** Description changed:

  [Impact]

  AuthzProviderAlias are invisible to the authz provider inside a virtualhost stanza. This is a regression from hardy. Sites affected by this bug might be leaking pages that were denied previously, because access is just granted.

  [Test Case]

  On trusty:

  # install apache
  sudo apt update
  sudo apt install apache2 -y

  # Add this block to /etc/apache2/sites-enabled/000-default.conf between the VirtualHost lines:
  <Directory "/var/www/html">
      <RequireAll>
          Require not blacklisted-ips
          Require all granted
      </RequireAll>
  </Directory>

  # create the file /etc/apache2/conf-enabled/authz.conf with this content:
  <AuthzProviderAlias ip blacklisted-ips "127.0.0.1">
  </AuthzProviderAlias>

  # restart apache2:
  sudo service apache2 restart

  # access localhost, which should work just fine
  wget localhost -O /dev/null

  # observe that /var/log/apache2/error.log contains a message like this:
  AH02305: no alias provider found for 'blacklisted-ips' (BUG?)

  # /var/log/apache2/access.log shows a normal GET request for /, which was allowed:
  "GET / HTTP/1.1" 200 11820 "-" "Wget/1.15 (linux-gnu)"

  That, and the successful request, indicate the bug.
-
  With an updated apache2 package, the following happens:

  # /var/log/apache2/error.log no longer contains a line questioning "blacklisted-ips", but instead logs a 403 status:
  [client 127.0.0.1:53478] AH01630: client denied by server configuration: /var/www/html/
-
- # same for /var/log/apache2/access.log, showing a 403 being returned to the client:
+ # same for /var/log/apache2/access.log, showing a 403 being returned to
+ the client:
  "GET / HTTP/1.1" 403 492 "-" "Wget/1.15 (linux-gnu)"
-
  # and wget fails as it should:
  $ wget localhost
  --2018-11-24 16:50:28--  http://localhost/
  Resolving localhost (localhost)... 127.0.0.1
  Connecting to localhost (localhost)|127.0.0.1|:80... connected.
  HTTP request sent, awaiting response... 403 Forbidden
  2018-11-24 16:50:28 ERROR 403: Forbidden.
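The test case above decides "fixed or not" by eye from two log lines. Below is an added example, not part of the bug report or of the apache2 package, that turns that check into a small POSIX sh script: it scans the error log for the AH02305 "no alias provider found" symptom and reads the status code Apache returned to the blocklisted client for "GET /" from the access log, then reports OK (403 enforced) or BUG (alias ignored, page served). The log lines it embeds are constructed samples in Apache's default error and combined access formats, mirroring the before/after output of the test case; the log paths in the comments are the defaults the test case uses.

```shell
#!/bin/sh
# Added example: post-upgrade check that an AuthzProviderAlias-backed
# "Require not <alias>" rule is actually enforced. Not from the bug report.
# Sample logs below are constructed; paths in comments are the trusty defaults.

# Print the last HTTP status Apache returned to CLIENT_IP for "GET /".
# Combined log format: field 1 is the client, 6/7 the method and path, 9 the status.
last_root_status() {
    client_ip=$1
    access_log=$2
    awk -v ip="$client_ip" \
        '$1 == ip && $6 == "\"GET" && $7 == "/" { s = $9 } END { print s }' \
        "$access_log"
}

# Count AH02305 "no alias provider found" messages, the symptom of the bug.
# (awk instead of grep -c so a zero count does not produce a non-zero exit.)
missing_alias_count() {
    error_log=$1
    awk '/AH02305: no alias provider found/ { n++ } END { print n + 0 }' "$error_log"
}

# Verdict for one client: exit 0 on "OK" (403 delivered), 1 on "BUG"
# (alias unresolved or page served with 200), 2 if no matching request exists.
authz_alias_verdict() {
    client_ip=$1
    error_log=$2
    access_log=$3
    if [ "$(missing_alias_count "$error_log")" -gt 0 ]; then
        echo "BUG: alias provider not found (AH02305 logged in $error_log)"
        return 1
    fi
    status=$(last_root_status "$client_ip" "$access_log")
    case $status in
        403) echo "OK: $client_ip denied with 403"; return 0 ;;
        200) echo "BUG: $client_ip served with 200 despite 'Require not' rule"; return 1 ;;
        *)   echo "UNKNOWN: no GET / from $client_ip found (status '$status')"; return 2 ;;
    esac
}

# Constructed sample logs for the two states the bug report describes.
write_sample_logs() {
    dir=$1
    mkdir -p "$dir/before" "$dir/after"
    # Unfixed apache2: alias not found, request allowed.
    cat > "$dir/before/error.log" <<'EOF'
[Sat Nov 24 16:40:00.000000 2018] [authz_core:error] [pid 1234] [client 127.0.0.1:53400] AH02305: no alias provider found for 'blacklisted-ips' (BUG?)
EOF
    cat > "$dir/before/access.log" <<'EOF'
127.0.0.1 - - [24/Nov/2018:16:40:00 +0000] "GET / HTTP/1.1" 200 11820 "-" "Wget/1.15 (linux-gnu)"
EOF
    # Fixed apache2: alias honoured, request denied.
    cat > "$dir/after/error.log" <<'EOF'
[Sat Nov 24 16:50:28.000000 2018] [authz_core:error] [pid 1235] [client 127.0.0.1:53478] AH01630: client denied by server configuration: /var/www/html/
EOF
    cat > "$dir/after/access.log" <<'EOF'
127.0.0.1 - - [24/Nov/2018:16:50:28 +0000] "GET / HTTP/1.1" 403 492 "-" "Wget/1.15 (linux-gnu)"
EOF
}

# Demo on the constructed logs. On a real host run, e.g.:
#   authz_alias_verdict 127.0.0.1 /var/log/apache2/error.log /var/log/apache2/access.log
demo_dir=$(mktemp -d)
write_sample_logs "$demo_dir"
authz_alias_verdict 127.0.0.1 "$demo_dir/before/error.log" "$demo_dir/before/access.log" || true
authz_alias_verdict 127.0.0.1 "$demo_dir/after/error.log" "$demo_dir/after/access.log" || true
rm -rf "$demo_dir"
```

The script deliberately checks the error log first: a "no alias provider found" message means the `Require not` line was never evaluated, so a 403 from some other rule would not prove the alias works. Run it against the real logs right after `wget localhost` in the test case, and before the upgrade as well, so you have a record of which rules the old package was silently ignoring.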
  [Regression Potential]

  The patch was applied in apache 2.4.11. I looked for other commits after that trying to spot if there was a regression, but couldn't find any, and the same diff is present all the way up to what we have in disco now.
-
+ That being said, fixing the incorrect behavior might catch some admins by surprise: they might have been letting pages be accessed that shouldn't have, without realizing it. Or the other way around. After the upgrade, the access rule will be correctly enforced.

  [Other Info]

  Not at this time.

  [Original Description]

  Recently I updated my server from Ubuntu 12.03 LTS to Ubuntu 14.03 LTS, and I found the problem of Apache 2.4.7. It is thought that Apache 2.4.7 doesn't include authzprovideralias-defined authz provider. So I can't set the systemuser's account to belong to Multiple organizations. Since Apache 2.4.11 includes authzprovideralias-defined authz provider, I want you to make the same correspondence to Apache 2.4.7. Please put in this patch, right now!

  https://bz.apache.org/bugzilla/show_bug.cgi?id=56870
-- 
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1529355

Title:
  authzprovideralias-defined authz provider can't be used in Ubuntu14

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1529355/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs