tag 323789 +security
thanks

Hi!

mod_auth_shadow is an Apache module which lets you perform HTTP
authentication against /etc/shadow. Whether it should act for a certain
location or directory is controlled with the AuthShadow on/off directive.

However, it seems that one of the handlers mistakenly does not check the
status of this directive, which means that mod_auth_shadow always runs
for locations which have "require group <somegroup>" specified.

This was reported upstream by someone over a year ago
http://sourceforge.net/tracker/index.php?func=detail&aid=1008478&group_id=11283&atid=311283

Since authorization is involved, this bug is security-related. If the
user were lucky, and /etc/{group,shadow} gave access to some group, but
another authentication mechanism didn't, then this would mean granting
them access unintentionally.

I have prepared packages which seem to work for me and asked the bug
submitter to test them. I also posted the patch to the SF patch forum,
and forwarded it upstream, which might get some more testing.
The preliminary sid packages are at
deb http://people.debian.org/~porridge/mod-auth-shadow-test/ ./

Either way, this patch inevitably changes the package behavior, since
now an explicit "AuthShadow on" is needed also with "require group
<...>". I wonder whether I should add a NEWS.Debian note...

I think that an advisory should be prepared. In that case, the behavior
change should be warned about in the advisory as well.

Please let me know what you think,

Marcin
-- 
Marcin Owsiany <[EMAIL PROTECTED]>             http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216
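An added illustration of the handler flaw described in this mail (not code from mod_auth_shadow or from the patch): a self-contained C simulation of an httpd-style auth_checker chain, using constructed group tables and a hypothetical per-directory config struct, that shows the handler shape which ignores AuthShadow beside one that declines when the directive is off.

```c
#include <string.h>

enum { DECLINED = -1, OK = 0 };

/* Hypothetical per-directory config, filled in by the "AuthShadow on|off" directive. */
typedef struct { int auth_shadow_on; } shadow_dir_config;

/* Constructed stand-in for /etc/group (name:passwd:gid:member,member,...). */
static const char *const ETC_GROUP[] = { "wheel:x:10:alice,bob", "staff:x:50:carol", NULL };
/* Constructed table of the other, intended authz mechanism (same layout for brevity):
 * bob is in the system "wheel" group but NOT in this one. */
static const char *const OTHER_GROUPS[] = { "wheel:x:10:alice", NULL };

/* Is `user` listed in the member field of `group` in the given table? */
static int group_has(const char *const *table, const char *group, const char *user) {
    size_t glen = strlen(group), ulen = strlen(user);
    for (int i = 0; table[i]; i++) {
        const char *line = table[i];
        if (strncmp(line, group, glen) != 0 || line[glen] != ':') continue;
        const char *m = strrchr(line, ':') + 1;            /* last field: member list */
        while (*m) {
            const char *end = strchr(m, ',');
            size_t len = end ? (size_t)(end - m) : strlen(m);
            if (len == ulen && strncmp(m, user, len) == 0) return 1;
            if (!end) break;
            m = end + 1;
        }
    }
    return 0;
}

/* Flawed shape from the report: cfg is never consulted, so every "require group" is answered. */
static int shadow_authz_buggy(const shadow_dir_config *cfg, const char *user, const char *group) {
    (void)cfg;
    return group_has(ETC_GROUP, group, user) ? OK : DECLINED;
}

/* Fixed shape: with AuthShadow off, DECLINE so the module the admin configured decides. */
static int shadow_authz_fixed(const shadow_dir_config *cfg, const char *user, const char *group) {
    if (!cfg->auth_shadow_on) return DECLINED;
    return group_has(ETC_GROUP, group, user) ? OK : DECLINED;
}

/* Run the authz chain as httpd does: the first handler that does not DECLINE decides. Returns 1 if granted. */
static int authorized(int (*shadow)(const shadow_dir_config *, const char *, const char *),
                      const shadow_dir_config *cfg, const char *user, const char *group) {
    if (shadow(cfg, user, group) == OK) return 1;
    return group_has(OTHER_GROUPS, group, user);   /* the intended mechanism */
}
```

With AuthShadow off, the buggy chain grants bob access to a "require group wheel" location purely because /etc/group lists him, while the fixed chain defers to the intended mechanism and denies him.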
