tag 323789 +security
thanks

Hi!

mod_auth_shadow is an Apache module which lets you perform HTTP
authentication against /etc/shadow. Whether it should act for a certain
location or directory is controlled with the AuthShadow on/off directive.
However, it seems that one of the handlers mistakenly does not check the
status of this directive, which means that mod_auth_shadow always runs for
locations which have "require group <somegroup>" specified.

This was reported upstream by someone over a year ago:
http://sourceforge.net/tracker/index.php?func=detail&aid=1008478&group_id=11283&atid=311283

Since authorization is involved, this bug is security-related. If the user
were lucky, and /etc/{group,shadow} gave access to some group, but another
authentication mechanism didn't, then this would mean granting them access
unintentionally.

I have prepared packages which seem to work for me and asked the bug
submitter to test them. I also posted the patch to the SF patch forum, and
forwarded it upstream, which might get some more testing.

The preliminary sid packages are at:
deb http://people.debian.org/~porridge/mod-auth-shadow-test/ ./

Either way, this patch inevitably changes the package behavior, since now an
explicit "AuthShadow on" is needed also with "require group <...>". I wonder
whether I should add a NEWS.Debian note...

I think that an advisory should be prepared. In that case, the behavior
change should be warned about in the advisory as well.

Please let me know what you think,

Marcin

-- 
Marcin Owsiany <porridge@debian.org>              http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
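The behaviour change described in the mail is easy to miss in a large httpd configuration: any <Location> or <Directory> block that carries "require group" but no explicit "AuthShadow on" was being authorized against /etc/group and /etc/shadow before the fix and will no longer be after it. The following script is an added example, not code from the mail or from the mod_auth_shadow project: it walks a constructed httpd.conf fragment, models the before/after semantics as stated above (unpatched: any "require group" triggers the module regardless of AuthShadow; patched: only an explicit "AuthShadow on" does), and reports the blocks whose effective authentication changes. The sample configuration is constructed for illustration; the only mod_auth_shadow-specific directive used is AuthShadow on/off from the mail, and the parser is a deliberate simplification of Apache syntax (no Include, no nested sections, no .htaccess).

```python
import re
from collections import namedtuple

# Constructed sample httpd.conf fragment (illustration only, not from the
# mail or from mod_auth_shadow). /admin relies on "require group" without any
# AuthShadow directive; /ops sets it explicitly; the Directory block says
# "AuthShadow off", which the unpatched handler ignored.
SAMPLE_CONF = """\
<Location /admin>
    AuthType Basic
    AuthName "Admin"
    require group wheel
</Location>

<Location /ops>
    AuthType Basic
    AuthName "Ops"
    AuthShadow on
    require group ops
</Location>

<Directory /var/www/private>
    AuthType Basic
    AuthName "Private"
    AuthShadow off          # ignored by the buggy handler
    require group staff
</Directory>
"""

Block = namedtuple("Block", "kind path require_group auth_shadow")

_OPEN = re.compile(r"^\s*<(Location|Directory|LocationMatch|DirectoryMatch)\s+(.+?)\s*>\s*$", re.I)
_CLOSE = re.compile(r"^\s*</(Location|Directory|LocationMatch|DirectoryMatch)>\s*$", re.I)
_REQ_GROUP = re.compile(r"^\s*require\s+group\s+(.+?)\s*$", re.I)
_AUTHSHADOW = re.compile(r"^\s*AuthShadow\s+(on|off)\s*$", re.I)


def parse_blocks(conf):
    """Collect top-level Location/Directory sections with the two directives we care about."""
    blocks, cur = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0]          # strip Apache comments
        m = _OPEN.match(line)
        if m:
            cur = {"kind": m.group(1), "path": m.group(2).strip('"'), "groups": [], "shadow": None}
            continue
        if _CLOSE.match(line) and cur is not None:
            blocks.append(Block(cur["kind"], cur["path"], tuple(cur["groups"]), cur["shadow"]))
            cur = None
            continue
        if cur is None:
            continue                         # directive outside any section
        m = _REQ_GROUP.match(line)
        if m:
            cur["groups"].extend(m.group(1).split())
        m = _AUTHSHADOW.match(line)
        if m:
            cur["shadow"] = m.group(1).lower() == "on"
    return blocks


def shadow_active(block, patched):
    """Whether mod_auth_shadow consults /etc/shadow for this section.

    Unpatched: the group handler never checked AuthShadow, so any
    "require group" activates it (even with "AuthShadow off").
    Patched: only an explicit "AuthShadow on" does.
    """
    if block.auth_shadow is True:
        return True
    return (not patched) and bool(block.require_group)


def audit(conf):
    """Return (path, active_before_fix, active_after_fix) for sections whose behaviour changes."""
    changed = []
    for b in parse_blocks(conf):
        before, after = shadow_active(b, patched=False), shadow_active(b, patched=True)
        if before != after:
            changed.append((b.path, before, after))
    return changed


if __name__ == "__main__":
    for path, before, after in audit(SAMPLE_CONF):
        print(f"{path}: shadow auth before fix={before}, after fix={after}; add 'AuthShadow on' if intended")
```

Run against a real configuration, the output is the list of sections an administrator must touch (by adding "AuthShadow on") before upgrading, which is exactly what a NEWS.Debian entry or the advisory would need to tell them; sections already carrying "AuthShadow on" are unaffected, and sections with "AuthShadow off" silently stop consulting /etc/shadow, which is the behaviour the directive always promised.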