Report forwarded to debian-bugs-dist@lists.debian.org, Marcin Owsiany <porridge@debian.org>: Bug#323789; Package libapache-mod-auth-shadow.
Acknowledgement sent to SICS Server Support <sics-support@syrex.co.za>:
New Bug report received and forwarded. Copy sent to Marcin Owsiany <porridge@debian.org>.
From: SICS Server Support <sics-support@syrex.co.za>
To: submit@bugs.debian.org
Subject: [Ticket: 1020752] Bug in mod_auth_shadow (mod-auth-shadow) pack [...]
Date: Thu, 18 Aug 2005 13:55:08 +0200
Package: libapache-mod-auth-shadow
Version: 1.4-1
Maintainer: Marcin Owsiany <porridge at debian.org>
I experience problems with the mod-auth-shadow Apache2 module when used in conjunction
with FrontPage extensions on the same server. The problem appears to be that mod-auth-shadow
automatically turns itself on (although 'AuthShadow on' isn't present) when one uses the
'require group' directive.
Unfortunately no patch at the SourceForge site, just a confirmation of the bug:
[----- from SourceForge Patch Archives -----]
AuthShadow off fallback mod_auth fix
To fix the incorrect authorization result when used together with mod_auth. If "AuthShadow off"
is specified, it should fall back to "mod_auth" (if enabled). But before patching it will always
fail if "require group" is specified in .htaccess.
The following .htaccess can demonstrate the abnormal behaviour:
AuthShadow off
AuthType Basic
AuthName "My Test"
AuthUserFile /home/alan/myuserfile
AuthGroupFile /home/alan/mygroupfile
require group mygroup
[----- from SourceForge Patch Archives -----]
Regards
David Herselman -=*> Syrex Intranets <*=-
27 7th Avenue, Parktown North, 2193    http://www.syrex.co.za
Voice: +27-(0)86-11-SYREX    Fax: +27-(0)86-12-SYREX
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#323789; Package libapache-mod-auth-shadow.
Acknowledgement sent to Marcin Owsiany <porridge@debian.org>:
Extra info received and forwarded to list.
tags 323789 + upstream
tags 323789 + help
thanks
On Thu, Aug 18, 2005 at 01:55:08PM +0200, SICS Server Support wrote:
> I experience problems with the mod-auth-shadow Apache2 module when used in conjunction
> with FrontPage extensions on the same server. The problem appears to be that mod-auth-shadow
> automatically turns itself on (although 'AuthShadow on' isn't present) when one uses the
> 'require group' directive.
Thanks for the report. Unfortunately I have never used frontpage
extensions, so I could use some more help.
> Unfortunately no patch at the SourceForge site, just a confirmation of the bug:
>
> [----- from SourceForge Patch Archives -----]
> AuthShadow off fallback mod_auth fix
> To fix the incorrect authorization result when used together with mod_auth. If "AuthShadow off"
> is specified, it should fall back to "mod_auth" (if enabled). But before patching it will always
> fail if "require group" is specified in .htaccess.
>
>
> The following .htaccess can demonstrate the abnormal behaviour:
>
> AuthShadow off
> AuthType Basic
> AuthName "My Test"
> AuthUserFile /home/alan/myuserfile
> AuthGroupFile /home/alan/mygroupfile
> require group mygroup
> [----- from SourceForge Patch Archives -----]
I need some clarification. Is adding "AuthShadow off" sufficient to make
it work like it should? Or is that command included just to show that
even explicitly disabling authshadow doesn't help?
Marcin
--
Marcin Owsiany <porridge@debian.org> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
Tags added: upstream
Request was from Marcin Owsiany <porridge@debian.org>
to control@bugs.debian.org.
Tags added: help
Request was from Marcin Owsiany <porridge@debian.org>
to control@bugs.debian.org.
Tags added: upstream
Request was from SICS Server Support <sics-support@syrex.co.za>
to control@bugs.debian.org.
Tags added: help
Request was from SICS Server Support <sics-support@syrex.co.za>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#323789; Package libapache-mod-auth-shadow.
Acknowledgement sent to Marcin Owsiany <porridge@debian.org>:
Extra info received and forwarded to list.
# important, since there seems to be no workaround, and it is not
# frontpage-specific as I thought initially
severity 323789 important
# I can now reproduce this; leaving help though, since I'm no apache
# guru :)
tags 323789 + confirmed
retitle 323789 Turns itself on when require group is used
thanks
Hi!
Sorry for the late reply.
On Wed, Aug 24, 2005 at 09:21:04AM +0200, SICS Server Support wrote:
> tags 323789 + upstream
> tags 323789 + help
No need to keep those lines, they are just one-time commands for the
Debian BTS control bot :)
Also, when replying, please keep 323789@bugs.debian.org in CC, rather
than control@bugs.debian.org. The latter is for bug metadata
manipulation.
> Were you able to replicate the problem with mod-auth-shadow automatically
> turning itself on when using a 'require group' directive in a 'plain'
> .htaccess file using users and groups?
Yes, now I can reproduce the problem. I'll work with the upstream
maintainer and/or try to debug this myself.
> I hope my last mail didn't unnecessarily complicate things, I usually
> understand things better with examples but please let me know if there
> is anything I can do...
It was OK, but I got misled by the frontpage bit that the bug is somehow
frontpage-specific.
regards,
Marcin
--
Marcin Owsiany <porridge@debian.org> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
Severity set to `important'.
Request was from Marcin Owsiany <porridge@debian.org>
to control@bugs.debian.org.
Tags added: confirmed
Request was from Marcin Owsiany <porridge@debian.org>
to control@bugs.debian.org.
Changed Bug title.
Request was from Marcin Owsiany <porridge@debian.org>
to control@bugs.debian.org.
Reply sent to Marcin Owsiany <marcin@owsiany.pl>:
You have marked Bug as forwarded.
Subject: mod_auth_shadow turning itself on with require group
Date: Thu, 8 Sep 2005 19:58:10 +0200
Hi!
I have received a bug report on mod_auth_shadow, which you can see with
all replies at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=323789
The problem is that mod_auth_shadow always turns itself on, when
"require group <whatever>" is used in the same scope. This makes it
impossible to use any other authentication modules with "require group"
when mod_auth_shadow is loaded.
"AuthShadow off" seems to have no effect.
I could reproduce that with the following:
-------------------------------------------------
mkdir ~/public_html/test/
cat << END > ~/public_html/test/.htaccess
AuthShadow off
AuthType Basic
AuthName "My Test"
AuthUserFile /tmp/tuser
AuthGroupFile /tmp/tgroup
require group foogroup
END
echo 'oj:' > /tmp/tuser
echo 'foogroup: oj' > /tmp/tgroup
wget -S -O/dev/null --http-user=oj --http-password='' http://localhost/~porridge/test/
-------------------------------------------------
error.log contains:
[Thu Sep 8 19:32:22 2005] [error] [client 127.0.0.1] access to /~porridge/test/ failed. Reason: user oj not allowed access
Modifying apache configuration not to load auth_shadow (and removing the
"AuthShadow off" line) makes the above work as expected.
Please keep 323789-forwarded@bugs.debian.org in Cc when replying to this
message.
regards,
Marcin
--
Marcin Owsiany <marcin@owsiany.pl> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
"Every program in development at MIT expands until it can read mail."
-- Unknown
Message sent on to SICS Server Support <sics-support@syrex.co.za>:
Bug#323789.
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#323789; Package libapache-mod-auth-shadow.
Acknowledgement sent to Marcin Owsiany <porridge@debian.org>:
Extra info received and forwarded to list.
On Thu, Sep 08, 2005 at 07:43:04PM +0200, Marcin Owsiany wrote:
> Yes, now I can reproduce the problem. I'll work with the upstream
> maintainer and/or try to debug this myself.
I have prepared packages which seem to fix this issue for me.
They are available at
http://people.debian.org/~porridge/mod-auth-shadow-test/
which is also aptable as:
deb http://people.debian.org/~porridge/mod-auth-shadow-test/ ./
Please test whether they fix the issue for you and report back.
regards,
Marcin
--
Marcin Owsiany <porridge@debian.org> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
Subject: Re: mod_auth_shadow turning itself on with require group
Date: Thu, 22 Sep 2005 10:40:05 +0200
Hi!
On Thu, Sep 08, 2005 at 07:58:10PM +0200, Marcin Owsiany wrote:
> The problem is that mod_auth_shadow always turns itself on, when
> "require group <whatever>" is used in the same scope. This makes it
> impossible to use any other authentication modules with "require group"
> when mod_auth_shadow is loaded.
The following patch seems to fix this issue for me. Do you think it's
OK?
--- mod-auth-shadow-1.4.orig/mod_auth_shadow.c 2004-01-08 00:00:00.000000000 +0100
+++ mod-auth-shadow-1.4/mod_auth_shadow.c 2005-09-22 09:51:31.963028072 +0200
@@ -311,6 +307,11 @@
int method_restricted = 0;
const char *line; /* The requires line. */
const char *w; /* A word from the requires line. */
+ auth_shadow_config_rec *s = (auth_shadow_config_rec *)
+ ap_get_module_config(r->per_dir_config, &authshadow_module);
+
+ if (s->auth_shadow_flag != 1)
+ return DECLINED;
if (!req_arr) {
/* No requires lines. Any user will do. */
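Review bot: the hunk header `@@ -311,6 +307,11 @@` starts the new file four lines earlier than the old one, so an earlier hunk that removes four lines is missing from what is posted here and the fragment is not the complete patch; please post the whole diff against mod_auth_shadow.c so the removed lines can be reviewed too. On the check itself, `if (s->auth_shadow_flag != 1) return DECLINED;` treats every value other than an explicit "on" as off, including the unset default, so a scope that never mentions AuthShadow now also declines; that is the intended fix for the reported bug, but it is a behaviour change and deserves a one-line comment at the check and an entry in the package documentation. Placing it before `if (!req_arr)` is right: a disabled module should not inspect the requires lines at all.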
regards,
Marcin
--
Marcin Owsiany <porridge@debian.org> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
Message sent on to SICS Server Support <sics-support@syrex.co.za>:
Bug#323789.
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#323789; Package libapache-mod-auth-shadow.
Acknowledgement sent to Marcin Owsiany <porridge@debian.org>:
Extra info received and forwarded to list.
tag 323789 +security
thanks
Hi!
mod_auth_shadow is an Apache module which lets you perform HTTP
authentication against /etc/shadow. Whether it should act for a certain
location or directory is controlled with the AuthShadow on/off directive.
However, it seems that one of the handlers mistakenly does not check the
status of this directive, which means that mod_auth_shadow always runs
for locations which have "require group <somegroup>" specified.
This was reported upstream by someone over a year ago
http://sourceforge.net/tracker/index.php?func=detail&aid=1008478&group_id=11283&atid=311283
Since authorization is involved, this bug is security-related. If the
user were lucky, and /etc/{group,shadow} gave access to some group, but
other authentication mechanism didn't, then this would mean granting
them access unintentionally.
I have prepared packages which seem to work for me and asked the bug
submitter to test them. I also posted the patch to the SF patch forum,
and forwarded it upstream, which might get some more testing.
The preliminary sid packages are at
deb http://people.debian.org/~porridge/mod-auth-shadow-test/ ./
Either way, this patch inevitably changes the package behavior, since
now an explicit "AuthShadow on" is needed also with "require group
<...>". I wonder whether I should add a NEWS.Debian note...
I think that an advisory should be prepared. In such case, the behavior
change should be warned about in the advisory as well.
please let me know what you think,
Marcin
--
Marcin Owsiany <porridge@debian.org> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
From: SICS Server Support <sics-support@syrex.co.za>
To: Marcin Owsiany <porridge@debian.org>, 323789-quiet@bugs.debian.org
Subject: Re: [Ticket: 1020752] Bug#323789: Bug in mod_auth_shadow (mod-auth-sha [...]
Date: Fri, 23 Sep 2005 01:05:50 +0200
Dear Marcin,
Marcin Owsiany <porridge@debian.org> wrote:
> > Yes, now I can reproduce the problem. I'll work with the upstream
> > maintainer and/or try to debug this myself.
>
> I have prepared packages which seem to fix this issue for me.
>
> Please test whether they fix the issue for you and report back.
Superb, the module now works flawlessly!
I use mod_auth_shadow-2.0-1, though, so I had to make a tiny adjustment to your
patch to get it to compile/work:
auth_shadow_config_rec *s = (auth_shadow_config_rec *)
- ap_get_module_config(r->per_dir_config, &authshadow_module);
+ ap_get_module_config(r->per_dir_config, &auth_shadow_module);
if (s->auth_shadow_flag != 1)
return DECLINED;
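Review bot: the only change here is the module symbol, `authshadow_module` in the 1.4 tree versus `auth_shadow_module` in 2.0, so the patch as posted for 1.4 does not compile against the 2.0 source; the upstream version of the fix should carry a note saying which source tree it targets, or be submitted once per tree with the name that tree declares, so nobody else has to rediscover the rename.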
Regards
David Herselman -=*> Syrex Intranets <*=-
27 7th Avenue, Parktown North, 2193    http://www.syrex.co.za
Voice: +27-(0)86-11-SYREX    Fax: +27-(0)86-12-SYREX
Tags removed: help
Request was from Marcin Owsiany <porridge@debian.org>
to control@bugs.debian.org.
Tags added: pending
Request was from Marcin Owsiany <porridge@debian.org>
to control@bugs.debian.org.
Bug marked as found in version 1.3-3.1woody.1.
Request was from Marcin Owsiany <porridge@debian.org>
to control@bugs.debian.org.
Bug marked as found in version 1.4-1.
Request was from Marcin Owsiany <porridge@debian.org>
to control@bugs.debian.org.
Reply sent to Marcin Owsiany <porridge@debian.org>:
You have taken responsibility.
Notification sent to SICS Server Support <sics-support@syrex.co.za>:
Bug acknowledged by developer.
Subject: Bug#323789: fixed in mod-auth-shadow 1.4-2
Date: Mon, 26 Sep 2005 02:02:05 -0700
Source: mod-auth-shadow
Source-Version: 1.4-2
We believe that the bug you reported is fixed in the latest version of
mod-auth-shadow, which is due to be installed in the Debian FTP archive:
libapache-mod-auth-shadow_1.4-2_i386.deb
to pool/main/m/mod-auth-shadow/libapache-mod-auth-shadow_1.4-2_i386.deb
mod-auth-shadow_1.4-2.diff.gz
to pool/main/m/mod-auth-shadow/mod-auth-shadow_1.4-2.diff.gz
mod-auth-shadow_1.4-2.dsc
to pool/main/m/mod-auth-shadow/mod-auth-shadow_1.4-2.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 323789@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marcin Owsiany <porridge@debian.org> (supplier of updated mod-auth-shadow package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 26 Sep 2005 10:47:09 +0200
Source: mod-auth-shadow
Binary: libapache-mod-auth-shadow
Architecture: source i386
Version: 1.4-2
Distribution: unstable
Urgency: high
Maintainer: Marcin Owsiany <porridge@debian.org>
Changed-By: Marcin Owsiany <porridge@debian.org>
Description:
libapache-mod-auth-shadow - An Apache module for authentication using /etc/shadow
Closes: 323789 328987
Changes:
mod-auth-shadow (1.4-2) unstable; urgency=high
.
* Added checking of auth_shadow_flag in authshadow_valid_user(); this fixes
the problem where auth_shadow always turned itself on when require group
was specified. closes: Bug#323789 (CAN-2005-2963). This is security
related, so urgency=high
* Rebuild to get rid of libdb4.1 dependency. closes: Bug#328987
* Upgraded Standards-Version to 3.6.2 (no changes needed)
Files:
5467f2a5707fb0646bc50b11bb056649 606 web extra mod-auth-shadow_1.4-2.dsc
e062395f160e54ba06deb831d3cc9d39 5925 web extra mod-auth-shadow_1.4-2.diff.gz
ea0a1ba32990bad0289549b3f4cc8b30 12246 web extra libapache-mod-auth-shadow_1.4-2_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDN7bGOg2KoGD0EhYRAluyAJ4uo0LZC5OaoHBf55z24NDR6oHRZACeJ2rM
qocB5EMzsd+mwQjYm4yYP7Q=
=uzFc
-----END PGP SIGNATURE-----
Subject: Re: mod_auth_shadow turning itself on with require group
Date: Mon, 26 Sep 2005 12:57:10 +0200
On Thursday, September 22, Marcin Owsiany wrote:
> Hi!
>
> On Thu, Sep 08, 2005 at 07:58:10PM +0200, Marcin Owsiany wrote:
> > The problem is that mod_auth_shadow always turns itself on, when
> > "require group <whatever>" is used in the same scope.
I see -- yes, it 'turns itself on' in the sense that it validates the
user/group. But it declines to validate the password. (The end result
being that for users to be valid they have to pass the user/groups
tests in mod_auth_shadow even if AuthShadow is off.)
> > This makes it
> > impossible to use any other authentication modules with "require group"
> > when mod_auth_shadow is loaded.
>
> The following patch seems to fix this issue for me. Do you think it's
> OK?
>
Yes, it looks good. Thanks a lot. I've applied it, and released
a new version (1.5).
-Brian
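Marcin's security note earlier in the thread (the handler not checking AuthShadow, and a user possibly being granted access through /etc/group when mod_auth would have refused) and Brian's reply above (the module still validates user/group even when it is off) both come down to how Apache runs its auth_checker hooks: it is a run-first hook, so the first module that returns anything other than DECLINED decides. The following is an added example written for this page, not code from the thread, from mod_auth_shadow or from httpd: a small C model of that hook chain with the group check before and after the patch. No Apache API is used; the config and request structs, the 401/OK/DECLINED values, the module order (shadow module consulted before mod_auth, an assumption) and the two group tables are all constructed for the example.

```c
/* Added example: a self-contained model of Apache's auth_checker hook
 * chain, written for this page (not code from mod_auth_shadow, from
 * httpd, or from anyone in the thread).  No Apache headers are used;
 * the structs, module order and group tables are constructed stand-ins. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { OK = 0, DECLINED = -1, HTTP_UNAUTHORIZED = 401 };

/* Per-directory config, modelled on auth_shadow_config_rec: the flag
 * that "AuthShadow on" sets to 1 (assumption: unset/off is 0). */
typedef struct { int auth_shadow_flag; } dir_config;

typedef struct {
    const char *user;       /* user name from the Basic credentials */
    const char *req_group;  /* argument of "require group" */
    const dir_config *conf;
} request;

/* Constructed stand-ins for /etc/group and for AuthGroupFile, one
 * "group:member" string per entry. */
static const char *etc_group[] = { "foogroup:root", "wheel:oj", NULL };
static const char *auth_group_file[] = { "foogroup:oj", NULL };

static int in_group(const char **table, const char *group, const char *user)
{
    char entry[64];
    snprintf(entry, sizeof entry, "%s:%s", group, user);
    for (; *table != NULL; table++)
        if (strcmp(*table, entry) == 0)
            return 1;
    return 0;
}

/* mod_auth's authorizer: answers from AuthGroupFile. */
static int mod_auth_checker(const request *r)
{
    return in_group(auth_group_file, r->req_group, r->user) ? OK : HTTP_UNAUTHORIZED;
}

/* mod_auth_shadow before the patch: it never consults auth_shadow_flag,
 * so it answers for every "require group" scope it is loaded into. */
static int shadow_checker_buggy(const request *r)
{
    return in_group(etc_group, r->req_group, r->user) ? OK : HTTP_UNAUTHORIZED;
}

/* mod_auth_shadow with the patch applied: DECLINED unless "AuthShadow on". */
static int shadow_checker_fixed(const request *r)
{
    if (r->conf->auth_shadow_flag != 1)
        return DECLINED;
    return shadow_checker_buggy(r);
}

typedef int (*auth_checker)(const request *);

/* auth_checker is a run-first hook: the first module that returns
 * anything but DECLINED decides, and later modules never run.  That the
 * shadow module is consulted before mod_auth is an assumption. */
static int run_auth_checkers(const request *r, auth_checker shadow)
{
    auth_checker chain[] = { shadow, mod_auth_checker };
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) {
        int rc = chain[i](r);
        if (rc != DECLINED)
            return rc;
    }
    return HTTP_UNAUTHORIZED; /* no module authorized the user */
}

/* Status for a request in a scope with the given AuthShadow flag,
 * against the buggy (fixed == 0) or patched (fixed == 1) module. */
int auth_status(const char *user, const char *group, int auth_shadow_flag, int fixed)
{
    dir_config conf = { auth_shadow_flag };
    request r = { user, group, &conf };
    return run_auth_checkers(&r, fixed ? shadow_checker_fixed : shadow_checker_buggy);
}

int main(void)
{
    /* oj is in foogroup only in AuthGroupFile; root only in /etc/group. */
    printf("AuthShadow off, buggy: oj=%d root=%d\n",
           auth_status("oj", "foogroup", 0, 0), auth_status("root", "foogroup", 0, 0));
    printf("AuthShadow off, fixed: oj=%d root=%d\n",
           auth_status("oj", "foogroup", 0, 1), auth_status("root", "foogroup", 0, 1));
    printf("AuthShadow on,  fixed: oj=%d root=%d\n",
           auth_status("oj", "foogroup", 1, 1), auth_status("root", "foogroup", 1, 1));
    return 0;
}
```

Compile with any C compiler and run. The first line reproduces the report: with AuthShadow off, oj is refused (401) although AuthGroupFile allows him, because the shadow module answered first and never declined; root on that same line is the unintended grant Marcin describes, let in through /etc/group without mod_auth ever being consulted. The second line is the patched behaviour, where mod_auth's file decides, and the third shows that an explicit "AuthShadow on" still routes the decision to /etc/group.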
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 27 Jun 2007 00:49:30 GMT)