Foswiki > Tasks Web > Item10280 (12 Jul 2015, GeorgeClark)

Item10280: ApacheConfigGenerator does not enforce the Require user protection for the bin/configure command

Priority: Normal
Current State: No Action Required
Released In: n/a
Target Release: n/a
Applies To: Web Site
Component: ApacheConfigGenerator
Branches:
Reported By: RaulFRodriguez
Waiting For:
Last Change By: GeorgeClark
After Filippo's message to the discuss list, I realised why I was sometimes sharing the same problem, which looks like a bug in the ApacheConfigGenerator page.

1. How to reproduce:

Try these simple configuration settings, with only a required user "adminuser" for protecting the configure script (no IP address), and clicking "OR" instead of "AND" in the section "Protect the bin/configure command": http://foswiki.org/Support/ApacheConfigGenerator?foswikiversion=1.1&vhost=&port=&dir=%2Fvar%2Fwww%2Ffoswiki&pathurl=%2Ffoswiki&shorterurls=enabled&engine=CGI&fastcgimodule=fastcgi&apver=2&allowconf=&reqandor=or&requireconf=adminuser&loginmanager=Template&htpath=&errordocument=UserRegistration&errorcustom=&phpinstalled=PHP4#HighLight

The FilesMatch block looks like this:

    <FilesMatch "^(configure)$">
        SetHandler cgi-script
        Require user adminuser
        Satisfy Any
        ErrorDocument 401 default
    </FilesMatch>

With these settings and Apache 2, the configure script is accessible by anybody.

I experimented with commenting out "Satisfy Any", and noticed that it is enough, in my case, to enforce the required user authentication. There is no other "Any" condition to satisfy as defined in the block. The parent block though has:

    Order Allow,Deny
    Allow from all
    Deny from env=blockAccess

so I guess that's why the authentication is not performed, since "Allow from all" is there, and "Satisfy Any" is permitted.

2. Problems in ApacheConfigGenerator

The source code of the generator contains this:

    <FilesMatch "^(configure)$">
        SetHandler cgi-script%IF{ "$ALLOWCONF != ''" then="
        Order Deny,Allow
        Deny from all 
        Allow from %URLPARAM{allowconf}%"}%
        %IF{ "$REQUIRECONF != ''" then="Require user %URLPARAM{requireconf}%"}%
        Satisfy %IF{ "$REQANDOR='and'" then="All" else="Any" }%
        ErrorDocument 401 default
    </FilesMatch>

A "Satisfy All" would also restrict access. The "Satisfy All" is there if you leave the selection at "AND" (ApacheConfigGenerator#Protect_the_bin_configure_comman) instead of using "OR".

When users click "OR" (instead of "AND", which is normally selected by default) when they generate the Apache configuration with only one requirement (user) for protecting the configure script, they get "Satisfy Any", instead of "Satisfy All".

In either case, it does not make much sense to specify "AND" or "OR" if you only have one condition (either user, or IP address). So that's a strange way to write the Apache directives, IMHO.

3. Suggested corrections

The code should probably be corrected:

  • to include "Order Deny,Allow" and "Deny from all" all the time, unless $ALLOWCONF and $REQUIRECONF are both empty (in which case, the FilesMatch block is useless anyway),

  • and the "Satisfy" line used only if $ALLOWCONF and $REQUIRECONF are both non-empty.

Also, in earlier versions of the generator, the generator was providing, in the generated comments, a link to http://foswiki.org/Support/ProtectingYourConfiguration, which contains useful information, and which is not there anymore. I suggest putting it back.

Finally, in the HTML interface the "OR" "AND" radio buttons make sense only if there are values in both the fields.

-- RaulFRodriguez - 24 Jan 2011
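To make the behaviour reported above concrete, here is an added example (not code from the task or from ApacheConfigGenerator) that models how Apache 2.2 combines Order/Allow/Deny, "Require user" and "Satisfy" for the bin/configure FilesMatch block, and checks the "OR" output against the "Satisfy"-less block and an IP-or-user block. It assumes the 2.2 mod_authz_host rule that a section with no Order/Allow/Deny of its own inherits the enclosing section's host rules wholesale; the IP addresses are constructed sample values.

```python
# Model of Apache 2.2 access control for the bin/configure <FilesMatch> block.
# Assumption (2.2 mod_authz_host): a section without its own Order/Allow/Deny
# inherits the enclosing section's host rules as a whole; Satisfy defaults to All.
# The IP addresses used below are constructed sample values.
from dataclasses import dataclass, field

@dataclass
class Section:
    order: str = ""                            # "allow,deny", "deny,allow" or ""
    allow: set = field(default_factory=set)    # Allow from: {"all", "10.0.0.5", ...}
    deny: set = field(default_factory=set)     # Deny from
    require_users: set = field(default_factory=set)  # Require user ...
    satisfy: str = ""                          # "all", "any" or "" (inherit)

def effective(parent: Section, child: Section) -> Section:
    """Merge as Apache does: host rules inherited whole, Satisfy defaults to All."""
    host = child if (child.order or child.allow or child.deny) else parent
    return Section(host.order, host.allow, host.deny,
                   child.require_users or parent.require_users,
                   child.satisfy or parent.satisfy or "all")

def host_ok(s: Section, ip: str) -> bool:
    allowed = "all" in s.allow or ip in s.allow
    denied = "all" in s.deny or ip in s.deny
    if s.order == "allow,deny":   # deny by default: must match Allow and not Deny
        return allowed and not denied
    if s.order == "deny,allow":   # allow by default: Deny unless also Allowed
        return allowed or not denied
    return True                   # no host restriction configured

def access_granted(parent: Section, child: Section, ip: str, user=None) -> bool:
    s = effective(parent, child)
    h = host_ok(s, ip)
    if not s.require_users:       # no Require: only the host check applies
        return h
    a = user in s.require_users
    return (h or a) if s.satisfy == "any" else (h and a)

# Enclosing section from the generated config ("Deny from env=blockAccess" omitted).
PARENT = Section(order="allow,deny", allow={"all"})
BUGGY = Section(require_users={"adminuser"}, satisfy="any")   # what "OR" emits
FIXED = Section(require_users={"adminuser"})                  # Satisfy line removed
IP_OR_USER = Section(order="deny,allow", allow={"10.0.0.5"}, deny={"all"},
                     require_users={"adminuser"}, satisfy="any")

if __name__ == "__main__":
    for name, blk in [("buggy", BUGGY), ("fixed", FIXED), ("ip_or_user", IP_OR_USER)]:
        print(name, "anonymous:", access_granted(PARENT, blk, "198.51.100.7"),
              "adminuser:", access_granted(PARENT, blk, "198.51.100.7", "adminuser"))
```

Running it shows the "OR" block granting anonymous access (the inherited "Allow from all" alone satisfies "Any"), while the block without "Satisfy" requires the user and the IP-or-user block admits either the listed address or the authenticated user.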

Setting to No Action. Foswiki 2.0 doesn't need to protect configure. It's handled by core. Also, ACG is a wiki topic. No need for tasks. Just edit directly.

-- GeorgeClark - 12 Jul 2015
Topic revision: r3 - 12 Jul 2015, GeorgeClark