Re: DUNNO state and implicit ACLs from Alex Rousskov on 2012-05-22 (squid-dev)

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Tue, 22 May 2012 11:19:24 -0600

On 05/20/2012 03:24 AM, Amos Jeffries wrote:

> I'm not sure why IDENT is setting currentAnswer() instead of just
> failing the match. That would seem to be a bug. I think it should be
> setting the match to fail, not the line to deny.

"Failing the match" (i.e., returning a regular "there was no match"
answer) is equivalent to deleting the rule from squid.conf for that
fastCheck() execution. The next rule will be tried. Ignoring that
"failing" rule is not necessarily what the admin meant, IMHO:

http_access deny badGuys
http_access allow all

If badGuys is an IDENT ACL and your "just fail the match" logic is
implemented, then the above will allow everybody when IDENT is broken.
Would not that be the wrong outcome from many admins point of view? I
think the bug is in fastCheck(). It should return DUNNO if a rule cannot
determine whether there is a match (for any reason). It should not just
ignore that rule as if there was a mismatch (your proposal) and it
should not return the rule's keyword (current code).

I do not know whether my interpretation matches what Squid documentation
promises (and/or most admins expect) in cases where ACLs fail (i.e.,
they can declare neither a match or mismatch). I could not find this
topic covered in squid.conf.documented. That is one of the reasons I
hesitate fixing this. I do not want to create new semantics if there is
already a consistent rule interpretation semantics.

Note that this is a secondary bug discussed in this thread. The tread
primary focus is fastCheck() incorrect handling of a case where no rules
finished(). That primary bug is even worse because it is not specific to
authentication and failure cases.

In summary, I believe these test cases are broken now:

# broken for some transactions (i.e., when "some" matches)
http_access deny !some

and

# broken if badGuys requires authentication or fails
http_access allow !badGuys

And the following test case will be broken if "just declare a mismatch"
logic is implemented:

# broken if badGuys requires authentication or fails
http_access deny badGuys

Cheers,

Alex.
Received on Tue May 22 2012 - 17:19:48 MDT

This archive was generated by hypermail 2.2.0 : Thu May 31 2012 - 12:00:11 MDT