[Bug 1529355] Re: authzprovideralias-defined authz provider can't be used in Ubuntu14
Andreas Hasenack
andreas at canonical.com
Sat Nov 24 16:52:30 UTC 2018
** Description changed:
[Impact]
+ AuthzProviderAlias are invisible to the authz provider inside a virtualhost stanza. This is a regression from hardy.
- * An explanation of the effects of the bug on users and
+ * An explanation of the effects of the bug on users and
- * justification for backporting the fix to the stable release.
+ * justification for backporting the fix to the stable release.
- * In addition, it is helpful, but not required, to include an
- explanation of how the upload fixes this bug.
+ * In addition, it is helpful, but not required, to include an
+ explanation of how the upload fixes this bug.
[Test Case]
- * detailed instructions how to reproduce the bug
+ On trusty:
+ # install apache
+ sudo apt update
+ sudo apt install apache2 -y
- * these should allow someone who is not familiar with the affected
- package to reproduce the bug and verify that the updated package fixes
- the problem.
+ # Add this block to /etc/apache2/sites-enabled/000-default.conf between
+ the VirtualHost lines:
+
+ <Directory "/var/www/html">
+ <RequireAll>
+ Require not blacklisted-ips
+ Require all granted
+ </RequireAll>
+ </Directory>
+
+ # create the file /etc/apache2/conf-enabled/authz.conf with this content:
+ <AuthzProviderAlias ip blacklisted-ips "127.0.0.1">
+ </AuthzProviderAlias>
+
+ # restart apache2:
+ sudo service apache2 restart
+
+ # access localhost, which should work just fine
+ wget localhost -O /dev/null
+
+ # observe that /var/log/apache2/error.log contains a message like this:
+ AH02305: no alias provider found for 'blacklisted-ips' (BUG?)
+
+ # /var/log/apache2/access.log shows a normal GET request for /, which was allowed:
+ "GET / HTTP/1.1" 200 11820 "-" "Wget/1.15 (linux-gnu)"
+
+ That, and the successful request, indicate the bug.
+
+ With an updated apache2 package, the following happens:
+
+ - /var/log/apache2/error.log no longer contains a line questioning "blacklisted-ips", but instead logs a 403 status:
+ [client 127.0.0.1:53478] AH01630: client denied by server configuration: /var/www/html/
+ - same for /var/log/apache2/access.log, showing a 403 being returned to the client:
+ "GET / HTTP/1.1" 403 492 "-" "Wget/1.15 (linux-gnu)"
+ - and wget fails:
+ $ wget localhost
+ --2018-11-24 16:50:28-- http://localhost/
+ Resolving localhost (localhost)... 127.0.0.1
+ Connecting to localhost (localhost)|127.0.0.1|:80... connected.
+ HTTP request sent, awaiting response... 403 Forbidden
+ 2018-11-24 16:50:28 ERROR 403: Forbidden.
+
[Regression Potential]
- * discussion of how regressions are most likely to manifest as a result
+ * discussion of how regressions are most likely to manifest as a result
of this change.
- * It is assumed that any SRU candidate patch is well-tested before
- upload and has a low overall risk of regression, but it's important
- to make the effort to think about what ''could'' happen in the
- event of a regression.
+ * It is assumed that any SRU candidate patch is well-tested before
+ upload and has a low overall risk of regression, but it's important
+ to make the effort to think about what ''could'' happen in the
+ event of a regression.
- * This both shows the SRU team that the risks have been considered,
- and provides guidance to testers in regression-testing the SRU.
+ * This both shows the SRU team that the risks have been considered,
+ and provides guidance to testers in regression-testing the SRU.
[Other Info]
-
- * Anything else you think is useful to include
- * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
- * and address these questions in advance
+ * Anything else you think is useful to include
+ * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
+ * and address these questions in advance
[Original Description]
Recently I updated my server from Ubuntu 12.03 LTS to Ubuntu14.03 LTS,
and I found the problem of Apache 2.4.7.
It is thought that Apache2.4.7 doesn't include authzprovideralias-defined authz provider.
So I can't set the systemuser's account to belong to multiple organizations.
Since Apache2.4.11 includes authzprovideralias-defined authz provider,
I want you to make the same correspondence to Apache2.4.7.
Please put in this patch, right now!
https://bz.apache.org/bugzilla/show_bug.cgi?id=56870
** Description changed:
[Impact]
AuthzProviderAlias are invisible to the authz provider inside a virtualhost stanza. This is a regression from hardy.
- * An explanation of the effects of the bug on users and
-
- * justification for backporting the fix to the stable release.
-
- * In addition, it is helpful, but not required, to include an
- explanation of how the upload fixes this bug.
+ Sites affected by this bug might be leaking pages that were denied
+ previously, because access is just granted.
[Test Case]
On trusty:
# install apache
sudo apt update
sudo apt install apache2 -y
# Add this block to /etc/apache2/sites-enabled/000-default.conf between
the VirtualHost lines:
- <Directory "/var/www/html">
- <RequireAll>
- Require not blacklisted-ips
- Require all granted
- </RequireAll>
- </Directory>
+ <Directory "/var/www/html">
+ <RequireAll>
+ Require not blacklisted-ips
+ Require all granted
+ </RequireAll>
+ </Directory>
# create the file /etc/apache2/conf-enabled/authz.conf with this content:
<AuthzProviderAlias ip blacklisted-ips "127.0.0.1">
</AuthzProviderAlias>
# restart apache2:
sudo service apache2 restart
# access localhost, which should work just fine
wget localhost -O /dev/null
# observe that /var/log/apache2/error.log contains a message like this:
AH02305: no alias provider found for 'blacklisted-ips' (BUG?)
# /var/log/apache2/access.log shows a normal GET request for /, which was allowed:
"GET / HTTP/1.1" 200 11820 "-" "Wget/1.15 (linux-gnu)"
That, and the successful request, indicate the bug.
With an updated apache2 package, the following happens:
- /var/log/apache2/error.log no longer contains a line questioning "blacklisted-ips", but instead logs a 403 status:
[client 127.0.0.1:53478] AH01630: client denied by server configuration: /var/www/html/
- same for /var/log/apache2/access.log, showing a 403 being returned to the client:
"GET / HTTP/1.1" 403 492 "-" "Wget/1.15 (linux-gnu)"
- and wget fails:
- $ wget localhost
+ $ wget localhost
--2018-11-24 16:50:28-- http://localhost/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2018-11-24 16:50:28 ERROR 403: Forbidden.
-
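The test case above is judged by eye from two log lines. As an added example (not part of the bug report or of the apache2 package), this POSIX shell helper classifies a trusty host as "buggy" or "fixed" from error.log and access.log, using constructed sample logs modelled on the lines quoted above; the alias name and log paths are the ones from the test case.

```shell
#!/bin/sh
# Added example, not from the bug report: classify the outcome of the
# AuthzProviderAlias test case by inspecting Apache's two log files.
#   buggy   - AH02305 for the alias was logged and the request got a 200
#   fixed   - the alias was honoured: AH01630 denial and a 403 in access.log
#   unknown - neither pattern found (request not made, wrong alias name, ...)
check_authz_alias() {
    error_log="$1"
    access_log="$2"
    alias_name="${3:-blacklisted-ips}"   # alias used in the test case
    if grep -q "AH02305: no alias provider found for '$alias_name'" "$error_log" \
       && grep -q '"GET / HTTP/1.1" 200 ' "$access_log"; then
        echo buggy
    elif ! grep -q "AH02305" "$error_log" \
         && grep -q "AH01630: client denied by server configuration" "$error_log" \
         && grep -q '"GET / HTTP/1.1" 403 ' "$access_log"; then
        echo fixed
    else
        echo unknown
    fi
}

# Constructed sample logs (timestamps and pid are made up; the message
# text and client lines follow what the test case quotes).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/buggy_error.log" <<'EOF'
[Sat Nov 24 16:45:01.000000 2018] [authz_core:error] [pid 1234] [client 127.0.0.1:53470] AH02305: no alias provider found for 'blacklisted-ips' (BUG?)
EOF
cat > "$SAMPLE_DIR/buggy_access.log" <<'EOF'
127.0.0.1 - - [24/Nov/2018:16:45:01 +0000] "GET / HTTP/1.1" 200 11820 "-" "Wget/1.15 (linux-gnu)"
EOF
cat > "$SAMPLE_DIR/fixed_error.log" <<'EOF'
[Sat Nov 24 16:50:28.000000 2018] [authz_core:error] [pid 1234] [client 127.0.0.1:53478] AH01630: client denied by server configuration: /var/www/html/
EOF
cat > "$SAMPLE_DIR/fixed_access.log" <<'EOF'
127.0.0.1 - - [24/Nov/2018:16:50:28 +0000] "GET / HTTP/1.1" 403 492 "-" "Wget/1.15 (linux-gnu)"
EOF

# On a real trusty host, after running the test case, point it at the live logs:
#   check_authz_alias /var/log/apache2/error.log /var/log/apache2/access.log
echo "sample buggy logs: $(check_authz_alias "$SAMPLE_DIR/buggy_error.log" "$SAMPLE_DIR/buggy_access.log")"
echo "sample fixed logs: $(check_authz_alias "$SAMPLE_DIR/fixed_error.log" "$SAMPLE_DIR/fixed_access.log")"
```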
[Regression Potential]
* discussion of how regressions are most likely to manifest as a result
of this change.
* It is assumed that any SRU candidate patch is well-tested before
upload and has a low overall risk of regression, but it's important
to make the effort to think about what ''could'' happen in the
event of a regression.
* This both shows the SRU team that the risks have been considered,
and provides guidance to testers in regression-testing the SRU.
[Other Info]
* Anything else you think is useful to include
* Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
* and address these questions in advance
[Original Description]
Recently I updated my server from Ubuntu 12.03 LTS to Ubuntu14.03 LTS,
and I found the problem of Apache 2.4.7.
It is thought that Apache2.4.7 doesn't include authzprovideralias-defined authz provider.
So I can't set the systemuser's account to belong to multiple organizations.
Since Apache2.4.11 includes authzprovideralias-defined authz provider,
I want you to make the same correspondence to Apache2.4.7.
Please put in this patch, right now!
https://bz.apache.org/bugzilla/show_bug.cgi?id=56870
https://bugs.launchpad.net/bugs/1529355
Title:
authzprovideralias-defined authz provider can't be used in Ubuntu14