Posted to apache-bugdb@apache.org by Abid Farooqui <fa...@tampabay.rr.com> on 2000/03/12 22:26:26 UTC

config/5862: Serious Bugs found using AuthUser and AuthGroup ...

>Number:         5862
>Category:       config
>Synopsis:       Serious Bugs found using AuthUser and AuthGroup ...
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sun Mar 12 13:30:00 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     farooqui@tampabay.rr.com
>Release:        1.3.6
>Organization:
apache
>Environment:
NT 4.0 Service Pack5
>Description:
Here is what I discovered ... 
An example of directory authentication from httpd.conf file looks something like this: 

<Directory "D:/IBM HTTP Server/htdocs/protected/farooqui_enterprises/">
AllowOverride None
Satisfy all
AuthName "Farooqui Enterprises"
AuthType Basic
AuthGroupFile "d:/ibm http server/authentication/authg"
AuthUserFile "D:/ibm http server/authentication/authi"
<Limit GET POST>
require group "farooqui enterprises"
</Limit>
</Directory>

Now the group "farooqui enterprises" has only one user in it ... say the username is "abc". The authi file for user
level authentication has 2 usernames in it ... "abc" and "def". Even though I specify Require group "farooqui
enterprises", I can still log on as user "def". This is not what I expected at all.
I expected that only users in the group "farooqui enterprises", which in my example here would be the user "abc",
could log on and access that directory. User "def" should not have been able to access this directory at all. He has
nothing to do with group "farooqui enterprises" at all. Username "def" simply exists in the authi file ... which is the
name of the AuthUserFile.
I tried searching for a similar problem but did not come up with something close
enough for Apache on NT.
>How-To-Repeat:
See above
>Fix:
It seems like require group "farooqui enterprises" is being completely ignored
and all users (regardless of what group they belong to, or whether they belong to any
group at all) in the AuthUserFile (in my example authi) can log in with correct userid
and password. There may be something not clarified in the documentation. Maybe
something is overwriting the require group and the docs are not explaining what it could be,
to the best of my knowledge.
>Release-Note:
>Audit-Trail:
>Unformatted:
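As an added check (not part of this bug report and not Apache's own code), the following Python model combines an AuthUserFile, an AuthGroupFile and a single "require" line the way the report expects, so an administrator can compare the users a configuration is meant to admit against what the server actually lets in. The file contents are constructed from the report (placeholder password hashes), and shlex is used as a stand-in for Apache's quoted-word tokenizer.

```python
import shlex

# Constructed from the report: the AuthUserFile ("authi") lists two users,
# the AuthGroupFile ("authg") puts only "abc" in the group.
# The hashes are placeholders, not real htpasswd output.
USER_FILE = """abc:$apr1$PLACEHOLDER$hash1
def:$apr1$PLACEHOLDER$hash2
"""
GROUP_FILE = """# htgroup format: groupname: member member ...
farooqui enterprises: abc
"""

def parse_user_file(text):
    """Return the set of usernames in an htpasswd-style file."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        users.add(line.split(":", 1)[0])
    return users

def parse_group_file(text):
    """Return {group_name: set(members)}; group names may contain spaces."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, members = line.partition(":")
        groups[name.strip()] = set(members.split())
    return groups

def allowed_users(require_line, users, groups):
    """Users that satisfy one 'require' directive (valid-user, user, group)."""
    words = shlex.split(require_line)  # assumption: quoted names stay one word
    if not words or words[0].lower() != "require":
        raise ValueError("not a require directive: %r" % require_line)
    kind, names = words[1], words[2:]
    if kind == "valid-user":
        return set(users)
    if kind == "user":
        return users & set(names)
    if kind == "group":
        allowed = set()
        for g in names:
            allowed |= groups.get(g, set())
        return users & allowed
    raise ValueError("unsupported require type: %s" % kind)

def check(require_line, user_text=USER_FILE, group_text=GROUP_FILE):
    """Sorted list of users one require line should admit for these files."""
    return sorted(allowed_users(require_line, parse_user_file(user_text),
                                parse_group_file(group_text)))
```

Running check('require group "farooqui enterprises"') returns ['abc'], the result the report expected; any configuration that also admits "def" is behaving like "require valid-user".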