Bug 43084 - Group line in AuthGroupFile cannot contain more than 8192 characters (including EOL)
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Other Modules
Version: 2.2.4
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Keywords: FixedInTrunk
Reported: 2007-08-10 05:04 UTC by Björn Wiberg
Modified: 2012-02-26 16:46 UTC

Attachments
Example AuthGroupFile (16.00 KB, text/plain)
2007-08-10 05:07 UTC, Björn Wiberg
Example .htaccess file (165 bytes, text/plain)
2007-08-10 05:08 UTC, Björn Wiberg

Description Björn Wiberg 2007-08-10 05:04:02 UTC
Group lines in (mod_authz_groupfile) AuthGroupFiles appear to have a maximum
fixed size of 8192 characters including the group name, colon, whitespace and
end-of-line character(s).

Usernames on such a long group line, appearing past the 8192-byte limit, will
not be let in:

---8<---
[Fri Aug 10 13:09:33 2007] [error] [client 130.238.131.137] Authorization of
user XYZ to access /Pass/index.html failed, reason: user doesn't appear in group
file (/apache/secret/abc/def/.htgroup)., referer: http://www.xyz.uu.se/
--->8---

...even though they are present on the line and hence should be considered a
member of the group.

Attaching example files to test this. The username "test" will not be considered
a member of the group "brokengroup", but will be considered a member of the
group "okgroup".

(Tested on both Linux and AIX.)
Comment 1 Björn Wiberg 2007-08-10 05:07:00 UTC
Created attachment 20636
Example AuthGroupFile

The user "test" will be considered a user of the group "okgroup", but not of
the group "brokengroup", due to line lengths.
Comment 2 Björn Wiberg 2007-08-10 05:08:55 UTC
Created attachment 20637
Example .htaccess file

Adjust the path to the user and group files.
Try adding "okgroup" to the list of allowed groups (and not).
Notice the difference (let in vs not let in).
Comment 3 Tom Donovan 2007-08-19 19:54:40 UTC
True - the line length is limited by the value in include/httpd.h near line 310

  /** The length of a Huge string */
  #define HUGE_STRING_LEN 8192

This line-length limit applies to user files, group files, config files, log
lines, mod_ssl passphrases, and many other things in Apache.  Changing it for
all of them seems disruptive.  A site with a unique requirement could change the
value in httpd.h and re-build Apache.

Should this really be fixed?
Very large group lists may be better handled by DBM or DBD than extra long lines
in a flat file. 
Comment 4 Stefan Fritsch 2011-08-13 09:07:39 UTC
Fixed in trunk in r1157354
Comment 5 Stefan Fritsch 2012-02-26 16:46:18 UTC
fixed in 2.4.1
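
An added example, not part of the bug thread or of httpd's code: a Python audit that flags AuthGroupFile lines longer than the HUGE_STRING_LEN value quoted in comment 3 and lists the members that sit past the limit, which on an affected build are the users denied with "user doesn't appear in group file". The function names, the constructed sample data and the exact byte boundary (one byte assumed for the string terminator) are assumptions of this sketch.

```python
import re
import sys

HUGE_STRING_LEN = 8192  # value quoted from include/httpd.h in comment 3


def audit_group_file(data, limit=HUGE_STRING_LEN):
    """Return [(line_no, group, line_len, unseen_members)] for over-long lines.

    line_len includes the EOL byte(s), as in the report. Assumption of this
    sketch: one byte of the buffer holds the string terminator, so a member
    counts as unseen unless it lies wholly within the first limit-1 bytes.
    """
    findings = []
    for line_no, raw in enumerate(data.splitlines(keepends=True), start=1):
        body = raw.rstrip(b"\r\n")
        if len(raw) <= limit or body.lstrip().startswith(b"#") or b":" not in body:
            continue  # short line, comment, or not a "group: members" line
        group, _, members = body.partition(b":")
        start = len(group) + 1  # offset of the member list within the line
        unseen = [m.group().decode(errors="replace")
                  for m in re.finditer(rb"\S+", members)
                  if start + m.end() > limit - 1]
        findings.append((line_no, group.strip().decode(errors="replace"),
                         len(raw), unseen))
    return findings


def constructed_sample():
    """Constructed input shaped like the report: 'test' sits early in okgroup
    and at the very end of the over-long brokengroup line."""
    filler = b" ".join(b"user%04d" % i for i in range(1000))  # 8999 bytes
    return (b"# constructed sample, not the attachment from the bug\n"
            b"okgroup: test " + filler[:800] + b"\n"
            b"brokengroup: " + filler + b" test\n")


if __name__ == "__main__":
    # Audit the file given on the command line, or the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    for line_no, group, length, unseen in audit_group_file(data):
        print(f"line {line_no}: group {group!r} is {length} bytes "
              f"(limit {HUGE_STRING_LEN}); {len(unseen)} member(s) past the "
              f"limit, first few: {unseen[:3]}")
```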