Priority: Normal
Current State: No Action Required
Released In: n/a
Target Release: n/a
After Filippo's message to the discuss list, I realised why I was sometimes sharing the same problem, which looks like a bug in the ApacheConfigGenerator page.
1. How to reproduce:
Try these simple configuration settings, with only a required user "adminuser" for protecting the configure script (no IP address), and clicking "OR" instead of "AND" in the section "Protect the bin/configure command":
http://foswiki.org/Support/ApacheConfigGenerator?foswikiversion=1.1&vhost=&port=&dir=%2Fvar%2Fwww%2Ffoswiki&pathurl=%2Ffoswiki&shorterurls=enabled&engine=CGI&fastcgimodule=fastcgi&apver=2&allowconf=&reqandor=or&requireconf=adminuser&loginmanager=Template&htpath=&errordocument=UserRegistration&errorcustom=&phpinstalled=PHP4#HighLight
The FilesMatch block looks like this:
<FilesMatch "^(configure)$">
SetHandler cgi-script
Require user adminuser
Satisfy Any
ErrorDocument 401 default
</FilesMatch>
With these settings and Apache 2, the configure script is accessible by anybody.
I experimented with commenting out "Satisfy Any", and noticed that it is enough, in my case, to enforce the required user authentication. There is no other "Any" condition to satisfy defined in the block. The parent block, though, has:
Order Allow,Deny
Allow from all
Deny from env=blockAccess
so I guess that's why the authentication is not performed, since "Allow from all" is there and "Satisfy Any" is permitted.
2. Problems in ApacheConfigGenerator
The source code of the generator contains this:
<FilesMatch "^(configure)$">
SetHandler cgi-script%IF{ "$ALLOWCONF != ''" then="
Order Deny,Allow
Deny from all
Allow from %URLPARAM{allowconf}%"}%
%IF{ "$REQUIRECONF != ''" then="Require user %URLPARAM{requireconf}%"}%
Satisfy %IF{ "$REQANDOR='and'" then="All" else="Any" }%
ErrorDocument 401 default
</FilesMatch>
A "Satisfy All" would also restrict access. The "Satisfy All" is there if you leave the selection at "AND" in ApacheConfigGenerator#Protect_the_bin_configure_comman instead of using "OR".
When users click "OR" (instead of "AND", which is normally selected by default) when they generate the Apache configuration with only one requirement (user) for protecting the configure script, they get "Satisfy Any" instead of "Satisfy All".
In either case, it does not make much sense to specify "AND" or "OR" if you only have one condition (either user or IP address). So that's a strange way to write the Apache directives, IMHO.
3. Suggested corrections
The code should probably be corrected:
- to include "Order Deny,Allow" and "Deny from all" all the time, unless $ALLOWCONF and $REQUIRECONF are both empty (in which case the FilesMatch block is useless anyway),
- and the "Satisfy" line used only if $ALLOWCONF and $REQUIRECONF are both non-empty.
Also, earlier versions of the generator provided, in the generated comments, a link to http://foswiki.org/Support/ProtectingYourConfiguration, which contains useful information and which is not there anymore. I suggest putting it back.
Finally, in the HTML interface the "OR"/"AND" radio buttons make sense only if there are values in both fields.
--
RaulFRodriguez - 24 Jan 2011
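Added example for this task (not code from the task, from ApacheConfigGenerator or from httpd): a simplified Python model of how httpd 2.2 combines Order/Allow/Deny, Require user and Satisfy, run over the generated block above in its "OR" and "AND" forms and over the forms the corrections would produce. The client addresses (198.51.100.7, 192.0.2.10) and the env-var client are constructed, and the semantics are reduced to what the report needs (see the docstring). It goes one step beyond the report: it also evaluates a user-only block that emits "Deny from all" without any Satisfy line, which under the default Satisfy All answers 403 to adminuser as well, so a generator that always emits Deny from all must still emit a Satisfy that fits the number of conditions.

```python
"""Simplified model of the httpd 2.2 access decision for a <FilesMatch> block.

Added example, not code from ApacheConfigGenerator or httpd. It applies, in
the order httpd 2.2 does:
  1. mod_authz_host  : Order / Allow from / Deny from   (host check)
  2. Require user    : user check
  3. Satisfy All|Any : how 1 and 2 combine (All is the default)
Assumptions: only "from all", "from env=NAME" and an exact "from <ip>" are
understood; a block that sets any Order/Allow/Deny replaces the parent's host
rules entirely; AuthType/AuthUserFile and httpd 2.4 syntax are out of scope.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Client:
    ip: str
    user: Optional[str] = None              # None: not authenticated
    env: set = field(default_factory=set)   # e.g. {"blockAccess"}


@dataclass
class Rules:
    order: Optional[str] = None             # "deny,allow" | "allow,deny"
    allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)
    require_users: list = field(default_factory=list)
    satisfy: Optional[str] = None           # "all" | "any" | None (= All)

    def sets_host_rules(self) -> bool:
        return bool(self.order or self.allow or self.deny)


def parse(config: str) -> Rules:
    """Pick out the access-control directives from a config fragment."""
    r = Rules()
    for raw in config.splitlines():
        m = re.match(r"\s*(\w+)\s+(.*\S)", raw)
        if not m:
            continue
        d, args = m.group(1).lower(), m.group(2)
        if d == "order":
            r.order = args.lower().replace(" ", "")
        elif d in ("allow", "deny") and args.lower().startswith("from "):
            getattr(r, d).extend(args.split()[1:])
        elif d == "require" and args.lower().startswith("user "):
            r.require_users.extend(args.split()[1:])
        elif d == "satisfy":
            r.satisfy = args.lower()
    return r


def _matches(pattern: str, c: Client) -> bool:
    if pattern == "all":
        return True
    if pattern.startswith("env="):
        return pattern[4:] in c.env
    return c.ip == pattern


def host_allowed(r: Rules, c: Client) -> bool:
    """mod_authz_host: Order fixes the default state and who wins on a tie."""
    allowed = any(_matches(p, c) for p in r.allow)
    denied = any(_matches(p, c) for p in r.deny)
    if r.order == "allow,deny":
        return allowed and not denied      # default deny, Deny wins
    return allowed or not denied           # Deny,Allow (the default): default allow


def decide(parent: Rules, block: Rules, c: Client) -> str:
    """Return 'granted', '403' (failed host check) or '401' (failed user check)."""
    host = block if block.sets_host_rules() else parent
    users = block.require_users or parent.require_users
    satisfy = block.satisfy or parent.satisfy or "all"
    host_ok = host_allowed(host, c)
    user_ok = c.user is not None and c.user in users
    if satisfy == "any":
        if host_ok:
            return "granted"               # authentication is never consulted
        if not users:
            return "403"
        return "granted" if user_ok else "401"
    if not host_ok:
        return "403"
    return "granted" if (not users or user_ok) else "401"


# Constructed fragments: the parent context quoted in the task, and several
# bodies for <FilesMatch "^(configure)$"> (SetHandler/ErrorDocument omitted).
PARENT = "Order Allow,Deny\nAllow from all\nDeny from env=blockAccess"
BLOCKS = {
    "generated_or": "Require user adminuser\nSatisfy Any",
    "generated_and": "Require user adminuser\nSatisfy All",
    "user_only_no_satisfy": "Require user adminuser",      # inherits Allow from all
    "deny_all_no_satisfy": "Order Deny,Allow\nDeny from all\nRequire user adminuser",
    "ip_and_user": "Order Deny,Allow\nDeny from all\nAllow from 192.0.2.10\n"
                   "Require user adminuser\nSatisfy All",
}
ANON = Client(ip="198.51.100.7")
ADMIN = Client(ip="198.51.100.7", user="adminuser")
ADMIN_FROM_OFFICE = Client(ip="192.0.2.10", user="adminuser")


def evaluate(block: str, client: Client) -> str:
    return decide(parse(PARENT), parse(block), client)


if __name__ == "__main__":
    for name, body in BLOCKS.items():
        print(f"{name:22s} anonymous={evaluate(body, ANON):8s} adminuser={evaluate(body, ADMIN)}")
```

Running it shows the report's finding directly: "generated_or" grants the anonymous client because the inherited "Allow from all" satisfies the host check and Satisfy Any stops there, while "generated_and" and the user-only block without any Satisfy line both answer 401 to anonymous and grant adminuser. The "deny_all_no_satisfy" case is the caveat for a generator fix: with Deny from all in the block and the default Satisfy All, even adminuser gets 403.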
Setting to No Action. Foswiki 2.0 doesn't need to protect configure. It's handled by core. Also, ACG is a wiki topic. No need for tasks. Just edit directly.
--
GeorgeClark - 12 Jul 2015