Posted to apache-bugdb@apache.org by Keith Turner <ap...@keeff.com> on 1999/06/08 19:10:54 UTC

mod_setenvif/4545: No way to limit access based on REMOTE_IDENT RFC1413 identd IdentityCheck

>Number:         4545
>Category:       mod_setenvif
>Synopsis:       No way to limit access based on REMOTE_IDENT RFC1413 identd IdentityCheck
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          change-request
>Submitter-Id:   apache
>Arrival-Date:   Tue Jun  8 10:20:01 PDT 1999
>Last-Modified:
>Originator:     apache_pr@keeff.com
>Organization:
apache
>Release:        1.3.6
>Environment:
gcc version 2.8.1
SunOS mrmean 5.5.1 Generic sun4m sparc SUNW,SPARCstation-10
>Description:
No documented or predictable combination of require, allow, deny or SetEnvIf
achieves access control based on the response from the RFC1413 IdentityCheck.

Congratulations for reading this far - I appreciate your open-mindedness.
Yes, I know that ident can be spoofed by anyone with administrator privileges
or with network level access.  Yes, I know that ident is of limited value on
the internet.  However, it remains that ident is a useful technology on an
intranet or extranet.  Limitations on its use should be in the documentation
not the software.

Obviously the facility should be documented as only worth using in combination
with host address based access control between hosts you control over networks
you control.  I will undertake to write the required documentation if that will
improve the chances of the patch being adopted (and if I can grok the format).

The only problem I can see with this change is with the special logname
"unknown".  There is no way outside the core logname code to distinguish between
<no-reply-from identd> and "unknown" sent by identd.  It would be nice to move
the "unknown" string constant to the logging modules, or to make it user-
definable.  However, if this potential source of confusion is ignored, the
command sequence here works with the patch below.
>How-To-Repeat:
In httpd.conf:
SetEnvIf Remote_Ident unknown noidentsupplied
deny from env=noidentsupplied
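As an added illustration, not part of the report or the patch, the How-To-Repeat configuration is shown beside the safer form the description itself calls for (ident only as a second gate behind host-address control). It assumes the patched mod_setenvif; the directory paths and the 10.0.0.0/8 range are constructed values, not from the report.

```apache
# Weak form, as given in the report. It works only with the patch and only
# when IdentityCheck is On in this scope: with IdentityCheck Off the
# remote_ident value is NULL, the variable is never set, and the deny rule
# silently fails open. The unanchored pattern also matches any ident reply
# that merely contains the text "unknown".
<Directory /var/www/intranet-weak>
    SetEnvIf Remote_Ident unknown noidentsupplied
    deny from env=noidentsupplied
</Directory>

# Safer form: restrict by source address first (hosts and networks you
# control), then refuse requests for which identd gave no usable answer.
<Directory /var/www/intranet>
    # Without this the SetEnvIf below can never match.
    IdentityCheck On
    # Exact match on the special value returned when identd does not reply.
    SetEnvIf Remote_Ident "^unknown$" noidentsupplied
    # allow,deny: a request must match an allow AND no deny to get through.
    Order allow,deny
    # Constructed value: the managed intranet range.
    allow from 10.0.0.0/8
    # Refuse when no ident reply was obtained.
    deny from env=noidentsupplied
</Directory>
```

The safer block still inherits every caveat in the description: it only raises the bar against clients on networks you control, and a host whose administrator can answer identd arbitrarily is not constrained by it.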
>Fix:
A patch to mod_setenvif.c achieves a fairly good fix, but leaves the problem
with the "unknown" special value unanswered:
---cut-here-and-there---
*** apache_1.3.6/src/modules/standard/mod_setenvif.c	Fri Jan  1 11:05:13 1999
--- mod_setenvif.c	Mon Jun  7 12:55:54 1999
***************
*** 93,96 ****
--- 93,98 ----
   *   remote_host        Remote host name (if available)
   *   remote_addr        Remote IP address
+  *   remote_ident       Remote RFC1413 (NULL if IdentityCheck Off,
+  *					"unknown" if no reply)
   *   remote_user        Remote authenticated user (if any)
   *   request_method     Request method (GET, POST, etc)
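Review bot: the continuation line of the new comment ("unknown" if no reply) is indented with a run of tabs while the surrounding comment block is aligned with spaces; align it with spaces so the table stays readable at any tab width. The first line also reads as a truncated phrase: "Remote RFC1413 (NULL if IdentityCheck Off," would be clearer as "Remote RFC1413 ident reply (NULL if IdentityCheck Off,".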
***************
*** 124,127 ****
--- 126,130 ----
      SPECIAL_REMOTE_ADDR,
      SPECIAL_REMOTE_HOST,
+     SPECIAL_REMOTE_IDENT,
      SPECIAL_REMOTE_USER,
      SPECIAL_REQUEST_URI,
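Review bot: the new SPECIAL_REMOTE_IDENT keyword is not reflected in the mod_setenvif documentation's list of special attribute names; the report offers to write that documentation, but the patch itself carries none, so the remote_ident keyword would ship undocumented if applied as is.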
***************
*** 233,236 ****
--- 236,242 ----
  	    new->special_type = SPECIAL_REMOTE_HOST;
  	}
+ 	else if (!strcasecmp(fname, "remote_ident")) {
+ 	    new->special_type = SPECIAL_REMOTE_IDENT;
+ 	}
  	else if (!strcasecmp(fname, "remote_user")) {
  	    new->special_type = SPECIAL_REMOTE_USER;
***************
*** 347,350 ****
--- 353,359 ----
  					  REMOTE_NAME);
  		break;
+ 	    case SPECIAL_REMOTE_IDENT:
+ 		val = ap_get_remote_logname(r);
+ 		break;
  	    case SPECIAL_REMOTE_USER:
  		val = r->connection->user;
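Review bot: ap_get_remote_logname(r) returns NULL when IdentityCheck is Off (as the first hunk's comment records), so a SetEnvIf Remote_Ident rule can never match in that state and an access rule built on it, such as the "deny from env=noidentsupplied" in How-To-Repeat, fails open without any warning to the administrator. Either map the NULL case to the same "unknown" string here, for example `val = ap_get_remote_logname(r); if (!val) val = "unknown";`, so that a missing IdentityCheck still denies, or state in the comment and documentation that IdentityCheck On is required for the keyword to be meaningful. The report's own note about the "unknown" ambiguity (no reply versus an identd that literally answers "unknown") applies to this value too and should be documented next to it.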
---cut-here-and-there---
>Audit-Trail:
>Unformatted: