Posted to users@httpd.apache.org by brian dodds <br...@rm-r.net> on 2003/12/08 09:49:10 UTC

[users@httpd] apache ignoring AuthUserFile, checking shadow?

i've got a problem that's crept into an apache installation..
unfortunately i can't pinpoint a particular change that caused this
problem..  the version i'm running is now 1.3.28 with the php 4.1.2 and
mod_perl 1.28 extensions..  mod_auth seems to have broken at some
point, and i'm curious to find out if what i have is a configuration
issue, or something that needs to be fixed with a
reconfigure/recompile of the server software.. i know i'm not at the latest
versions of everything, and that's because i'm waiting to get the time
to test out an installation, rather than run apt-get and cross my
fingers - i've got a lot of traffic on this installation and can't afford
the downtime, and can't seem to find the time to recompile everything
and hope that fixes it without more information..

anyhow, the problem is that regardless of the contents of AuthUserFile,
users get refused access to .htaccess basic auth protected directories..
an investigation into the running thread shows that the .htaccess file
is being found a-ok, but the .htpasswd file isn't even queried:

17981 open("/home/bri/public_html/.htaccess", O_RDONLY|O_LARGEFILE) = 4
17981 read(4, "AuthUserFile /home/bri/public_html/.htpasswd\nAuthName
\"Realm\"\nAuthType Basic\n<Limit GET POST>\n    require valid-user\n
</Limit>\n", 4096) = 132
17981 read(4, "", 4096)                 = 0
17981 close(4)                          = 0
17981 open("/etc/shadow", O_RDONLY)     = -1 EACCES (Permission denied)
17981 write(15, "[Fri Dec  5 04:12:46 2003] [error] user bri not found:
/~bri/\n", 57) = 57

the open("/etc/shadow") line will repeat for as long as i try to log
in..  the .htpasswd file exists with the proper permissions for the
apache user to read the file..  if i allow the apache user to read the
shadow file (which i did for a very small period of time) it works and
i'm allowed in, provided i use a valid system user..

very odd.. i've tried to STFW for references to apache using
/etc/shadow, but it seems to be something that people are trying to make
it do, rather than trying to make it not do, as is my case..

anything popping out as obvious?

many thanks in advance,

bri..



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] apache ignoring AuthUserFile, checking shadow?

Posted by Joshua Slive <jo...@slive.ca>.
On Mon, 8 Dec 2003, brian dodds wrote:
> problem..  the version i'm running is now 1.3.28 with the php 4.1.2 and
> mod_perl 1.28 extensions..  mod_auth seems to have broken at some

> 17981 open("/home/bri/public_html/.htaccess", O_RDONLY|O_LARGEFILE) = 4
> 17981 read(4, "AuthUserFile /home/bri/public_html/.htpasswd\nAuthName
> \"Realm\"\nAuthType Basic\n<Limit GET POST>\n    require valid-user\n
> </Limit>\n", 4096) = 132

Oops.  The fact that you are using <Limit GET POST> tells me you haven't
been reading the documentation.  Please go read the docs for <Limit>.

> 17981 read(4, "", 4096)                 = 0
> 17981 close(4)                          = 0
> 17981 open("/etc/shadow", O_RDONLY)     = -1 EACCES (Permission denied)
> 17981 write(15, "[Fri Dec  5 04:12:46 2003] [error] user bri not found:
> /~bri/\n", 57) = 57
>
> the open("/etc/shadow") line will repeat for as long as i try to log
> in..  the .htpasswd file exists with the proper permissions for the
> apache user to read the file..  if i allow the apache user to read the
> shadow file (which i did for a very small period of time) it works and
> i'm allowed in, provided i use a valid system user..
>
> very odd.. i've tried to STFW for references to apache using
> /etc/shadow, but it seems to be something that people are trying to make
> it do, rather than trying to make it not do, as is my case..

Correct.  Apache (as distributed from apache.org) will never look up
passwords in the system password database.  Which leads me to believe you
have a modified apache or are using a third-party module that does this.
For example, the cobalt cube used to do this by default.

So, why don't you tell us exactly where you got apache from, and exactly
what modules you are using.

Joshua.
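
Added example, not part of the original thread: a small Python check that automates the strace comparison made above by listing every AuthUserFile a worker read from .htaccess but never opened, and every attempt to open the shadow database. The function and constant names are hypothetical, the traces are constructed samples modelled on the one in the post, and it assumes the trace was captured with a string size (strace -s) large enough to show the whole .htaccess read.

```python
import re

# Constructed sample modelled on the trace in the thread (wrapped lines joined).
SAMPLE_TRACE = r'''17981 open("/home/bri/public_html/.htaccess", O_RDONLY|O_LARGEFILE) = 4
17981 read(4, "AuthUserFile /home/bri/public_html/.htpasswd\nAuthName \"Realm\"\nAuthType Basic\n<Limit GET POST>\n    require valid-user\n</Limit>\n", 4096) = 126
17981 read(4, "", 4096)                 = 0
17981 close(4)                          = 0
17981 open("/etc/shadow", O_RDONLY)     = -1 EACCES (Permission denied)
'''

# Constructed contrast case: the worker opens the file AuthUserFile names.
HEALTHY_TRACE = r'''4242 open("/srv/www/.htaccess", O_RDONLY) = 4
4242 read(4, "AuthUserFile /srv/www/.htpasswd\nAuthType Basic\n", 4096) = 47
4242 open("/srv/www/.htpasswd", O_RDONLY) = 5
'''

# open()/openat() with an optional leading pid (present when strace follows forks).
OPEN_RE = re.compile(
    r'^(?:(\d+)\s+)?open(?:at)?\((?:AT_FDCWD,\s*)?"([^"]+)"[^)]*\)'
    r'\s*=\s*(-?\d+)(?:\s+(E\w+))?')
# strace prints newlines inside buffers as a literal backslash-n, so the
# path ends at the first backslash, quote or whitespace.
AUTHFILE_RE = re.compile(r'AuthUserFile\s+([^\s\\"]+)')
# Assumption: only the shadow files are flagged; /etc/passwd is read by
# many legitimate lookups and would be noisy.
SHADOW_DBS = {"/etc/shadow", "/etc/gshadow"}

def analyze(trace):
    """Return AuthUserFile paths that were never opened, plus shadow opens."""
    declared, opened, shadow_hits = set(), set(), []
    for line in trace.splitlines():
        declared.update(AUTHFILE_RE.findall(line))
        m = OPEN_RE.match(line)
        if not m:
            continue
        pid, path, _ret, errno = m.groups()
        opened.add(path)
        if path in SHADOW_DBS:
            shadow_hits.append((pid, path, errno or "OK"))
    return {"unread_authfiles": sorted(declared - opened),
            "shadow_hits": shadow_hits}

if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("healthy", HEALTHY_TRACE)):
        print(name, analyze(trace))
```

A non-empty shadow_hits list together with an unread AuthUserFile is the pattern from the post: some module other than the stock file-based one is answering the Basic auth check.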
