[Bug 150649] [NEW] gutsy does not have a working apache+mysql authentication solution

Launchpad Bug Tracker 150649 at bugs.launchpad.net
Wed Dec 3 14:42:03 GMT 2008


You have been subscribed to a public bug by Julien Rottenberg (jrottenberg):

Binary package hint: libapache2-mod-auth-mysql

As of Mon Oct  8 17:08:24 EEST 2007, there is no working solution to
authenticate with mysql from apache. This is a serious problem that
might hinder migration to gutsy in many sites.

I have to file this bug against two packages as there are two possible solutions for mysql authentication, *neither of which work*:
1 [RECOMMENDED by Apache Foundation] mod_authn_dbd
(http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html) -- libapr1 doesn't contain a mysql driver, being entirely unusable (see detailed report at bug #150651)
2 [DEPRECATED] libapache2-mod-auth-mysql 
doesn't honour the AuthBasicAuthoritative Off directive and doesn't work. Details follow

Versions:
-------------
Updated Gutsy beta release.

apache2-mpm-prefork 2.2.4-3build1
libapache2-mod-auth-mysql    4.3.9-4

Setup:
-------------

a2enmod auth_mysql

virtual host conf:
        <Location /mysqlauth>
                AuthName "mysql-auth test"
                AuthType Basic

                AuthBasicAuthoritative      Off

                AuthMySQL                   On
                AuthMySQL_Authoritative     On
                AuthMySQL_DB                apache_auth_test
                AuthMySQL_User              authtestuser
                AuthMySQL_Password          authtestpassword

                AuthMySQL_Password_Table    auth
                AuthMySQL_Username_Field    username
                AuthMySQL_Password_Field    passwd
                Auth_MySQL_Encryption_Types MySQL

                # AuthUserFile                /dev/null or /var/www/empty -- enabling this results in stack smashing
                Require valid-user
        </Location>

db setup:
DROP database IF EXISTS apache_auth_test;

create database apache_auth_test;

use apache_auth_test;

create table auth ( username char(25) not null,
        passwd char(25), primary key (username) );

insert into auth values ('somebody', PASSWORD('random'));

grant all privileges on apache_auth_test.* to authtestuser at localhost
identified by 'authtestpassword';

Result:
-------------
1. Without AuthUserFile directive:
[Mon Oct 08 20:58:18 2007] [error] Internal error: pcfg_openfile() called with NULL filename
[Mon Oct 08 20:58:18 2007] [error] [client 213.35.160.166] (9)Bad file descriptor: Could not open password file: (null)
*** stack smashing detected ***: /usr/sbin/apache2 terminated
[Mon Oct 08 20:58:18 2007] [notice] child pid 4834 exit signal Aborted (6)

2. With either
AuthUserFile directive that points to a empty file (e.g. /dev/null)
or
AuthUserFile directive that points to a htpasswd file that does not contain the user name (e.g. trying with foo, but htapsswd file contains only bar):
*** stack smashing detected ***: /usr/sbin/apache2 terminated
[Mon Oct 08 16:57:05 2007] [notice] child pid 4250 exit signal Aborted (6)

3. With AuthUserFile directive that points to a htpasswd file that contains the user name (e.g. trying with foo and htpasswd file contains foo):
authentication succeeds, but database authentication is ignored

Conclusion:
-------------

1. AuthBasicAuthoritative  Off is not honoured,
2. 'stack smashing detected' looks like a serious bug in libapache2-mod-auth-mysql.

** Affects: libapache-mod-auth-mysql (Ubuntu)
     Importance: Undecided
         Status: Incomplete


** Tags: gutsy
-- 
gutsy does not have a working apache+mysql authentication solution
https://bugs.launchpad.net/bugs/150649
You received this bug notification because you are a member of Ubuntu Server Team, which is a direct subscriber.



More information about the Ubuntu-server-bugs mailing list