Jan Matejek changed bug 881506
What    Removed    Added
CC                 jmatejek@suse.com

Comment # 18 on bug 881506 from
the trouble is that it's not "old syntax" vs "new syntax", but "old module"
(access_compat) vs "new module" (authz_core), and we have both enabled
so every request goes through TWO access control layers, and must pass BOTH in
order to work.
/i don't know if this is true on implementation level, but it is consistent
with observed behavior/

in other words, you can use *either* of the two syntax variants to *disable*
access, but you have to use *both* to reliably *enable* access.

it is possible to write configs that work when both modules are enabled, simply
say this and it will work:
---
Order allow,deny
Allow from all
Require all granted
---


you could also wrap each in a conditional for its module, to handle cases where
one of the access control mechanisms is disabled
---
<IfModule mod_access_compat.c>
  Order allow,deny
  Allow from all
</IfModule>
<IfModule mod_authz_core.c>
  Require all granted
</IfModule>
---
(note that we use the "authz_core is enabled" condition, as opposed to
"access_compat is disabled" which is now broken in gitweb. that's a gitweb bug)


This suggests a way forward; after discussing the issue with Petr, I propose
the following
1. make mod_access_compat unloadable, and unloaded-by-default
2. optional but seems reasonable, make mod_authz_core static
3. let default configuration files use the authz_core (Require *) syntax. we
have this now, no change is required
4. update all packages that drop configs to use the conditionals shown above
5. create mod_access_compat.conf that is included when mod_access_compat is
enabled, that "punches holes" in default authz_core configuration

With authz_core-based config, and access_compat enabled, some things already
work "both ways": if you want to hide a directory that's accessible by default,
you can use either syntax, as long as you're consistent in rules under that
particular directory.

The missing step is enabling access to anything outside /srv/www/htdocs, i.e.,
all the things that are inaccessible by default.

There are around 20 Require directives in the default config, most of which are
"Require all granted". in order to avoid having conditionals in each of those
20 places, we can move the respective "Order allow,deny; Allow from all"
directives into the mod_access_compat.conf file, thus enabling everything for
access_compat that's already allowed for authz_core.
The last step is to put "Order deny,allow; Deny from all" for the root
directory. But this is the part that breaks things: if we do this, we have to
enable both authz_core and access_compat everywhere. So instead, we declare
that mod_access_compat **switches to legacy mode**, and specify "Require all
granted" for root (and the other three places where authz_core restricts
access), giving access control over to access_compat completely. When
configured this way, "Order allow,deny; Allow from all" is sufficient to allow
access, and legacy configuration files work again.

(damn, i should've made this a blog post instead of bugzilla comment)
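The "must pass both layers" behaviour described in this comment is easy to get wrong in a config that mixes the two syntaxes, so here is a small audit script for it. This is an added example written for this discussion, not code from the bug report or from the openSUSE apache2 package. It parses `<Directory>` blocks and their `<IfModule>` guards, evaluates the mod_access_compat layer (`Order`/`Allow`/`Deny`) and the mod_authz_core layer (`Require`) separately against a given set of loaded modules, and reports blocks that enable access through only one syntax (denied when both modules are loaded) or that use a syntax whose module is not loaded (a config error in Apache 2.4). Assumptions: the sample config is constructed, parent-directory inheritance is not modelled, and a layer left unset in a block is treated as inheriting the default deny the comment describes for everything outside /srv/www/htdocs.

```python
"""Audit Apache 2.4 <Directory> blocks for the access_compat / authz_core overlap.
Constructed example for this discussion, not code from the bug report or the
openSUSE apache2 package. Assumption: parent-directory inheritance is not
modelled; a layer left unset in a block is treated as inheriting the default
deny that the comment describes for everything outside /srv/www/htdocs."""
import re

CONTAINER_RE = re.compile(r"^<(/?)(\w+)(?:\s+(.*?))?>$")
COMPAT, AUTHZ = "mod_access_compat.c", "mod_authz_core.c"


def parse(text):
    # Per <Directory>: (line, innermost IfModule condition or None) for each access directive.
    blocks, ifmods, cur = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = CONTAINER_RE.match(line)
        if m:
            closing, kind, arg = m.group(1) == "/", m.group(2), (m.group(3) or "").strip()
            if kind == "IfModule":
                if closing: ifmods.pop()
                else: ifmods.append(arg)
            elif kind == "Directory":
                cur = None if closing else {"name": arg.strip('"'), "compat": [], "authz": []}
                blocks += [cur] if cur else []
        elif cur and line and not line.startswith("#"):
            word, cond = line.split()[0].lower(), (ifmods[-1] if ifmods else None)
            if word in ("order", "allow", "deny"):
                cur["compat"].append((line, cond))
            elif word == "require":
                cur["authz"].append((line, cond))
    return blocks


def _active(directives, loaded):
    # Keep directives whose <IfModule mod.c> or <IfModule !mod.c> guard holds.
    return [line for line, cond in directives
            if cond is None
            or (cond.startswith("!") and cond[1:] not in loaded)
            or (not cond.startswith("!") and cond in loaded)]


def compat_verdict(lines):
    # mod_access_compat layer, host-independent rules only.
    if not lines:
        return "unset"
    order, allow_all, deny_all = "deny,allow", False, False
    for line in lines:
        parts = line.lower().split()
        if parts[0] == "order":
            order = "".join(parts[1:])          # tolerates "Order deny, allow"
        elif parts[0] == "allow" and parts[1:] == ["from", "all"]:
            allow_all = True
        elif parts[0] == "deny" and parts[1:] == ["from", "all"]:
            deny_all = True
    if order == "allow,deny":                   # Deny overrides Allow; default deny
        return "deny" if deny_all or not allow_all else "grant"
    return "grant" if allow_all or not deny_all else "deny"  # Allow overrides Deny


def authz_verdict(lines):
    # mod_authz_core layer; default RequireAny, so one "all granted" satisfies it.
    if not lines:
        return "unset"
    words = [line.lower().split() for line in lines]
    if ["require", "all", "granted"] in words:
        return "grant"
    return "deny" if ["require", "all", "denied"] in words else "other"


def audit(text, loaded):
    # Verdict per <Directory> for a given set of loaded module names.
    result = {}
    for b in parse(text):
        c_lines, a_lines = _active(b["compat"], loaded), _active(b["authz"], loaded)
        if c_lines and COMPAT not in loaded:
            verdict = "error: Order/Allow/Deny without mod_access_compat"
        elif a_lines and AUTHZ not in loaded:
            verdict = "error: Require without mod_authz_core"
        else:
            layers = [compat_verdict(c_lines)] if COMPAT in loaded else []
            layers += [authz_verdict(a_lines)] if AUTHZ in loaded else []
            if "deny" in layers:
                verdict = "denied: a loaded layer denies"
            elif "unset" in layers and "grant" in layers:
                verdict = "denied: one-sided grant, other layer inherits parent deny"
            elif layers and all(v == "grant" for v in layers):
                verdict = "granted"
            else:
                verdict = "undetermined: request-dependent Require or nothing set"
        result[b["name"]] = verdict
    return result


# Constructed sample config, not the openSUSE default.
SAMPLE = """
<Directory "/srv/www/new-only">
  Require all granted
</Directory>
<Directory "/srv/www/old-only">
  Order allow,deny
  Allow from all
</Directory>
<Directory "/srv/www/guarded">
  <IfModule mod_access_compat.c>
    Order allow,deny
    Allow from all
  </IfModule>
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
</Directory>
"""
```

Running `audit(SAMPLE, {COMPAT, AUTHZ})` marks both single-syntax blocks as denied and only the guarded block as granted; with `{AUTHZ}` alone, the block that uses `Order`/`Allow` unconditionally is reported as a config error, which is the case the `<IfModule>` wrappers above are meant to avoid.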