Mailing List Archive

Order Mutual-failure
I've never been able to figure this out either. What the heck is
"Order Mutual-failure" supposed to do?


From: lbayuk@mindspring.com (ljb)
Newsgroups: comp.infosystems.www.servers.unix
Subject: Apache "Order Allow,Deny" vs "Order Mutual-failure"?
Date: 26 Sep 2000 01:15:32 GMT
Organization: MindSpring Enterprises
Lines: 26
Message-ID: <8qotbk$7i2$1@slb2.atl.mindspring.net>
NNTP-Posting-Host: 04.36.29.10
X-no-archive: yes
User-Agent: slrn/0.9.5.4 (UNIX)


After reading the Apache documentation (and the O'Reilly book, and another
book on security) I was still really confused about the 3 choices for
"Order" in Allow/Deny access rules. So I looked at the source, and now it
seems to me the documentation is wrong, and "Order Allow,Deny" is exactly
the same as "Order Mutual-failure". Look at this summary of the code in
mod_access.c (Apache 1.3.12) check_dir_access(), and tell me if I'm wrong.

    if (a->order[method] == ALLOW_THEN_DENY) {
        ret = FORBIDDEN;
        if (find_allowdeny(r, a->allows, method)) ret = OK;
        if (find_allowdeny(r, a->denys, method)) ret = FORBIDDEN;
    }
    ...
    else /* (a->order[method] == MUTUAL_FAILURE) */ {
        if (find_allowdeny(r, a->allows, method)
            && !find_allowdeny(r, a->denys, method))
            ret = OK;
        else
            ret = FORBIDDEN;
    }

To me, both cases above (ALLOW_THEN_DENY and MUTUAL_FAILURE) result
in the exact same value of "ret" for any set of returns from
find_allowdeny(). Am I wrong? Can someone show me a case where
"Order Allow,Deny" differs from "Order Mutual-failure"?
Re: Order Mutual-failure
Joshua Slive <slive@finance.commerce.ubc.ca> wrote:
>
>I've never been able to figure this out either. What the heck is
>"Order Mutual-failure" supposed to do?

Dunno. It's really old code, though, so the CVS archive isn't much help.

Tony.
--
en oeccget g mtcaa f.a.n.finch
v spdlkishrhtewe y dot@dotat.at
eatp o v eiti i d. fanf@covalent.net
Re: Order Mutual-failure
On Wed, 27 Sep 2000, Tony Finch wrote:

> Joshua Slive <slive@finance.commerce.ubc.ca> wrote:
> >
> >I've never been able to figure this out either. What the heck is
> >"Order Mutual-failure" supposed to do?
>
> Dunno. It's really old code, though, so the CVS archive isn't much help.
>

Well, I'm tempted to nuke it from the documentation, at least.
It confuses me, and obviously other people too.

--
Joshua Slive
slive@finance.commerce.ubc.ca
http://finance.commerce.ubc.ca/~slive/
Phone: (604) 822-1871
Re: Order Mutual-failure
Joshua Slive <slive@finance.commerce.ubc.ca> wrote:
>
>Well, I'm tempted to nuke it from the documentation, at least.
>It confuses me, and obviously other people too.

I agree, mutual-failure is bogus.

Tony.
--
en oeccget g mtcaa f.a.n.finch
v spdlkishrhtewe y dot@dotat.at
eatp o v eiti i d. fanf@covalent.net
Re: Order Mutual-failure
Joshua Slive wrote:
>
> I've never been able to figure this out either. What the heck is
> "Order Mutual-failure" supposed to do?

As far as I've been able to tell, mutual-failure means that a host, in
order to be allowed, must BOTH appear on the allow list, and not appear
on the deny list. Which seems pretty stupid, now that I've written it
out, because that's pretty much what you'd get if you did an Order
Allow,Deny

Seems to me there was a good use I had for this at one point. I'll have
to go back through my notes.

Hmm.

Rich
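Added example (not part of any post in this thread, and not Apache's own code): the comparison asked for in the forwarded newsgroup post, and the reading given in the reply above, checked over every combination of allow-list and deny-list match. The names check_access and count_differences are hypothetical, the two flags stand in for the find_allowdeny() results, and the Deny,Allow branch is not quoted on this page; it is modelled here as an assumption (default allow, deny applied first, allow overriding) only to show that the check can tell two orders apart.

```c
#include <stdio.h>

enum { OK = 0, FORBIDDEN = 403 };  /* stand-ins for Apache's status values */
enum order { ALLOW_THEN_DENY, DENY_THEN_ALLOW, MUTUAL_FAILURE };

/* allow_hit and deny_hit stand in for the two find_allowdeny() results. */
static int check_access(enum order o, int allow_hit, int deny_hit)
{
    int ret = OK;
    if (o == ALLOW_THEN_DENY) {            /* branch quoted in the post */
        ret = FORBIDDEN;
        if (allow_hit) ret = OK;
        if (deny_hit) ret = FORBIDDEN;
    } else if (o == DENY_THEN_ALLOW) {     /* assumption: not on the page */
        if (deny_hit) ret = FORBIDDEN;
        if (allow_hit) ret = OK;
    } else {                               /* MUTUAL_FAILURE, as quoted */
        if (allow_hit && !deny_hit) ret = OK;
        else ret = FORBIDDEN;
    }
    return ret;
}

/* Number of (allow, deny) combinations on which two orders disagree. */
static int count_differences(enum order a, enum order b)
{
    int n = 0;
    for (int allow = 0; allow <= 1; allow++)
        for (int deny = 0; deny <= 1; deny++)
            if (check_access(a, allow, deny) != check_access(b, allow, deny))
                n++;
    return n;
}

int main(void)
{
    puts("allow deny | Allow,Deny Deny,Allow Mutual-failure");
    for (int allow = 0; allow <= 1; allow++)
        for (int deny = 0; deny <= 1; deny++)
            printf("%5d %4d | %10d %10d %14d\n", allow, deny,
                   check_access(ALLOW_THEN_DENY, allow, deny),
                   check_access(DENY_THEN_ALLOW, allow, deny),
                   check_access(MUTUAL_FAILURE, allow, deny));
    printf("Allow,Deny vs Mutual-failure: %d differing case(s)\n",
           count_differences(ALLOW_THEN_DENY, MUTUAL_FAILURE));
    return 0;
}
```

The table only covers the decision logic as summarised in the post; it treats each list lookup as a plain yes/no and says nothing about how find_allowdeny() itself matches hosts.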
Re: Order Mutual-failure
On Thu, 28 Sep 2000, Rich Bowen wrote:

> Joshua Slive wrote:
> >
> > I've never been able to figure this out either. What the heck is
> > "Order Mutual-failure" supposed to do?
>
> Seems to me there was a good use I had for this at one point. I'll have
> to go back through my notes.
>

Well, if you figure out anything, please let me know. Otherwise, my hand
is itching towards the delete key as we speak.

Joshua.
Re: Order Mutual-failure
Joshua Slive wrote:
>
> Well, if you figure out anything, please let me know. Otherwise,
> my hand is itching towards the delete key as we speak.

Um, no deleting of documentation for existing features.

Mark it as deprecated or confusing, but don't delete it.

Actually, I had the impression that wildcards were treated
differently for Mutual-Failure, but I can't support it now.
--
#ken P-)}

Ken Coar <http://Golux.Com/coar/>
Apache Software Foundation <http://www.apache.org/>
"Apache Server for Dummies" <http://Apache-Server.Com/>
"Apache Server Unleashed" <http://ApacheUnleashed.Com/>
Re: Order Mutual-failure
Please do not delete documentation for existing directives. Instead,
annotate the existing documentation with a note that the documentor does
not understand what and/or how the directives work. Hopefully, someone
will read the note and correct the situation with better documentation
(and maybe code).

Hidden features are a bad idea.


Raymond S Brand


Joshua Slive wrote:
>
> On Thu, 28 Sep 2000, Rich Bowen wrote:
>
> > Joshua Slive wrote:
> > >
> > > I've never been able to figure this out either. What the heck is
> > > "Order Mutual-failure" supposed to do?
> >
> > Seems to me there was a good use I had for this at one point. I'll have
> > to go back through my notes.
> >
>
> Well, if you figure out anything, please let me know. Otherwise, my hand
> is itching towards the delete key as we speak.
>
> Joshua.
Re: Order Mutual-failure
On Thu, 28 Sep 2000, Raymond S Brand wrote:

> Please do not delete documentation for existing directives. Instead,
> annotate the existing documentation with a note that the documentor does
> not understand what and/or how the directives work. Hopefully, someone
> will read the note and correct the situation with better documentation
> (and maybe code).
>
> Hidden features are a bad idea.

Okay. I see your (and Ken's) point. I promise not to go
delete all the documentation I don't understand. (That might lead to a
considerably smaller set of docs!)

Joshua.
Re: Order Mutual-failure
unsubscribe
----- Original Message -----
From: "Joshua Slive" <slive@finance.commerce.ubc.ca>
To: <apache-docs@apache.org>
Sent: Thursday, September 28, 2000 9:15 PM
Subject: Re: Order Mutual-failure


> On Thu, 28 Sep 2000, Raymond S Brand wrote:
>
> > Please do not delete documentation for existing directives. Instead,
> > annotate the existing documentation with a note that the documentor does
> > not understand what and/or how the directives work. Hopefully, someone
> > will read the note and correct the situation with better documentation
> > (and maybe code).
> >
> > Hidden features are a bad idea.
>
> Okay. I see your (and Ken's) point. I promise not to go
> delete all the documentation I don't understand. (That might lead to a
> considerably smaller set of docs!)
>
> Joshua.
>
>