[Bug 1529355] Re: authzprovideralias-defined authz provider can't be used in Ubuntu14

Andreas Hasenack andreas at canonical.com
Sat Nov 24 17:12:44 UTC 2018


** Description changed:

  [Impact]
  AuthzProviderAlias are invisible to the authz provider inside a virtualhost stanza. This is a regression from hardy.
  
  Sites affected by this bug might be leaking pages that were denied
  previously, because access is just granted.
  
  [Test Case]
  
  On trusty:
  # install apache
  sudo apt update
  sudo apt install apache2 -y
  
  # Add this block to /etc/apache2/sites-enabled/000-default.conf between
  the VirtualHost lines:
  
          <Directory "/var/www/html">
               <RequireAll>
                   Require not blacklisted-ips
                   Require all granted
               </RequireAll>
          </Directory>
  
  # create the file /etc/apache2/conf-enabled/authz.conf with this content:
  <AuthzProviderAlias ip blacklisted-ips "127.0.0.1">
  </AuthzProviderAlias>
  
  # restart apache2:
  sudo service apache2 restart
  
  # access localhost, which should work just fine
  wget localhost -O /dev/null
  
  # observe that /var/log/apache2/error.log contains a message like this:
  AH02305: no alias provider found for 'blacklisted-ips' (BUG?)
  
  # /var/log/apache2/access.log shows a normal GET request for /, which was allowed:
  "GET / HTTP/1.1" 200 11820 "-" "Wget/1.15 (linux-gnu)"
  
  That, and the successful request, indicate the bug.
  
+ 
  With an updated apache2 package, the following happens:
  
- - /var/log/apache2/error.log no longer contains a line questioning "blacklisted-ips", but instead logs a 403 status:
- [client 127.0.0.1:53478] AH01630: client denied by server configuration: /var/www/html/
- - same for /var/log/apache2/access.log, showing a 403 being returned to the client:
+ # /var/log/apache2/error.log no longer contains a line questioning
+ "blacklisted-ips", but instead logs a 403 status:
+ 
+ [client 127.0.0.1:53478] AH01630: client denied by server configuration:
+ /var/www/html/
+ 
+ 
+ # same for /var/log/apache2/access.log, showing a 403 being returned to the client:
+ 
  "GET / HTTP/1.1" 403 492 "-" "Wget/1.15 (linux-gnu)"
- - and wget fails:
+ 
+ 
+ # and wget fails as it should:
+ 
  $ wget localhost
  --2018-11-24 16:50:28--  http://localhost/
  Resolving localhost (localhost)... 127.0.0.1
  Connecting to localhost (localhost)|127.0.0.1|:80... connected.
  HTTP request sent, awaiting response... 403 Forbidden
  2018-11-24 16:50:28 ERROR 403: Forbidden.
  
  [Regression Potential]
+ The patch was applied in apache 2.4.11. I looked for other commits after that trying to spot if there was a regression, but couldn't find any, and the same diff is present all the way up to what we have in disco now.
  
-  * discussion of how regressions are most likely to manifest as a result
- of this change.
- 
-  * It is assumed that any SRU candidate patch is well-tested before
-    upload and has a low overall risk of regression, but it's important
-    to make the effort to think about what ''could'' happen in the
-    event of a regression.
- 
-  * This both shows the SRU team that the risks have been considered,
-    and provides guidance to testers in regression-testing the SRU.
  
  [Other Info]
- 
-  * Anything else you think is useful to include
-  * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board
-  * and address these questions in advance
+ Not at this time.
  
  [Original Description]
  
  Recently I updated my server from Ubuntu 12.03 LTS to Ubuntu14.03 LTS,
  And I found the problem of Apache 2.4.7.
  It is thought that Apache2.4.7 doesn't include authzprovideralias-defined authz provider.
  So I can't set the systemuser's account to belong to Multiple organizations.
  Since Apacahe2.4.11 includes authzprovideralias-defined authz provider,
  I want you to make the same correspondence to Apache2.4.7.
  
  Please put in this patch, right now!
  https://bz.apache.org/bugzilla/show_bug.cgi?id=56870
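The test case above decides between "bug present" and "fixed" by reading two log lines: an AH02305 "no alias provider found" entry means the `Require not blacklisted-ips` rule was silently skipped and the request fell through to `Require all granted`, while an AH01630 entry plus a 403 in access.log means the alias was honoured. The following POSIX shell script, added here as an example and not part of the bug report or the apache2 package, turns that check into a function so the outcome can be verified mechanically after an SRU upgrade. The `SAMPLE_*` log lines are constructed, modelled on the ones quoted in the test case; `authz_alias_status` and `check_live_logs` are names chosen for this example, and `check_live_logs` assumes the default Debian/Ubuntu log paths named in the test case.

```shell
#!/bin/sh
# Added example (not from the bug report): classify Apache logs as showing
# the AuthzProviderAlias fail-open (bug) or the expected 403 (fixed).
# All SAMPLE_* lines below are constructed, modelled on the report's quotes.

# Buggy trusty package: alias lookup fails, request is allowed (constructed).
SAMPLE_ERR_BUG="[Sat Nov 24 16:40:01.000000 2018] [authz_core:error] [pid 2345] AH02305: no alias provider found for 'blacklisted-ips' (BUG?)"
SAMPLE_ACC_BUG='127.0.0.1 - - [24/Nov/2018:16:40:01 +0000] "GET / HTTP/1.1" 200 11820 "-" "Wget/1.15 (linux-gnu)"'

# Updated package: alias resolved, blacklisted client denied (constructed).
SAMPLE_ERR_FIXED="[Sat Nov 24 16:50:28.000000 2018] [authz_core:error] [pid 2345] [client 127.0.0.1:53478] AH01630: client denied by server configuration: /var/www/html/"
SAMPLE_ACC_FIXED='127.0.0.1 - - [24/Nov/2018:16:50:28 +0000] "GET / HTTP/1.1" 403 492 "-" "Wget/1.15 (linux-gnu)"'

# authz_alias_status ERROR_LOG_TEXT ACCESS_LOG_TEXT
# Prints "bug"   when AH02305 shows the alias was not found: the deny rule
#                was skipped and access was granted (fail open).
# Prints "fixed" when AH01630 shows the client was denied and access.log
#                recorded the 403 for GET /.
# Prints "unknown" when neither pattern is present (e.g. no request yet).
# Exit status: 0 fixed, 1 bug, 2 unknown.
authz_alias_status() {
    err_log=$1
    acc_log=$2
    if printf '%s\n' "$err_log" | grep -q 'AH02305: no alias provider found'; then
        echo bug
        return 1
    fi
    if printf '%s\n' "$err_log" | grep -q 'AH01630: client denied by server configuration' \
       && printf '%s\n' "$acc_log" | grep -q '"GET / HTTP/1\.[01]" 403 '; then
        echo fixed
        return 0
    fi
    echo unknown
    return 2
}

# check_live_logs: run the same classification on the real files from the
# test case (assumed default paths; run after "wget localhost -O /dev/null").
check_live_logs() {
    authz_alias_status "$(cat /var/log/apache2/error.log)" \
                       "$(cat /var/log/apache2/access.log)"
}

# Demonstration on the constructed samples: prints "bug", then "fixed".
authz_alias_status "$SAMPLE_ERR_BUG" "$SAMPLE_ACC_BUG" || :
authz_alias_status "$SAMPLE_ERR_FIXED" "$SAMPLE_ACC_FIXED" || :
```

The check deliberately requires both the AH01630 error-log entry and the 403 in access.log before reporting "fixed": a 403 alone could come from another rule, and a missing AH02305 alone proves nothing if no request has been made since the restart.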

-- 
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1529355

Title:
  authzprovideralias-defined authz provider can't be used in Ubuntu14

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1529355/+subscriptions



More information about the Ubuntu-server-bugs mailing list