[Bug 150649] [NEW] gutsy does not have a working apache+mysql authentication solution
Launchpad Bug Tracker
150649 at bugs.launchpad.net
Wed Dec 3 14:42:03 GMT 2008
You have been subscribed to a public bug by Julien Rottenberg (jrottenberg):
Binary package hint: libapache2-mod-auth-mysql
As of Mon Oct 8 17:08:24 EEST 2007, there is no working solution to
authenticate with mysql from apache. This is a serious problem that
might hinder migration to gutsy in many sites.
I have to file this bug against two packages as there are two possible solutions for mysql authentication, *neither of which work*:
1 [RECOMMENDED by Apache Foundation] mod_authn_dbd
(http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html) -- libapr1 doesn't contain a mysql driver, being entirely unusable (see detailed report at bug #150651)
2 [DEPRECATED] libapache2-mod-auth-mysql
doesn't honour the AuthBasicAuthoritative Off directive and doesn't work. Details follow
Versions:
-------------
Updated Gutsy beta release.
apache2-mpm-prefork 2.2.4-3build1
libapache2-mod-auth-mysql 4.3.9-4
Setup:
-------------
a2enmod auth_mysql
virtual host conf:
<Location /mysqlauth>
AuthName "mysql-auth test"
AuthType Basic
AuthBasicAuthoritative Off
AuthMySQL On
AuthMySQL_Authoritative On
AuthMySQL_DB apache_auth_test
AuthMySQL_User authtestuser
AuthMySQL_Password authtestpassword
AuthMySQL_Password_Table auth
AuthMySQL_Username_Field username
AuthMySQL_Password_Field passwd
Auth_MySQL_Encryption_Types MySQL
# AuthUserFile /dev/null or /var/www/empty -- enabling this results in stack smashing
Require valid-user
</Location>
db setup:
DROP database IF EXISTS apache_auth_test;
create database apache_auth_test;
use apache_auth_test;
create table auth ( username char(25) not null,
passwd char(25), primary key (username) );
insert into auth values ('somebody', PASSWORD('random'));
grant all privileges on apache_auth_test.* to authtestuser at localhost
identified by 'authtestpassword';
Result:
-------------
1. Without AuthUserFile directive:
[Mon Oct 08 20:58:18 2007] [error] Internal error: pcfg_openfile() called with NULL filename
[Mon Oct 08 20:58:18 2007] [error] [client 213.35.160.166] (9)Bad file descriptor: Could not open password file: (null)
*** stack smashing detected ***: /usr/sbin/apache2 terminated
[Mon Oct 08 20:58:18 2007] [notice] child pid 4834 exit signal Aborted (6)
2. With either
AuthUserFile directive that points to a empty file (e.g. /dev/null)
or
AuthUserFile directive that points to a htpasswd file that does not contain the user name (e.g. trying with foo, but htapsswd file contains only bar):
*** stack smashing detected ***: /usr/sbin/apache2 terminated
[Mon Oct 08 16:57:05 2007] [notice] child pid 4250 exit signal Aborted (6)
3. With AuthUserFile directive that points to a htpasswd file that contains the user name (e.g. trying with foo and htpasswd file contains foo):
authentication succeeds, but database authentication is ignored
Conclusion:
-------------
1. AuthBasicAuthoritative Off is not honoured,
2. 'stack smashing detected' looks like a serious bug in libapache2-mod-auth-mysql.
** Affects: libapache-mod-auth-mysql (Ubuntu)
Importance: Undecided
Status: Incomplete
** Tags: gutsy
--
gutsy does not have a working apache+mysql authentication solution
https://bugs.launchpad.net/bugs/150649
You received this bug notification because you are a member of Ubuntu Server Team, which is a direct subscriber.
More information about the Ubuntu-server-bugs
mailing list