[Bug 1529355] Re: authzprovideralias-defined authz provider can't be used in Ubuntu14
Andreas Hasenack
andreas at canonical.com
Mon Nov 26 12:01:13 UTC 2018
** Description changed:
[Impact]
AuthzProviderAlias definitions are invisible to the authz provider inside a VirtualHost stanza. This is a regression from hardy.
Sites affected by this bug might be leaking pages that were denied
previously, because access is just granted.
[Test Case]
On trusty:
# install apache
sudo apt update
sudo apt install apache2 -y
# Add this block to /etc/apache2/sites-enabled/000-default.conf between the VirtualHost lines:
<Directory "/var/www/html">
    <RequireAll>
        Require not blacklisted-ips
        Require all granted
    </RequireAll>
</Directory>
# create the file /etc/apache2/conf-enabled/authz.conf with this content:
<AuthzProviderAlias ip blacklisted-ips "127.0.0.1">
</AuthzProviderAlias>
# restart apache2:
sudo service apache2 restart
# access localhost, which should work just fine
wget localhost -O /dev/null
# observe that /var/log/apache2/error.log contains a message like this:
AH02305: no alias provider found for 'blacklisted-ips' (BUG?)
# /var/log/apache2/access.log shows a normal GET request for /, which was allowed:
"GET / HTTP/1.1" 200 11820 "-" "Wget/1.15 (linux-gnu)"
That, and the successful request, indicate the bug.
-
With an updated apache2 package, the following happens:
# /var/log/apache2/error.log no longer contains a line questioning "blacklisted-ips", but instead logs a 403 status:
[client 127.0.0.1:53478] AH01630: client denied by server configuration: /var/www/html/
-
- # same for /var/log/apache2/access.log, showing a 403 being returned to the client:
+ # same for /var/log/apache2/access.log, showing a 403 being returned to
+ the client:
"GET / HTTP/1.1" 403 492 "-" "Wget/1.15 (linux-gnu)"
-
# and wget fails as it should:
$ wget localhost
--2018-11-24 16:50:28-- http://localhost/
Resolving localhost (localhost)... 127.0.0.1
Connecting to localhost (localhost)|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2018-11-24 16:50:28 ERROR 403: Forbidden.
[Regression Potential]
The patch was applied in apache 2.4.11. I looked for other commits after that trying to spot if there was a regression, but couldn't find any, and the same diff is present all the way up to what we have in disco now.
-
+ That being said, fixing the incorrect behavior might catch some admins by surprise: they might have been letting pages be accessed that shouldn't have, without realizing it. Or the other way around. After the upgrade, the access rule will be correctly enforced.
[Other Info]
Not at this time.
[Original Description]
Recently I updated my server from Ubuntu 12.03 LTS to Ubuntu 14.03 LTS, and I found the problem of Apache 2.4.7.
It is thought that Apache 2.4.7 doesn't include authzprovideralias-defined authz provider.
So I can't set the system user's account to belong to multiple organizations.
Since Apache 2.4.11 includes authzprovideralias-defined authz provider,
I want you to make the same correspondence to Apache 2.4.7.
Please put in this patch, right now!
https://bz.apache.org/bugzilla/show_bug.cgi?id=56870
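Added example (not part of the bug report or the apache2 package): a small Python checker for the test case above, which reads error.log and access.log lines and reports whether the AuthzProviderAlias was honoured. The full log-line prefixes and the combined access-log format are assumptions; only the fragments quoted in the report come from the page.

```python
import re

# Constructed sample log lines, modelled on the excerpts quoted in the bug
# report (timestamps, pids and the log prefixes are assumed, not from the page).
ERROR_LOG_BEFORE_FIX = [
    "[Sat Nov 24 16:40:01.000000 2018] [authz_core:error] [pid 1234] "
    "AH02305: no alias provider found for 'blacklisted-ips' (BUG?)",
]
ACCESS_LOG_BEFORE_FIX = [
    '127.0.0.1 - - [24/Nov/2018:16:40:01 +0000] "GET / HTTP/1.1" 200 11820 "-" "Wget/1.15 (linux-gnu)"',
]
ERROR_LOG_AFTER_FIX = [
    "[Sat Nov 24 16:50:28.000000 2018] [authz_core:error] [pid 1234] "
    "[client 127.0.0.1:53478] AH01630: client denied by server configuration: /var/www/html/",
]
ACCESS_LOG_AFTER_FIX = [
    '127.0.0.1 - - [24/Nov/2018:16:50:28 +0000] "GET / HTTP/1.1" 403 492 "-" "Wget/1.15 (linux-gnu)"',
]

# Combined log format: client IP first, then the quoted request line and the status code.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
# The message Apache emits when a "Require ... <alias>" cannot find its AuthzProviderAlias.
AH02305_RE = re.compile(r"AH02305: no alias provider found for '(?P<alias>[^']+)'")


def find_unresolved_aliases(error_lines):
    """Return the set of AuthzProviderAlias names Apache failed to resolve."""
    unresolved = set()
    for line in error_lines:
        m = AH02305_RE.search(line)
        if m:
            unresolved.add(m.group("alias"))
    return unresolved


def requests_wrongly_allowed(access_lines, denied_ips):
    """Return access-log entries from IPs the alias should deny that still got 2xx/3xx."""
    wrongly_allowed = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m and m.group("ip") in denied_ips and m.group("status")[0] in "23":
            wrongly_allowed.append(line)
    return wrongly_allowed


def alias_enforced(error_lines, access_lines, alias, denied_ips):
    """True when the alias resolved and no client it denies was served content."""
    if alias in find_unresolved_aliases(error_lines):
        return False
    return not requests_wrongly_allowed(access_lines, denied_ips)


if __name__ == "__main__":
    for label, err, acc in (("before fix", ERROR_LOG_BEFORE_FIX, ACCESS_LOG_BEFORE_FIX),
                            ("after fix", ERROR_LOG_AFTER_FIX, ACCESS_LOG_AFTER_FIX)):
        print(label, "enforced:", alias_enforced(err, acc, "blacklisted-ips", {"127.0.0.1"}))
```

On a real host, feed it the tail of /var/log/apache2/error.log and access.log after running the wget from the test case; the affected package yields "enforced: False", the fixed one "enforced: True".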
https://bugs.launchpad.net/bugs/1529355