Bug 55523 - auth_groupfile error log on access even though successful
Summary: auth_groupfile error log on access even though successful
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_authz_groupfile (show other bugs)
Version: 2.4.6
Hardware: PC All
: P2 trivial (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk
Depends on:
Blocks:
 
Reported: 2013-09-04 16:04 UTC by Brian Gleason
Modified: 2017-05-25 12:29 UTC (History)
0 users



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Brian Gleason 2013-09-04 16:04:06 UTC
When I have Nested Require values in an htaccess, it present what I would consider unconventional logging in the error log.

.htgroups file
administrators: admin
users: user1 user2 user3

For ex.
<RequireAll>
  <RequireAny>
    Require group users
    Require group administrators
  </RequireAny>
  <RequireAny>
    Require host Machine1.domain.net
    Require host Machine2.domain.net
    Require host Machine3.domain.net
    Require host Machine4.domain.net
    Require host Machine5.domain.net
    Require host Machine6.domain.net
  </RequireAny>
</RequireAll>

if I attempt to log into the virtualhost site from a valid system based on the "require host" even though I am able to access the site, it presents this in the error log.

[Wed Sep 04 10:39:33.159477 2013] [authz_groupfile:error] [pid 1740:tid 928] [client 172.20.103.47:60413] AH01667: Authorization of user admin to access / failed, reason: user is not part of the 'require'ed group(s).
[Wed Sep 04 10:39:33.315732 2013] [authz_groupfile:error] [pid 1740:tid 928] [client 172.20.103.47:60413] AH01667: Authorization of user admin to access /index.php/Main_Page failed, reason: user is not part of the 'require'ed group(s).
[Wed Sep 04 10:39:33.315732 2013] [authz_groupfile:error] [pid 1740:tid 928] [client 172.20.103.47:60413] AH01667: Authorization of user admin to access /Main_Page failed, reason: user is not part of the 'require'ed group(s).
[Wed Sep 04 10:39:33.596991 2013] [authz_groupfile:error] [pid 1740:tid 928] [client 172.20.103.47:60413] AH01667: Authorization of user admin to access /load.php failed, reason: user is not part of the 'require'ed group(s)., referer: http://Wikisite/index.php/Main_Page
[Wed Sep 04 10:39:33.753246 2013] [authz_groupfile:error] [pid 1740:tid 932] [client 172.20.103.47:60414] AH01667: Authorization of user admin to access /load.php failed, reason: user is not part of the 'require'ed group(s)., referer: http://Wikisite/index.php/Main_Page
[Wed Sep 04 10:39:34.393892 2013] [authz_groupfile:error] [pid 1740:tid 932] [client 172.20.103.47:60414] AH01667: Authorization of user admin to access /favicon.ico failed, reason: user is not part of the 'require'ed group(s).

Some would say, yeah duh, he is not a member of the "users" group so it is erroring based on that, but he is a member of the administrators group making it successful, but what I am considering the error/bug is that it is showing that as an error even though the authentication end result was SUCCESS.

Not sure if that would need to be flipped to debugging functionality where authz_user, authz_host, authz_groupfile, etc. only log errors when the end result is a failure and if the end result is success, log individual require failures only when error logging is in debug mode...

Hope my quandary makes since.

Thanks...
Comment 2 Brian Gleason 2013-09-04 16:33:50 UTC
After reviewing that linked bug, it sounds spot on. Since my server is running on win32 I can't readily make a change and recompile, but the description/explanation matches..

Thanks...
Comment 3 Eric Covener 2013-09-04 17:59:03 UTC
Thanks, I have proposed it for backport into the next stable 2.4.x
Comment 4 Schultz IT Solutions 2015-01-23 10:47:23 UTC
Hello,
We are running Apache 2.4.10 on a windows environment. 
And we are still getting (lots of) these messages in APACHE error log (although the user actually CAN AND DOES access all the named files). So to me it looks like this bug is not solved in APACHE 2.4.10-windows

Is there any chance of getting this fixed (as this really fills up our error logs)?

Regards
Ruediger Schultz
Schultz IT Solutions
Comment 5 Eric Covener 2015-01-23 12:18:07 UTC
It looks to me like I missed the problematic error message and fixed two others. Will be post-2.4.12.
Comment 6 Christophe JAILLET 2017-05-25 12:29:30 UTC
Additional fixe from Eric is in r1654184 in trunk and r1661749 in 2.4.x.

This is part of 2.4.13.