Ubuntu
apache2 package

authzprovideralias-defined authz provider can't be used in Ubuntu14

Bug #1529355 reported by Hikari Kobayashi
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apache2 (Ubuntu)
Fix Released
High
Unassigned
Trusty
Fix Released
Undecided
Andreas Hasenack

Bug Description

[Impact]
AuthzProviderAlias are invisible to the authz provider inside a virtualhost stanza. This is a regression from hardy.

Sites affected by this bug might be leaking pages that were denied previously, because access is just granted.

[Test Case]

On trusty:
# install apache
sudo apt update
sudo apt install apache2 -y

# Add this block to /etc/apache2/sites-enabled/000-default.conf between the VirtualHost lines:

        <Directory "/var/www/html">
             <RequireAll>
                 Require not blacklisted-ips
                 Require all granted
             </RequireAll>
        </Directory>

# create the file /etc/apache2/conf-enabled/authz.conf with this content:
<AuthzProviderAlias ip blacklisted-ips "127.0.0.1">
</AuthzProviderAlias>

# restart apache2:
sudo service apache2 restart

# access localhost, which should work just fine
wget localhost -O /dev/null

# observe that /var/log/apache2/error.log contains a message like this:
AH02305: no alias provider found for 'blacklisted-ips' (BUG?)

# /var/log/apache2/access.log shows a normal GET request for /, which was allowed:
"GET / HTTP/1.1" 200 11820 "-" "Wget/1.15 (linux-gnu)"

That, and the successful request, indicate the bug.

With an updated apache2 package, the following happens:

# /var/log/apache2/error.log no longer contains a line questioning "blacklisted-ips", but instead logs a 403 status:

[client 127.0.0.1:53478] AH01630: client denied by server configuration: /var/www/html/

# same for /var/log/apache2/access.log, showing a 403 being returned to the client:

"GET / HTTP/1.1" 403 492 "-" "Wget/1.15 (linux-gnu)"

# and wget fails as it should:

$ wget localhost
--2018-11-24 16:50:28-- http://localhost/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2018-11-24 16:50:28 ERROR 403: Forbidden.

[Regression Potential]
The patch was applied in apache 2.4.11. I looked for other commits after that trying to spot if there was a regression, but couldn't find any, and the same diff is present all the way up to what we have in disco now.
That being said, fixing the incorrect behavior might catch some admins by surprise: they might have been letting pages be accessed that shouldn't have, without realizing it. Or the other way around. After the upgrade, the access rule will be correctly enforced.

[Other Info]
Not at this time.

[Original Description]

Recently I updated my server from Ubuntu 12.03 LTS to Ubuntu14.03 LTS,
And I found the problem of Apache 2.4.7.
It is thought that Apache2.4.7 doesn't include authzprovideralias-defined authz provider.
So I can't set the systemuser's account to belong to Multiple organizations.
Since Apacahe2.4.11 includes authzprovideralias-defined authz provider,
I want you to make the same correspondence to Apache2.4.7.

Please put in this patch, right now!
https://bz.apache.org/bugzilla/show_bug.cgi?id=56870

See original description

Related branches

~ahasenack/ubuntu/+source/apache2:trusty-apache-authzalias-1529355
Christian Ehrhardt  (community): Approve
Canonical Server: Pending requested
Diff: 62 lines (+40/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/AuthzProviderAlias-visibility.patch (+32/-0)
debian/patches/series (+1/-0)
Revision history for this message
Hikari Kobayashi (hikari-kobayashi) wrote :

Please put in this patch, right now!
https://bz.apache.org/bugzilla/show_bug.cgi?id=56870

description: updated
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Thank you Hikari Kobayashi for reporting the issue and even doing the work identifying the patch.

This was backported to 2.4.11 and therefore obviously is also in 2.4.18.
Thereby Xenial and Wily are not affected.

Note: This is a regression 2.2.22 (precise) -> 2.4.7 (trusty) since migrating from mod_authn_alias to mod_authn_core.
Settign tags accordingly.

tags: added: regression-release trusty
Changed in apache2 (Ubuntu):
status: New → Triaged
importance: Undecided → High
farhan saleh robleh (farhn)
Changed in apache2 (Ubuntu):
assignee: nobody → farhan saleh robleh (farhn)
status: Triaged → Confirmed
Colin Watson (cjwatson)
Changed in apache2 (Ubuntu):
assignee: farhan saleh robleh (farhn) → nobody
status: Confirmed → Triaged
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

https://github.com/apache/httpd/commit/4f06dd51b464b66f956ae577f068b16486d3920b

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Confirmed the patch fixes the issue.

Without it /var/log/apache2/access.log reports this:
[Fri Nov 23 19:41:07.575706 2018] [authz_core:error] [pid 4855:tid 140320138327808] [client 10.0.100.1:56824] AH02305: no alias provider found for 'blacklisted-ips' (BUG?)

Simple config:
root@trusty-apache:/etc/apache2# cat conf-enabled/authorized.conf
<AuthzProviderAlias ip blacklisted-ips "10.0.100.1 10.10.0.50">
</AuthzProviderAlias>

And to the default vhost, I added this:
 <Directory "/var/www/html">
     <RequireAll>
         Require not blacklisted-ips
         Require all granted
     </RequireAll>
 </Directory>

Changed in apache2 (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+ref/trusty-apache-authzalias-1529355

Andreas Hasenack (ahasenack)
description: updated
Andreas Hasenack (ahasenack)
description: updated
description: updated
Andreas Hasenack (ahasenack)
description: updated
Christian Ehrhardt  (paelzer)
Changed in apache2 (Ubuntu Trusty):
status: New → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in apache2 (Ubuntu):
assignee: Andreas Hasenack (ahasenack) → nobody
status: In Progress → Fix Released
Andreas Hasenack (ahasenack)
description: updated
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Package uploaded to trusty-proposed, pending approval by the sru team.

Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Hikari, or anyone else affected,

Accepted apache2 into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apache2/2.4.7-1ubuntu4.21 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in apache2 (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-trusty
Revision history for this message
Andreas Hasenack (ahasenack) wrote :
Download full text (3.2 KiB)

trusty verification

First, reproducing the bug.

Package used:
root@trusty-apache2-1529355:~# apt-cache policy apache2
apache2:
  Installed: 2.4.7-1ubuntu4.20
  Candidate: 2.4.7-1ubuntu4.20
  Version table:
     2.4.10-1ubuntu1.1~ubuntu14.04.2 0
        100 http://br.archive.ubuntu.com/ubuntu/ trusty-backports/main amd64 Packages
 *** 2.4.7-1ubuntu4.20 0
        500 http://br.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.7-1ubuntu4 0
        500 http://br.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

- wget works:
root@trusty-apache2-1529355:~# wget localhost -O /dev/null
--2019-01-09 12:53:09-- http://localhost/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11510 (11K) [text/html]
Saving to: ‘/dev/null’

100%[========================================================================================================================================================================================>] 11,510 --.-K/s in 0s

2019-01-09 12:53:09 (143 MB/s) - ‘/dev/null’ saved [11510/11510]

error.log contains the bug line:
root@trusty-apache2-1529355:~# tail -n 1 /var/log/apache2/error.log
[Wed Jan 09 12:53:09.835097 2019] [authz_core:error] [pid 9272:tid 139970345383680] [client 127.0.0.1:34994] AH02305: no alias provider found for 'blacklisted-ips' (BUG?)

access.log shows normal access:
root@trusty-apache2-1529355:~# tail /var/log/apache2/access.log
127.0.0.1 - - [09/Jan/2019:12:53:09 +0000] "GET / HTTP/1.1" 200 11820 "-" "Wget/1.15 (linux-gnu)"

Now with the updated package:
root@trusty-apache2-1529355:~# apt-cache policy apache2
apache2:
  Installed: 2.4.7-1ubuntu4.21
  Candidate: 2.4.7-1ubuntu4.21
  Version table:
     2.4.10-1ubuntu1.1~ubuntu14.04.2 0
        100 http://br.archive.ubuntu.com/ubuntu/ trusty-backports/main amd64 Packages
 *** 2.4.7-1ubuntu4.21 0
        500 http://br.archive.ubuntu.com/ubuntu/ trusty-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.7-1ubuntu4.20 0
        500 http://br.archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     2.4.7-1ubuntu4 0
        500 http://br.archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

- wget fails, correctly:
root@trusty-apache2-1529355:~# wget localhost -O /dev/null
--2019-01-09 12:55:35-- http://localhost/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2019-01-09 12:55:35 ERROR 403: Forbidden.

error.log contains the forbidden message instead of the bug one:
[Wed Jan 09 12:55:35.360992 2019] [authz_core:error] [pid 9834:tid 139771624998656] [client 127.0.0.1:35014] AH01630: client denied by server configuration: /var/www/html/

access.log confirms the 403:
root@trusty-apache2-1529355:~# tail /var/log/apache2/access.log -n 1
127.0.0.1 - - [09/Jan/2019:12:55:35 +0000] "GE...

Read more...

tags: added: verification-done-trusty
removed: verification-needed-trusty
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.7-1ubuntu4.21

---------------
apache2 (2.4.7-1ubuntu4.21) trusty; urgency=medium

  * d/p/AuthzProviderAlias-visibility.patch: Allow <AuthzProviderAlias>'es
    to be seen from auth stanzas under virtual hosts (LP: #1529355)

 -- Andreas Hasenack <email address hidden> Fri, 23 Nov 2018 17:45:20 -0200

Changed in apache2 (Ubuntu Trusty):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for apache2 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.