean: - del mod_authnz_external.so mod_authnz_external.obj mod_authnz_external.exp mod_authnz_external.lib - diff --git a/mod_authnz_external/README b/mod_authnz_external/README deleted file mode 100644 index d699933..0000000 --- a/mod_authnz_external/README +++ /dev/null 
@@ -1,254 +0,0 @@ - Mod_Authnz_External version 3.3.x - - Original Coder: Nathan Neulinger -Previous Maintainer: Tyler Allison -Previous Maintainer: Jan Wolter http://www.unixpapa.com - Other Contributors: See CONTRIBUTORS - Apache 2.0 Port: Dave Woolaway - Sven Koch - Apache 2.2 Port: Jan Wolter http://www.unixpapa.com - -Caution: --------- - -Mod_Auth_External can be used to quickly construct secure, reliable -authentication systems. It can also be mis-used to quickly open gaping -holes in your security. Read the documentation, and use with extreme -caution. - -Versions: ---------- - -Mod_authnz_external version 3.3.x is designed for use with Apache version -2.4.x. It will not work with Apache 2.2 or 2.0. For older versions of -Apache you will need older branches of mod_authnz_external: - - Apache 1.3 mod_auth_external-2.1.x - Apache 2.0 mod_auth_external-2.2.x - Apache 2.2 mod_authnz_external-3.1.x or mod_authnz_external-3.2.x - Apache 2.4 mod_authnz_external-3.3.x - -This module was developed from "mod_auth_external". It has been restructured -to fit into the authn/authz structure introduce in Apache 2.1. It can be used -in any application where mod_auth_external was previously used. No changes -will be needed to the external authentication programs, but the exact Apache -configuration commands needed will be different. It is possible to use the -old "mod_auth_external-2.2" with Apache-2.2, but mod_authnz_external is -preferable. If you are upgrading from "mod_auth_external" to -"mod_authnz_external" then read the file "UPGRADE" for advice. - -Introduction: -------------- - -Mod_Authnz_External is an Apache module used for authentication. The Apache -HTTP Daemon can be configured to require users to supply logins and passwords -before accessing pages in some directories. Authentication is the process -of checking if the password given is correct for a user. Apache has -standard modules for authenticating out of several different kinds of -databases. 
Mod_Authnz_External is a flexible tool for creating authentication -systems based on other databases. - -Mod_Authnz_External can be used in either of two somewhat divergent ways: - - External Authentication: - - When a user supplies a login and password, mod_authnz_external runs a - program you write, passing it the login and password. Your program - does whatever checking and logging it needs to, and then returns a - Accept/Reject flag to Apache. - - This is slower than doing the authentication internally because it - has the overhead of launching an external program for each authentication. - However, there are at least two situations where it is very useful: - - - Rapid prototyping. The external authentication program can be - a shell script or perl program. It can be written without knowing - much about building Apache modules. Bugs in it will not endanger - the overall integrity of the Apache server. Later, as performance - becomes more of an issue, you can write a custom Apache module to - do the job more efficiently (perhaps using the HARDCODE option below). - - - Access restrictions. There are situations where you do not want to - make your user database readable to the user-id that Apache runs - under. In these cases the external authentication program can be - an suid program that has access to databases Apache cannot access. - For example, if you want to authentication out of a Unix shadow - password database, and you aren't foolish enough to run Apache - as root, a carefully written suid-root external authentication - program can do the job for you. - - Pwauth, an external authentication program for securely authenticating - out of a Unix shadow password database available from - http://www.unixpapa.com/pwauth/ . - - Hardcoded Authentication: - - Some hooks have been inserted into mod_authnz_external to make it easy - to replace the call to the external authentication program with a - call to a hardcoded internal authentication routine that you write. 
- - This is sort of a half-way measure to just writing your own Apache - module from scratch, allowing you to use some of the logic from - mod_authnz_external. - - Example functions for authenticating out of a RADIUS server or Sybase - database are included in this distribution. - -Compatibility: --------------- - -The current version of mod_authnz_external is designed for use with Apache 2.2. -It will not work with older versions of Apache. - -Mod_authnz_external has been tested on a wide variety of Unix platforms. In -theory versions after 3.2.0 should work on any non-Unix platforms supported -by Apache, but it has been tested only under Unix. - -Mod_authnz_external is also compatible with authenticators using the -checkpassword interface. See http://cr.yp.to/checkpwd.html for more -information. - -Authn / Authz -------------- - -Users of mod_authnz_external may find it helpful understand a bit more of -it's internal structure. It is actually best thought of as two functionally -separate modules, mod_authn_external and mod_authz_external, which have -combined into a single module simply because they share a lot of code. -In any particular application, you may only be using one of these two -modules, or you may be using both. - -The mod_authn_external part is an authentication provider for the -mod_auth_basic module. Mod_auth_basic handles all the negotiations with -the browser, while all mod_authn_external does is check if a password -submitted by the user is correct (which it does by running an external -program to perform the check). - -The mod_authz_external part does access control. It has no relation -to mod_auth_basic. It comes into play after authentication is complete, -when a "Require group" or "Require file-group" directive is given. It -checks if the authenticated user is in the list of required groups (which -it does by running an external program to perform the check). 
- -Digest Authentication ---------------------- - -The new authentication structure introduced in Apache 2.1 makes it much -easier for modules like this one to support digest authentication as an -alternative to basic authentication. Mod_Authnz_External, however, does -not yet support digest authentication. - -I hope to support this in the future, but it really isn't a very attractive -alternative and I don't expect many people will want to use it. It will -not be possible to use the same external authentication programs that are -used for basic authentication - they would have to be rewritten. It will -only work if the database being accessed by the external program either has -passwords in plaintext, or has them encrypted in a very specific way. This -means it could not be used for unix password database authentication or with -most other password databases not specifically designed for this application. -And password databases specifically designed for this application might as -well be designed in a format where they could be accessed by mod_authn_file -or mod_authn_dbm. - -Security Considerations: ------------------------- - -By default, mod_authnz_external passes the user's login and password to the -external authentication program by sending them through a pipe. This is -very secure. - -In older versions of mod_auth_external, the login and password were by -default passed in environment variables called USER and PASS. This is -still an option, but we do NOT recommend using option. - -On some versions of Unix (including SunOS and IRIX) any user logged onto -the server can see these values by doing a "ps -e" command. This would -obviously be a problem if there are ever untrusted users on your server. -Other versions of Unix (including Linux) restrict "ps -e" so you can only -see your own processes, but this may still be a problem if untrusted people -can put CGI programs on your server, since those may run as the same user -as your authentication program does. 
Some versions of Unix don't seem to -have a "ps -e" command at all, but even then it is best to be careful. -Although the default "ps" command on Solaris won't display environment -variables, the backwards compatible "/usr/ucb/ps" command does. Are you -sure there isn't and won't be an old-style ps command installed on your -system? - -Use of this module requires development of an external authentication program -or a hardcoded internal function. These are typically very simple programs, -but there are more ways to screw up your security by doing them badly than -we could possibly list. See the file AUTHENTICATORS for more information -on implementing authenticators. - -Example Authentication Routines in this Distribution: ------------------------------------------------------ - - test/ - Several small dummy external authentication programs written in Perl - (there is also a PHP version of one of them). These are meant only for - testing of mod_authnz_external. They accept any user whose password - and login name are identical. They write lots of debugging info to - the error_log file. - - Author and Maintainer: Jan Wolter http://unixpapa.com/ - Author of PHP Version: Claus Andersen - -Example Authentication Routines Formerly Included in this Distribution: ------------------------------------------------------------------------ -In the interest of cleaning up the distribution, several other examples -that were formerly distributed with this module are now only available -separately. - - pwauth - A C program for authenticating out of unix shadow password files or - PAM. - - Author and Maintainer: Jan Wolter http://unixpapa.com/ - Available from: http://code.google.com/p/pwauth/ - - MYSQL-auth - A Perl program for authenticating out of a MySQL database. This is - written in Perl using the DBI interface, so it could be trivially adapted - to work with any other SQL database server that has a DBI interface - (that is to say all of them). 
- - Author and Maintainer: Anders Nordby - Available From: http://anders.fix.no/software/#unix - - sybase-internal-auth - An example of a hardcoded internal authentication function for use with - mod_auth_external or mod_authnz_external. It's designed for doing - authentication out of a sybase database, which these days would be better - done using mod_authn_dbd. - - Author: - Available From: http://code.google.com/p/mod-auth-external/downloads - - mae-radius - Another example or a hardcoded internal authentication function. - This does radius authentication. It may not be fully open source. - - Available From: http://unixpapa.com/software/mae_radius.tar.gz - -Checkpassword Authenticators ----------------------------- - -There are various "checkpassword" compatible authenticators available on the -net which can be used with mod_authnz_external. These authenticators are most -commonly used with qmail pop servers but it is sometimes useful to be able -to use the same authentication system for some web pages. I've listed some -of the ones that look useful for mod_authnz_external, but I've tested only -'checkpassword'. - - checkpassword - http://cr.yp.to/checkpwd.html - Dan J. Bernstein - - Authentication from a Unix shadow password file, similar to the - the pwauth program. - - radcheckpassword - http://www.tic.ch/e-image/andrew/software/radcheckpassword/ - Andrew Richards - - Radius authentication. diff --git a/mod_authnz_external/TODO b/mod_authnz_external/TODO deleted file mode 100644 index f0931ea..0000000 --- a/mod_authnz_external/TODO +++ /dev/null 
@@ -1,18 +0,0 @@ -Jan Wolter: - - - Look into developing a "socket" method, in which we first try open a - socket connecting to the external authenticator, and only launch a new one - if the initial connection attempt fails. This would avoid launching a - new authenticator for each hit. Instead the authenticator would be a - persistent process that can hold open a connection to the database and - even do caching of recent authentications. - - - Improve Windows support. Theoretically version 3.2.0 should work on - windows, but I don't do windows development and can't test it or - document installation procedures. - - - I think the apache data structure r->subprocess_env is a table into which - various modules place environment variable definitions that they want to - have passed into CGI programs, for example, mod_ssl puts HTTPS and a - bunch of other variables here. Should I load all of them into the - environment for the external authenticator? Needs study. diff --git a/mod_authnz_external/UPGRADE b/mod_authnz_external/UPGRADE deleted file mode 100644 index 253ca8c..0000000 --- a/mod_authnz_external/UPGRADE +++ /dev/null 
@@ -1,115 +0,0 @@ -How to upgrade from mod_auth_external to mod_authnz_external: - -(0) Read the section entitled "Authn / Authz" in the README file. This will - probably make understanding this new version of the module easier. - -(1) Make sure mod_auth_external is no longer being loaded. You cannot load - both mod_auth_external and mod_authnz_external without problems. This - means ensuring that there is no "LoadModule" or "AddModule" line for - mod_auth_external. You could also remove the mod_auth_external.so file - from the Apache 'modules' directory. - -(2) Install mod_authnz_external as described in the INSTALL file. - -(3) The server-level configuration directives in the httpd.conf file are the - same as before. There has been no change to the way "AddExternalAuth", - "AddExternalGroup", "AddExternalAuthMethod", and "AddExternalGroupMethod" - work. - -(4) In the per-directory configurations (either in .htaccess files or in a - block in httpd.conf) need to include a new directive to tell - mod_auth_basic to use mod_authnz_external for authentication. For - mod_auth_external, the per-directory configurations normally looked - something this: - - AuthType Basic - AuthName - AuthExternal - require valid-user - - For mod_authnz_external, you need to add the "AuthBasicProvider" directive. - - AuthType Basic - AuthName - AuthBasicProvider external - AuthExternal - require valid-user - - The directive "AuthType Basic" tells apache that you want to use the - mod_auth_basic module to do "basic authentiation". The directive - "AuthBasicProvider external" tells mod_auth_basic to use - mod_authnz_external to check the correctness of passwords. - - Note that the "AuthBasicProvider" directive is only needed if you are - using mod_authnz_external for password checking. If you are using it - only for group checking, then this is not needed. 
- -(5) If you were using mod_auth_external in a non-authoritative mode, then - your per-directory configuration probably included the directive: - - AuthExternalAuthoritative off - - This command will no longer work. If upgrading to Apache 2.2, you - should use one or both of the following commands: - - AuthBasicAuthoritative off - GroupExternalAuthoritative off - - The "AuthBasicAuthoritative" directive effects password checking, which - is done through mod_auth_basic. - - The "GroupExternalAuthoritative" effects only group checking. That is - if you had both "GroupExternal" directive setting up an external program - for group checking, and an "AuthGroupFile" directive setting up a group - file, then it would control whether the first module to process a - "Require group admin" directive was the only one to run, or whether each - group checker was given a chance to decide if the user was in that group - based on it's group database. - - In Apache 2.4, all of this is handled quite differently. I need to - document this. - -(6) If you were using multiple Require directives, the behavior may change - under Apache 2.2. Suppose you wanted to allow access to user "pete" and - members of the group "admins". You might have do: - - Require group admin - Require user pete - - Under Apache 2.0, both of these directives would have been checked by - mod_auth_external, and it would have correctly allowed access if either - of the two conditions were satisfied. In Apache 2.2, however, only - "Require group" and "Require file-group" directives are checked by - mod_authnz_external. "Require user" and "Require valid-user" are checked - by mod_authz_user, a standard module that comes with Apache. How the - two directives interact depends on whether they are authoritative or - not. 
mod_authz_user is Authoritative by default, so to get the old - behavior, you will need to do - - GroupUserAuthoritative off - - Again, in Apache 2.4, all of this is handled quite differently, and this - document needs updating. - -(7) Note that a new type of functionality is available under Apache 2.2 with - mod_authnz_external. Thanks to mod_authz_owner, you can now do: - - Require file-owner - or - Require file-group - - The first checks if the name of the authenticated user matches the - name of the unix account that owns the file. The second checks if, - according to whatever group database has been configured for the - current directory, the currently authenticated user is in a group - with the same name as the Unix group that owns the file. - - Normally these are rather strange directives, because normally unix - accounts have no relationship to accounts in whatever database is - being used for http authentication, but for people using 'pwauth' - with mod_authnz_external, these really check if the user has been - authenticated as the unix user who owns the file. - - In Apache 2.4, this is the same, except the latter of the two becomes: - - Require external-file-group diff --git a/mod_authnz_external/mod_authnz_external.c b/mod_authnz_external/mod_authnz_external.c deleted file mode 100644 index e736489..0000000 --- a/mod_authnz_external/mod_authnz_external.c +++ /dev/null 
@@ -1,955 +0,0 @@ -/* ==================================================================== - * Copyright (c) 1995 The Apache Group. All rights reserved. - * Copyright (c) Nathan Neulinger, Tyler Allison, Jan Wolter and - * other contributors. Please see CONTRIBUTORS. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the Apache Group - * for use in the Apache HTTP server project (http://www.apache.org/)." - * - * 4. The names "Apache Server" and "Apache Group" must not be used to - * endorse or promote products derived from this software without - * prior written permission. - * - * 5. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the Apache Group - * for use in the Apache HTTP server project (http://www.apache.org/)." - * - * THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE APACHE GROUP OR - * IT'S CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This software consists of voluntary contributions made by many - * individuals on behalf of the Apache Group and was originally based - * on public domain software written at the National Center for - * Supercomputing Applications, University of Illinois, Urbana-Champaign. - * For more information on the Apache Group and the Apache HTTP server - * project, please see . - * - */ - - -/* Uncomment if you want to use a HARDCODE'd check (default off) */ -/* #define _HARDCODE_ */ - -#ifdef _HARDCODE_ - /* Uncomment if you want to use your own Hardcode (default off) */ - /* MUST HAVE _HARDCODE_ defined above! */ - /* #include "your_function_here.c" */ -#endif - - -#include "apr_lib.h" - -#include "ap_config.h" -#include "ap_provider.h" -#include "mod_auth.h" -#include "apr_signal.h" - -#define APR_WANT_STRFUNC -#include "apr_want.h" -#include "apr_strings.h" -#include "apr_sha1.h" - -#include "httpd.h" -#include "http_config.h" -#include "http_core.h" -#include "http_log.h" -#include "http_protocol.h" -#include "http_request.h" /* for ap_hook_(check_user_id | auth_checker)*/ -#if APR_HAVE_UNISTD_H -#include -#endif - -#ifndef STANDARD20_MODULE_STUFF -#error This module requires Apache 2.2.0 or later. 
-#endif - -/* Names of environment variables used to pass data to authenticator */ -#define ENV_USER "USER" -#define ENV_PASS "PASS" -#define ENV_GROUP "GROUP" -#define ENV_URI "URI" -#define ENV_IP "IP" -#define ENV_HOST "HOST" /* Remote Host */ -#define ENV_HTTP_HOST "HTTP_HOST" /* Local Host */ -#define ENV_CONTEXT "CONTEXT" /* Arbitrary Data from Config */ -#define ENV_METHOD "METHOD" /* Request method (eg. GET, HEAD, POST, OPTIONS, etc.) */ -/* Undefine this if you do not want cookies passed to the script */ -#define ENV_COOKIE "COOKIE" - -/* Maximum number of arguments passed to an authenticator */ -#define MAX_ARG 32 - -/* Default authentication method - "pipe", "environment" or "checkpass" */ -#define DEFAULT_METHOD "pipe" - -/* - * Structure for the module itself. The actual definition of this structure - * is at the end of the file. - */ -module AP_MODULE_DECLARE_DATA authnz_external_module; - -/* - * Data types for per-directory and per-server configuration - */ - -typedef struct -{ - apr_array_header_t *auth_name; /* Auth keyword for current dir */ - char *group_name; /* Group keyword for current dir */ - char *context; /* Context string from AuthExternalContext */ - int groupsatonce; /* Check all groups in one call? */ - int providecache; /* Provide auth data to mod_authn_socache? */ - int authncheck; /* Check for previous authentication? 
*/ - -} authnz_external_dir_config_rec; - - -typedef struct -{ - apr_table_t *auth_path; /* Hash mapping auth keywords to paths */ - apr_table_t *auth_method; /* Hash mapping auth keywords to methods */ - - apr_table_t *group_path; /* Hash mapping group keywords to paths */ - apr_table_t *group_method; /* Hash mapping group keywords to methods */ - -} authnz_external_svr_config_rec; - - -/* mod_authz_owner's function for retrieving the requested file's group */ -APR_DECLARE_OPTIONAL_FN(char*, authz_owner_get_file_group, (request_rec *r)); -APR_OPTIONAL_FN_TYPE(authz_owner_get_file_group) *authz_owner_get_file_group; - -/* mod_authn_socache's function for adding credentials to its cache */ -static APR_OPTIONAL_FN_TYPE(ap_authn_cache_store) *authn_cache_store = NULL; - - -/* Creators for per-dir and server configurations. These are called - * via the hooks in the module declaration to allocate and initialize - * the per-directory and per-server configuration data structures declared - * above. 
*/ - -static void *create_authnz_external_dir_config(apr_pool_t *p, char *d) -{ - authnz_external_dir_config_rec *dir = (authnz_external_dir_config_rec *) - apr_palloc(p, sizeof(authnz_external_dir_config_rec)); - - dir->auth_name = apr_array_make(p, 2, sizeof(const char *)); /* no default */ - dir->group_name = NULL; /* no default */ - dir->context = NULL; /* no default */ - dir->groupsatonce = 1; /* default to on */ - dir->providecache = 0; /* default to off */ - dir->authncheck = 1; /* default to on */ - return dir; -} - -static void *create_authnz_external_svr_config(apr_pool_t *p, server_rec *s) -{ - authnz_external_svr_config_rec *svr = (authnz_external_svr_config_rec *) - apr_palloc(p, sizeof(authnz_external_svr_config_rec)); - - svr->auth_method = apr_table_make(p, 4); - svr->auth_path = apr_table_make(p, 4); - svr->group_method = apr_table_make(p, 4); - svr->group_path = apr_table_make(p, 4); - /* Note: 4 is only initial hash size - they can grow bigger) */ - - return (void *)svr; -} - -/* Handler for a DefineExternalAuth server config line */ -static const char *def_extauth(cmd_parms *cmd, void *dummy, const char *keyword, - const char *method, const char *path) -{ - authnz_external_svr_config_rec *svr = (authnz_external_svr_config_rec *) - ap_get_module_config(cmd->server->module_config, - &authnz_external_module); - - apr_table_set(svr->auth_path, keyword, path); - apr_table_set(svr->auth_method, keyword, method); - - return NULL; -} - - -/* Handler for a DefineExternalGroup server config line */ -static const char *def_extgroup(cmd_parms *cmd, void *dummy, - const char *keyword, const char *method, const char *path) -{ - authnz_external_svr_config_rec *svr = (authnz_external_svr_config_rec *) - ap_get_module_config(cmd->server->module_config, - &authnz_external_module); - - apr_table_set(svr->group_path, keyword, path); - apr_table_set(svr->group_method, keyword, method); - - return NULL; -} - - - -/* Handler for a AddExternalAuth server config line - 
add a external auth - * type to the server configuration */ -static const char *add_extauth(cmd_parms *cmd, void *dummy, const char *keyword, - const char *path) -{ - authnz_external_svr_config_rec *svr = (authnz_external_svr_config_rec *) - ap_get_module_config(cmd->server->module_config, - &authnz_external_module); - - apr_table_set(svr->auth_path, keyword, path); - apr_table_set(svr->auth_method, keyword, DEFAULT_METHOD); - - return NULL; -} - - -/* Handler for a AddExternalGroup server config line - add a external group - * type to the server configuration */ -static const char *add_extgroup(cmd_parms *cmd, void *dummy, - const char *keyword, const char *path) -{ - authnz_external_svr_config_rec *svr = (authnz_external_svr_config_rec *) - ap_get_module_config(cmd->server->module_config, - &authnz_external_module); - - apr_table_set(svr->group_path, keyword, path); - apr_table_set(svr->group_method, keyword, DEFAULT_METHOD); - - return NULL; -} - -/* Handler for a SetExternalAuthMethod server config line - change an external - * auth method in the server configuration */ -static const char *set_authnz_external_method(cmd_parms *cmd, void *dummy, - const char *keyword, const char *method) -{ - authnz_external_svr_config_rec *svr = (authnz_external_svr_config_rec *) - ap_get_module_config(cmd->server->module_config, - &authnz_external_module); - - apr_table_set(svr->auth_method, keyword, method); - - return NULL; -} - - -/* Handler for a SetExternalGroupMethod server config line - change an external - * group method in the server configuration */ -static const char *set_extgroup_method(cmd_parms *cmd, void *dummy, - const char *keyword, const char *method) -{ - authnz_external_svr_config_rec *svr = (authnz_external_svr_config_rec *) - ap_get_module_config(cmd->server->module_config, - &authnz_external_module); - - apr_table_set(svr->group_method, keyword, method); - - return NULL; -} - -/* Handler for an AuthExternal directive: - * appends an argument to an array 
defined by the offset */ -static const char *append_array_slot(cmd_parms *cmd, void *struct_ptr, - const char *arg) -{ - int offset = (int)(size_t)cmd->info; - apr_array_header_t *array = - *(apr_array_header_t **)((char *)struct_ptr + offset); - - *(const char **)apr_array_push(array) = apr_pstrdup(array->pool, arg); - - return NULL; -} - - -/* Config file directives for this module */ -static const command_rec authnz_external_cmds[] = -{ - AP_INIT_ITERATE("AuthExternal", - append_array_slot, - (void *)APR_OFFSETOF(authnz_external_dir_config_rec,auth_name), - OR_AUTHCFG, - "one (or more) keywords indicating which authenticators to use"), - - AP_INIT_TAKE3("DefineExternalAuth", - def_extauth, - NULL, - RSRC_CONF, - "a keyword followed by auth method and path to authenticator"), - - AP_INIT_TAKE2("AddExternalAuth", - add_extauth, - NULL, - RSRC_CONF, - "a keyword followed by a path to the authenticator program"), - - AP_INIT_TAKE2("SetExternalAuthMethod", - set_authnz_external_method, - NULL, - RSRC_CONF, - "a keyword followed by the method by which the data is passed"), - - AP_INIT_TAKE1("GroupExternal", - ap_set_string_slot, - (void *)APR_OFFSETOF(authnz_external_dir_config_rec, group_name), - OR_AUTHCFG, - "a keyword indicating which group checker to use"), - - AP_INIT_TAKE3("DefineExternalGroup", - def_extgroup, - NULL, - RSRC_CONF, - "a keyword followed by auth method type and path to group checker"), - - AP_INIT_TAKE2("AddExternalGroup", - add_extgroup, - NULL, - RSRC_CONF, - "a keyword followed by a path to the group check program"), - - AP_INIT_TAKE2("SetExternalGroupMethod", - set_extgroup_method, - NULL, - RSRC_CONF, - "a keyword followed by the method by which the data is passed"), - - AP_INIT_TAKE1("AuthExternalContext", - ap_set_string_slot, - (void *)APR_OFFSETOF(authnz_external_dir_config_rec, context), - OR_AUTHCFG, - "An arbitrary context string to pass to the authenticator in the " - ENV_CONTEXT " environment variable"), - - 
AP_INIT_FLAG("AuthExternalProvideCache", - ap_set_flag_slot, - (void *)APR_OFFSETOF(authnz_external_dir_config_rec, providecache), - OR_AUTHCFG, - "Should we forge authentication credentials for mod_authn_socache?"), - - AP_INIT_FLAG("GroupExternalManyAtOnce", - ap_set_flag_slot, - (void *)APR_OFFSETOF(authnz_external_dir_config_rec, groupsatonce), - OR_AUTHCFG, - "Set to 'off' if group authenticator cannot handle multiple group " - "names in one invocation"), - - AP_INIT_FLAG("AuthExternalGroupsAtOnce", - ap_set_flag_slot, - (void *)APR_OFFSETOF(authnz_external_dir_config_rec, groupsatonce), - OR_AUTHCFG, - "Old version of 'GroupExternalManyAtOnce'"), - - AP_INIT_FLAG("GroupExternalAuthNCheck", - ap_set_flag_slot, - (void *)APR_OFFSETOF(authnz_external_dir_config_rec, authncheck), - OR_AUTHCFG, - "Set to 'off' if group authenticator should skip checking whether " - "user is validly authenticated"), - - { NULL } -}; - -/* array handling helper functions */ - -/* Appends a C string to the end of the APR array */ -static void apr_array_push_wrapper(apr_array_header_t *arr, const char *element) { - *(const char**)apr_array_push(arr) = element; -} - - -/* Called from apr_proc_create() if there are errors during launch of child - * process. Mostly just lifted from mod_cgi. */ -static void extchilderr(apr_pool_t *p, apr_status_t err, const char *desc) -{ - apr_file_t *stderr_log; - char errbuf[200]; - apr_file_open_stderr(&stderr_log, p); - apr_file_printf(stderr_log, "%s: (%d) %s\n", ap_escape_logitem(p, desc), - err, apr_strerror(err, errbuf, sizeof(errbuf))); -} - -/* Called from exec_external(). Retrieves any AUTHORIZE_ headers set by - * other modules. 
*/ -int extgetauthheaders(void *destarray, const char *key, const char *value) { - if (strstr(key, "AUTHORIZE")) { - apr_array_header_t *child_env = (apr_array_header_t *)destarray; - apr_array_push_wrapper(child_env, apr_pstrcat(child_env->pool, key, "=", value, NULL)); - } - return 1; //continue -} - - -/* Run an external authentication program using the given method for passing - * in the data. The login name is always passed in. Dataname is "GROUP" or - * "PASS" and data is the group list or password being checked. To launch - * a detached daemon, run this with extmethod=NULL. - * - * If the authenticator was run, we return the numeric code from the - * authenticator, normally 0 if the login was valid, some small positive - * number if not. If we were not able to run the authenticator, we log - * an error message and return a numeric error code: - * - * -1 Could not execute authenticator, usually a path or permission problem - * -2 The external authenticator crashed or was killed. - * -3 Could not create process attribute structure - * -4 apr_proc_wait() did not return a status code. Should never happen. - * -5 apr_proc_wait() returned before child finished. Should never happen. 
- */ -static int exec_external(const char *extpath, const char *extmethod, - const request_rec *r, const char *dataname, const char *data) -{ - conn_rec *c = r->connection; - apr_pool_t *p = r->pool; - int isdaemon, usecheck = 0, usepipeout = 0, usepipein = 0; - apr_procattr_t *procattr; - apr_proc_t proc; - apr_status_t rc = APR_SUCCESS; - apr_array_header_t *child_env = apr_array_make(p, 16, sizeof(char *)); - char *child_arg[MAX_ARG + 2]; - const char *t; - int i, status = -4; - apr_exit_why_e why = APR_PROC_EXIT; -#ifndef _WINDOWS - apr_sigfunc_t *sigchld; -#endif - - /* Set various flags based on the execution method */ - - isdaemon = (extmethod == NULL); - if (!isdaemon) - { - usecheck = extmethod && !strcasecmp(extmethod, "checkpassword"); - usepipeout = usecheck || (extmethod && !strcasecmp(extmethod, "pipes")); - usepipein = usepipeout || (extmethod && !strcasecmp(extmethod, "pipe")); - } - - /* Create the environment for the child. Daemons don't get these, they - * just inherit apache's environment variables. 
- */ - - if (!isdaemon) - { - const char *cookie, *host, *remote_host; - authnz_external_dir_config_rec *dir = (authnz_external_dir_config_rec *) - ap_get_module_config(r->per_dir_config, &authnz_external_module); - i = 0; - - if (!usepipein) - { - /* Put user name and password/group into environment */ - apr_array_push_wrapper(child_env, apr_pstrcat(p, ENV_USER"=", r->user, NULL)); - apr_array_push_wrapper(child_env, apr_pstrcat(p, dataname, "=", data, NULL)); - } - - apr_array_push_wrapper(child_env, apr_pstrcat(p, "PATH=", getenv("PATH"), NULL)); - - apr_array_push_wrapper(child_env, apr_pstrcat(p, "AUTHTYPE=", dataname, NULL)); - - remote_host = ap_get_remote_host(c, r->per_dir_config, REMOTE_HOST, NULL); - if (remote_host != NULL) - apr_array_push_wrapper(child_env, apr_pstrcat(p, ENV_HOST"=", remote_host, NULL)); - - if (r->useragent_ip) - apr_array_push_wrapper(child_env, apr_pstrcat(p, ENV_IP"=", r->useragent_ip, NULL)); - - if (r->uri) - apr_array_push_wrapper(child_env, apr_pstrcat(p, ENV_URI"=", r->uri, NULL)); - - if (r->method) - apr_array_push_wrapper(child_env, apr_pstrcat(p, ENV_METHOD"=", r->method, NULL)); - - if ((host = apr_table_get(r->headers_in, "Host")) != NULL) - apr_array_push_wrapper(child_env, apr_pstrcat(p, ENV_HTTP_HOST"=", host, NULL)); - - if (dir->context) - apr_array_push_wrapper(child_env, apr_pstrcat(r->pool, ENV_CONTEXT"=", dir->context, NULL)); - -#ifdef ENV_COOKIE - if ((cookie = apr_table_get(r->headers_in, "Cookie")) != NULL) - apr_array_push_wrapper(child_env, apr_pstrcat(p, ENV_COOKIE"=", cookie, NULL)); -#endif - -#ifdef _WINDOWS - apr_array_push_wrapper(child_env, apr_pstrcat(r->pool, "SystemRoot=", getenv("SystemRoot"), NULL)); -#endif - - /* Retrieve any AUTHORIZE_ headers set by other modules */ - apr_table_do(extgetauthheaders, (void *)child_env, r->subprocess_env, NULL); - - /* End of environment */ - apr_array_push_wrapper(child_env, NULL); - } - - /* Construct argument array */ - for (t = extpath, i = 0; - *t != 
'\0' && (i <= MAX_ARG + 1); - child_arg[i++] = ap_getword_white(p, &t)) - { - } - child_arg[i] = NULL; - - /* Create the process attribute structure describing the script we - * want to run using the Thread/Process functions from the Apache - * portable runtime library. */ - - if (((rc = apr_procattr_create(&procattr, p)) != APR_SUCCESS) || - - /* should we create pipes to stdin, stdout and stderr? */ - ((rc = apr_procattr_io_set(procattr, - (usepipein && !usecheck) ? APR_FULL_BLOCK : APR_NO_PIPE, - usepipeout ? APR_FULL_BLOCK : APR_NO_PIPE, - (usepipein && usecheck) ? APR_FULL_BLOCK : APR_NO_PIPE)) - != APR_SUCCESS) || - - /* will give full path of program and make a new environment */ - ((rc = apr_procattr_cmdtype_set(procattr, - isdaemon ? APR_PROGRAM_ENV : APR_PROGRAM)) != APR_SUCCESS) || - - /* detach the child only if it is a daemon */ - ((rc = apr_procattr_detach_set(procattr, isdaemon)) != APR_SUCCESS) || - - /* function to call if child has error after fork, before exec */ - ((rc = apr_procattr_child_errfn_set(procattr, extchilderr)) - != APR_SUCCESS)) - { - /* Failed. Probably never happens. */ - ap_log_rerror(APLOG_MARK, APLOG_ERR, rc, r, - "could not set child process attributes"); - return -3; - } - - /* Sometimes other modules wil mess up sigchild. Need to fix it for - * the wait call to work correctly. (However, there's no need to fix - * the handler on Windows, since there are no signals on Windows.) 
*/ -#ifndef _WINDOWS - sigchld = apr_signal(SIGCHLD, SIG_DFL); -#endif - - /* Start the child process */ - rc = apr_proc_create(&proc, child_arg[0], - (const char * const *)child_arg, - (const char * const *)child_env->elts, procattr, p); - if (rc != APR_SUCCESS) - { - ap_log_rerror(APLOG_MARK, APLOG_ERR, rc, r, - "Could not run external authenticator: %d: %s", rc, - child_arg[0]); - return -1; - } - - if (isdaemon) return 0; - - apr_pool_note_subprocess(p, &proc, APR_KILL_AFTER_TIMEOUT); - - if (usepipein) - { - /* Select appropriate pipe to write to */ - apr_file_t *pipe = (usecheck ? proc.err : proc.in); - - /* Send the user */ - apr_file_write_full(pipe, r->user, strlen(r->user), NULL); - apr_file_putc(usecheck ? '\0' : '\n', pipe); - - /* Send the password */ - apr_file_write_full(pipe, data, strlen(data), NULL); - apr_file_putc(usecheck ? '\0' : '\n', pipe); - - /* Send dummy timestamp for checkpassword */ - if (usecheck) apr_file_write_full(pipe, "0", 2, NULL); - - /* Close the file */ - apr_file_close(pipe); - } - - /* Wait for the child process to terminate, and get status */ - rc = apr_proc_wait(&proc, &status, &why, APR_WAIT); - - /* Restore sigchild to whatever it was before we reset it */ -#ifndef _WINDOWS - apr_signal(SIGCHLD, sigchld); -#endif - - if (!APR_STATUS_IS_CHILD_DONE(rc)) - { - ap_log_rerror(APLOG_MARK, APLOG_ERR, rc, r, - "Could not get status from child process"); - return -5; - } - if (!APR_PROC_CHECK_EXIT(why)) - { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "External authenticator died on signal %d", status); - return -2; - } - - return status; -} - - -/* Call the hardcoded function specified by the external path. Of course, - * you'll have to write the hardcoded functions yourself and insert them - * into this source file, as well as inserting a call to them into this - * routine. 
- */ -static int exec_hardcode(const request_rec *r, const char *extpath, - const char *password) -{ -#ifdef _HARDCODE_ - char *check_type; /* Pointer to HARDCODE type check */ - char *config_file; /* Pointer to HARDCODE config file */ - int standard_auth = 0; - - /* Parse a copy of extpath into type and filename */ - check_type = apr_pstrdup(r->pool, extpath); - config_file = strchr(check_type, ':'); - if (config_file != NULL) - { - *config_file = '\0'; /* Mark end of type */ - config_file++; /* Start of filename */ - } - - /* This is where you make your function call. Here is an example of - * what one looks like: - * - * if (strcmp(check_type,"RADIUS")==0) - * code= radcheck(r->user,password,config_file); - * - * Replace 'radcheck' with whatever the name of your function is. - * Replace 'RADIUS' with whatever you are using as the in: - * AddExternalAuth : - */ - - if (strcmp(check_type, "EXAMPLE") == 0) /* change this! */ - code = example(r->user, password, config_file); /* change this! */ - else - code = -5; - return code; -#else - return -4; /* If _HARDCODE_ is not defined, always fail */ -#endif /* _HARDCODE_ */ -} - - -/* Handle a group check triggered by a 'Require external-group foo bar baz' - * directive. 
*/ -static authz_status externalgroup_check_authorization(request_rec *r, - const char *require_args, const void *parsed_require_args) -{ - authnz_external_dir_config_rec *dir = (authnz_external_dir_config_rec *) - ap_get_module_config(r->per_dir_config, &authnz_external_module); - - authnz_external_svr_config_rec *svr = (authnz_external_svr_config_rec *) - ap_get_module_config(r->server->module_config, &authnz_external_module); - - char *user = r->user; - char *extname = dir->group_name; - const char *extpath, *extmethod; - const char *t, *w; - int code = 0; - - if (dir->authncheck) { - /* If no authenticated user, pass */ - if (!user) return AUTHZ_DENIED_NO_USER; - } - else { - /* Prevent crash due to missing user */ - if (!user) r->user = ""; - } - - /* If no external authenticator has been configured, pass */ - if (!extname) return AUTHZ_DENIED; - - /* Get the path and method associated with that external */ - if (!(extpath = apr_table_get(svr->group_path, extname)) || - !(extmethod = apr_table_get(svr->group_method, extname))) - { - errno = 0; - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "invalid GroupExternal keyword (%s)", extname); - return AUTHZ_DENIED; - } - - if (dir->groupsatonce) - { - /* Pass rest of require line to authenticator */ - code = exec_external(extpath, extmethod, r, ENV_GROUP, require_args); - if (code == 0) return AUTHZ_GRANTED; - } - else - { - /* Call authenticator once for each group name on line */ - t = require_args; - while ((w = ap_getword_conf(r->pool, &t)) && w[0]) - { - code = exec_external(extpath, extmethod, r, ENV_GROUP, w); - if (code == 0) return AUTHZ_GRANTED; - } - } - - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "Authorization of user %s to access %s failed. " - "User not in Required group. Last result code: %i", - r->user, r->uri, code); - - return AUTHZ_DENIED; -} - - -/* Handle a group check triggered by a 'Require external-file-group' - * directive. 
*/ -static authz_status externalfilegroup_check_authorization(request_rec *r, - const char *require_args, const void *parsed_require_args) -{ - authnz_external_dir_config_rec *dir = (authnz_external_dir_config_rec *) - ap_get_module_config(r->per_dir_config, &authnz_external_module); - - authnz_external_svr_config_rec *svr = (authnz_external_svr_config_rec *) - ap_get_module_config(r->server->module_config, &authnz_external_module); - - char *user = r->user; - char *extname = dir->group_name; - const char *extpath, *extmethod; - const char *filegroup = NULL; - int code; - - if (dir->authncheck) { - /* If no authenticated user, pass */ - if (!user) return AUTHZ_DENIED_NO_USER; - } - else { - /* Prevent crash due to missing user */ - if (!user) r->user = ""; - } - - /* If no external authenticator has been configured, pass */ - if (!extname) return AUTHZ_DENIED; - - /* Get the path and method associated with that external */ - if (!(extpath = apr_table_get(svr->group_path, extname)) || - !(extmethod = apr_table_get(svr->group_method, extname))) - { - errno = 0; - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "invalid GroupExternal keyword (%s)", extname); - return AUTHZ_DENIED; - } - - /* Get group name for requested file from mod_authz_owner */ - filegroup = authz_owner_get_file_group(r); - - if (!filegroup) - /* No errog log entry, because mod_authz_owner already made one */ - return AUTHZ_DENIED; - - /* Pass the group to the external authenticator */ - code = exec_external(extpath, extmethod, r, ENV_GROUP, filegroup); - if (code == 0) return AUTHZ_GRANTED; - - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "Authorization of user %s to access %s failed. " - "User not in Required file group (%s).", - r->user, r->uri, filegroup); - - return AUTHZ_DENIED; -} - - -/* Mod_authn_socache wants us to pass it the username and the encrypted - * password from the user database to cache. 
But we have no access to the
- * actual user database - only the external authenticator can see that -
- * and chances are, the passwords there aren't encrypted in any way that
- * mod_authn_socache would understand anyway. So instead, after successful
- * authentications only, we take the user's plain text password, encrypt
- * that using an algorithm mod_authn_socache will understand, and cache that
- * as if we'd actually gotten it from a password database.
- */
-void mock_turtle_cache(request_rec *r, const char *plainpw)
-{
- char cryptpw[120];
-
- /* Authn_cache_store will be null if mod_authn_socache does not exist.
- * If it does exist, but is not set up to cache us, then
- * authn_cache_store() will do nothing, which is why we turn this off
- * with "AuthExternalProvideCache Off" to avoid doing the encryption
- * for no reason. */
- if (authn_cache_store != NULL)
- {
- apr_sha1_base64(plainpw, strlen(plainpw), cryptpw);
- authn_cache_store(r, "external", r->user, NULL, cryptpw);
- }
-}
-
-
-/* Password checker for basic authentication - given a login/password,
- * check if it is valid. Returns one of AUTH_DENIED, AUTH_GRANTED,
- * or AUTH_GENERAL_ERROR.
*/
-
-static authn_status authn_external_check_password(request_rec *r,
- const char *user, const char *password)
-{
- const char *extname, *extpath, *extmethod;
- int i;
- authnz_external_dir_config_rec *dir = (authnz_external_dir_config_rec *)
- ap_get_module_config(r->per_dir_config, &authnz_external_module);
-
- authnz_external_svr_config_rec *svr = (authnz_external_svr_config_rec *)
- ap_get_module_config(r->server->module_config,
- &authnz_external_module);
- int code = 1;
-
- /* Check if we are supposed to handle this authentication */
- if (dir->auth_name->nelts == 0)
- {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "No AuthExternal name has been set");
- return AUTH_GENERAL_ERROR;
- }
-
- for (i = 0; i < dir->auth_name->nelts; i++)
- {
- extname = ((const char **)dir->auth_name->elts)[i];
-
- /* Get the path associated with that external */
- if (!(extpath = apr_table_get(svr->auth_path, extname)))
- {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "Invalid AuthExternal keyword (%s)", extname);
- return AUTH_GENERAL_ERROR;
- }
-
- /* Do the authentication, by the requested method */
- extmethod = apr_table_get(svr->auth_method, extname);
- if (extmethod && !strcasecmp(extmethod, "function"))
- code = exec_hardcode(r, extpath, password);
- else
- code = exec_external(extpath, extmethod, r, ENV_PASS, password);
-
- /* If return code was zero, authentication succeeded */
- if (code == 0)
- {
- if (dir->providecache) mock_turtle_cache(r, password);
- return AUTH_GRANTED;
- }
-
- /* Log a failed authentication */
- errno = 0;
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "AuthExtern %s [%s]: Failed (%d) for user %s",
- extname, extpath, code, r->user);
- }
- /* If no authenticators succeed, refuse authentication */
- return AUTH_DENIED;
-}
-
-
-#if 0
-/* Password checker for digest authentication - given a login/password,
- * check if it is valid. Returns one of AUTH_USER_FOUND, AUTH_USER_NOT_FOUND,
- * or AUTH_GENERAL_ERROR.
Not implemented at this time and probably not ever.
- */
-
-auth_status *authn_external_get_realm_hash(request_rec *r, const char *user,
- const char *realm, char **rethash);
-{
-}
-#endif
-
-/* This is called after all modules have been initialized to acquire pointers
- * to some functions from other modules that we would like to use if they are
- * available. */
-static void opt_retr(void)
-{
- /* Get authn_cache_store from mod_authn_socache */
- authn_cache_store =
- APR_RETRIEVE_OPTIONAL_FN(ap_authn_cache_store);
-
- /* Get authz_owner_get_file_group from mod_authz_owner */
- authz_owner_get_file_group =
- APR_RETRIEVE_OPTIONAL_FN(authz_owner_get_file_group);
-}
-
-/* This tells mod_auth_basic and mod_auth_digest what to call for
- * authentication. */
-static const authn_provider authn_external_provider =
-{
- &authn_external_check_password,
-#if 0
- & authn_external_get_realm_hash
-#else
- NULL /* No support for digest authentication */
-#endif
-};
-
-/* This tells mod_auth_basic and mod_auth_digest what to call for
- * access control with 'Require external-group' directives. */
-static const authz_provider authz_externalgroup_provider =
-{
- &externalgroup_check_authorization,
- NULL,
-};
-
-/* This tells mod_auth_basic and mod_auth_digest what to call for
- * access control with 'Require external-file-group' directives.
*/
-static const authz_provider authz_externalfilegroup_provider =
-{
- &externalfilegroup_check_authorization,
- NULL,
-};
-
-/* Register this module with Apache */
-static void register_hooks(apr_pool_t *p)
-{
- /* Register authn provider */
- ap_register_auth_provider(p, AUTHN_PROVIDER_GROUP, "external",
- AUTHN_PROVIDER_VERSION,
- &authn_external_provider, AP_AUTH_INTERNAL_PER_CONF);
-
- /* Register authz providers */
- ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "external-group",
- AUTHZ_PROVIDER_VERSION,
- &authz_externalgroup_provider, AP_AUTH_INTERNAL_PER_CONF);
-
- ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "external-file-group",
- AUTHZ_PROVIDER_VERSION,
- &authz_externalfilegroup_provider, AP_AUTH_INTERNAL_PER_CONF);
-
- /* Ask for opt_retr() to be called after all modules have registered */
- ap_hook_optional_fn_retrieve(opt_retr, NULL, NULL, APR_HOOK_MIDDLE);
-}
-
-
-AP_DECLARE_MODULE(authnz_external) = {
- STANDARD20_MODULE_STUFF,
- create_authnz_external_dir_config, /* create per-dir config */
- NULL, /* merge per-dir config - dflt is override */
- create_authnz_external_svr_config, /* create per-server config */
- NULL, /* merge per-server config */
- authnz_external_cmds, /* command apr_table_t */
- register_hooks /* register hooks */
-};
diff --git a/mod_authnz_external/test/README b/mod_authnz_external/test/README
deleted file mode 100644
index c2eea9e..0000000
--- a/mod_authnz_external/test/README
+++ /dev/null
@@ -1,33 +0,0 @@
-These are dummy external authenticator programs used for testing
-mod_auth_external or mod_authnz_external.
-
-They are mostly Perl scripts, and one PHP script. Before using them, make
-sure that the directives on the first lines of each file:
- #!/usr/bin/perl
- #!/usr/bin/php
-give the correct pathname for the Perl and/or PHP interpretors on your system.
-
-The files are:
-
- test.pipe Dummy user authentication program using pipe method
- test.env Dummy user authentication program using environment method
- testgroup.pipe Dummy group check program using pipe method
- testgroup.env Dummy group check program using environment method
-
- test.pipe.php PHP version of test.pipe
-
-The user authentication programs will accept a login if the user name
-matches the password, and will reject all others.
-
-The group check programs will accept a login if the user name matches the
-group name, and will reject all others.
-
-All programs print lots of stuff to stderr. All this output should get
-logged in Apache's "error_log" file, so do a "tail -f" on that file to
-see what happens when you try an authentication.
-
-(Obviously you wouldn't want to log plain-text passwords in a real
-authentication program).
-
-Author & Maintainer for Perl Versions: Jan Wolter http://www.unixpapa.com
-Author of PHP Version: Claus Andersen
diff --git a/mod_authnz_external/test/test.env b/mod_authnz_external/test/test.env
deleted file mode 100755
index 3ce313d..0000000
--- a/mod_authnz_external/test/test.env
+++ /dev/null
@@ -1,38 +0,0 @@
-#!/usr/bin/perl
-
-# Test authenticator using environment method. Logins will be accepted if
-# the login and the password are identical, and will be rejected otherwise.
-#
-# Generally the environment method is not recommended. Use the pipe method
-# instead.
-#
-# This authenticator does copious logging by writing all sorts of stuff to
-# STDERR. A production authenticator would not normally do this, and it
-# *especially* would not write the plain text password out to the log file.
-
-# Get the name of this program
-$prog= join ' ',$0,@ARGV;
-
-# Get the user name
-$user= $ENV{USER};
-
-# Get the password name
-$pass= $ENV{PASS};
-
-# Dump the environment to the error_log file
-foreach $env (keys(%ENV))
-{
- print STDERR "$prog: $env=$ENV{$env}\n";
-}
-
-# Accept the login if the user name matchs the password
-if ($user eq $pass)
-{
- print STDERR "$prog: login matches password - Accepted\n";
- exit 0;
-}
-else
-{
- print STDERR "$prog: login doesn't match password - Rejected\n";
- exit 1;
-}
diff --git a/mod_authnz_external/test/test.pipe b/mod_authnz_external/test/test.pipe
deleted file mode 100755
index 838a4c0..0000000
--- a/mod_authnz_external/test/test.pipe
+++ /dev/null
@@ -1,40 +0,0 @@ -#!/usr/bin/perl - -# Test authenticator using pipe method. Logins will be accepted if the -# login and the password are identical, and will be rejected otherwise. -# -# This authenticator does copious logging by writing all sorts of stuff to -# STDERR. A production authenticator would not normally do this, and it -# *especially* would not write the plain text password out to the log file. - -# Get the name of this program -$prog= join ' ',$0,@ARGV; - -# Get the user name -$user= ; -chomp $user; - -# Get the password name -$pass= ; -chomp $pass; - -# Print them to the error_log file -print STDERR "$prog: user='$user' pass='$pass'\n"; - -# Dump the environment to the error_log file -foreach $env (keys(%ENV)) -{ - print STDERR "$prog: $env=$ENV{$env}\n"; -} - -# Accept the login if the user name matchs the password -if ($user eq $pass) -{ - print STDERR "$prog: login matches password - Accepted\n"; - exit 0; -} -else -{ - print STDERR "$prog: login doesn't match password - Rejected\n"; - exit 1; -} diff --git a/mod_authnz_external/test/test.pipe.php b/mod_authnz_external/test/test.pipe.php deleted file mode 100755 index 34ad748..0000000 --- a/mod_authnz_external/test/test.pipe.php +++ /dev/null @@ -1,42 +0,0 @@ -#!/usr/bin/php - $v) -{ - fwrite(STDERR, $prog . ': ' . $k . '=' . $v . "\n"); -} - -// Accept the login if the user name matchs the password -if ($user == $pass) -{ - fwrite(STDERR, $prog . ": login matches password - Accepted\n"); - exit(0); -} -else -{ - fwrite(STDERR, $prog . ": login doesn't match password - Rejected\n"); - exit(1); -} - -?> diff --git a/mod_authnz_external/test/testgroup.env b/mod_authnz_external/test/testgroup.env deleted file mode 100755 index e767ff6..0000000 --- a/mod_authnz_external/test/testgroup.env +++ /dev/null 
@@ -1,36 +0,0 @@
-#!/usr/bin/perl
-
-# Test group checker using environment method. Access will be granted if
-# the login and the group name are identical, and will be rejected otherwise.
-#
-# This authenticator does copious logging by writing all sorts of stuff to
-# STDERR. A production authenticator would not normally do this.
-
-# Get the name of this program
-$prog= join ' ',$0,@ARGV;
-
-# Get the user name
-$user= $ENV{USER};
-
-# Get the group names
-$groups= $ENV{GROUP};
-
-# Dump the environment to the error_log file
-foreach $env (keys(%ENV))
-{
- print STDERR "$prog: $env=$ENV{$env}\n";
-}
-
-# Loop through groups
-foreach $group (split ' ', $groups)
-{
- # Accept the login if the user name matchs the group name
- if ($user eq $group)
- {
- print STDERR "$prog: login name matches group name - Accepted\n";
- exit 0;
- }
-}
-
-print STDERR "$prog: login name doesn't match any group name - Rejected\n";
-exit 1;
diff --git a/mod_authnz_external/test/testgroup.pipe b/mod_authnz_external/test/testgroup.pipe
deleted file mode 100755
index 301391c..0000000
--- a/mod_authnz_external/test/testgroup.pipe
+++ /dev/null
@@ -1,42 +0,0 @@
-#!/usr/bin/perl
-
-# Test group checker using pipe method. Logins will be accepted if the
-# login and the group name are identical, and will be rejected otherwise.
-#
-# This authenticator does copious logging by writing all sorts of stuff to
-# STDERR. A production authenticator would not normally do this, and it
-# *especially* would not write the plain text password out to the log file.
-
-# Get the name of this program
-$prog= join ' ',$0,@ARGV;
-
-# Get the user name
-$user= ;
-chomp $user;
-
-# Get the group name
-$groups= ;
-chomp $groups;
-
-# Print them to the error_log file
-print STDERR "$prog: user='$user' groups='$groups'\n";
-
-# Dump the environment to the error_log file
-foreach $env (keys(%ENV))
-{
- print STDERR "$prog: $env=$ENV{$env}\n";
-}
-
-# Loop through groups
-foreach $group (split ' ', $groups)
-{
- # Accept the login if the user name matchs the group name
- if ($user eq $group)
- {
- print STDERR "$prog: login name matches group name - Accepted\n";
- exit 0;
- }
-}
-
-print STDERR "$prog: login name doesn't match any group name - Rejected\n";
-exit 1;
diff --git a/mod_authz_unixgroup/mod_authz_unixgroup.c b/mod_authz_unixgroup.c
similarity index 100%
rename from mod_authz_unixgroup/mod_authz_unixgroup.c
rename to mod_authz_unixgroup.c