Posted to dev@httpd.apache.org by Sander Temme <sc...@covalent.net> on 2002/10/03 08:22:18 UTC

Deny from hostname broken in 2.0 on MacOSX 10.2

Dear list,

On MacOSX 10.2 "Jaguar", hostname based access control is broken in Apache
2.0. This problem appears in the access tests of the perl-framework, where
any test that tests something like 'Deny from localhost' fails. I have since
determined that deny from any other hostname is broken as well.

This problem goes away when Apache 2.0 is configured to disable IPv6
support. 

I have stepped through the code of a regular (IPv6-enabled) build a bit and
it appears that what comes back from accept(2) is an IPv6 address, which
apparently doesn't resolve correctly from mod_authz_host.c. Indeed, the
remote address information is eventually (sa_common.c:508) passed to
getnameinfo(3) which returns unsuccessfully with EAI_NONAME.

I'm not very familiar with IPv6, but I know that my DNS only has IPv4
addresses. Is there no fallback where it looks up based on the IPv4 address
when it can't find resolution for IPv6? Anyway. Very unfortunate that this
getnameinfo call borks on resolving the IPv6 version of localhost because
that's what makes the tests fail. I think, however, that this is a platform
error and not Apache-specific. As for reverse resolving IPv6 addresses in
general, I don't think any network I connect to on a regular basis is set up
for that. I have tried this on an IPv6-enabled FreeBSD box and all tests
pass. This one however has a line defining localhost as ::1 as well as one
for 127.0.0.1. Maybe I should try adding that to the Jaguar box. I don't
think I have tried access control from other host names on that FreeBSD box.

Could anyone opine on how serious this is and whether we should (could?)
disable IPv6 by default on Jaguar?

Thank you for your time,

S.

-- 
Covalent Technologies                             sctemme@covalent.net
Engineering group                                Voice: (415) 856 4214
303 Second Street #375 South                       Fax: (415) 856 4210
San Francisco CA 94107

   PGP Fingerprint: 1E74 4E58 DFAC 2CF5 6A03  5531 AFB1 96AF B584 0AB1

=======================================================
This email message is for the sole use of the intended recipient(s) and may
contain confidential and privileged information. Any unauthorized review,
use, disclosure or distribution is prohibited.  If you are not the intended
recipient, please contact the sender by reply email and destroy all copies
of the original message
=======================================================


Re: [PATCH] Re: Deny from hostname broken in 2.0 on MacOSX 10.2

Posted by Justin Erenkrantz <je...@apache.org>.
--On Thursday, October 3, 2002 9:46 AM -0400 Jeff Trawick 
<tr...@attglobal.net> wrote:

> This patch disables IPv6 on Darwin.  I think it is needed until there
> is a fix from Apple or we figure out that we're doing something wrong.

ISTR a thread on darwin-development about IPv6 and lookups being broken.  I 
don't have the details, but I *think* Apple is aware of this.

Does anyone else remember this thread?  Or, am I confusing this with 
something else?  -- justin

Re: [PATCH] Re: Deny from hostname broken in 2.0 on MacOSX 10.2

Posted by Jeff Trawick <tr...@attglobal.net>.
Justin Erenkrantz <je...@apache.org> writes:

> --On Thursday, October 3, 2002 11:37 AM -0400 Jeff Trawick
> <tr...@attglobal.net> wrote:
> 
> > I committed the patch as-is...  somebody with recent autoconf can play
> > with the quotes later :)
> 
> Actually, we can do better than this.
> 
> If you pass NI_NAMEREQD to getnameinfo(), it will return an error code
> of 8 (forget the symbolic code).

understood, but that only serves to make the output from the test
program more obvious

>                                 The bigger problem is that
> server/core.c:778 throws away the return code.  (Note that your test
> program doesn't pass that, but apr_getnameinfo does.)

Setting remote_host to "" is supposed to indicate a name lookup
failure, right?  and ap_get_remote_host() will return NULL in that
case...  the caller of that needs to do the right thing.

Is mod_authz_host::find_allowdeny() doing the right thing when
ap_get_remote_host() fails?  I guess it has to fail access since it
doesn't know whether or not the client is allowed or denied.

> We should be failing the lookups when we get an error back from
> getnameinfo().  Your test program modified to pass NI_NAMEREQD on
> Darwin:
> 
> % ./gni_mapped
> look up via IPv4: 0/www.ibm.com
> look up via IPv6: 8/not found
> 
> I'd rather we fixed that than disable IPv6 across the board on
> Darwin. That way, when it is fixed, we don't have to do anything.
> And, whenever we get an error from apr_getnameinfo(), we don't ignore
> it.  -- justin

AFAICT, if we don't disable IPv6 or somehow add a Darwin kludge around
the call to getnameinfo(), the call to getnameinfo() will still fail
and the access checks will still not work properly.  Nothing you
mention is going to make getnameinfo() work properly or work-around
the bug, so how are allow and deny going to work?

What have I missed?

-- 
Jeff Trawick | trawick@attglobal.net
Born in Roswell... married an alien...

Re: [PATCH] Re: Deny from hostname broken in 2.0 on MacOSX 10.2

Posted by Justin Erenkrantz <je...@apache.org>.
--On Thursday, October 3, 2002 11:37 AM -0400 Jeff Trawick 
<tr...@attglobal.net> wrote:

> I committed the patch as-is...  somebody with recent autoconf can play
> with the quotes later :)

Actually, we can do better than this.

If you pass NI_NAMEREQD to getnameinfo(), it will return an error code of 8 
(forget the symbolic code).  The bigger problem is that server/core.c:778 
throws away the return code.  (Note that your test program doesn't pass 
that, but apr_getnameinfo does.)

We should be failing the lookups when we get an error back from 
getnameinfo().  Your test program modified to pass NI_NAMEREQD on Darwin:

% ./gni_mapped
look up via IPv4: 0/www.ibm.com
look up via IPv6: 8/not found

I'd rather we fixed that than disable IPv6 across the board on Darwin. 
That way, when it is fixed, we don't have to do anything.  And, whenever we 
get an error from apr_getnameinfo(), we don't ignore it.  -- justin

Re: [PATCH] Re: Deny from hostname broken in 2.0 on MacOSX 10.2

Posted by Jeff Trawick <tr...@attglobal.net>.
Sander Temme <sc...@covalent.net> writes:

> Seems to do the right thing here:

Thanks for testing...

> checking if APR supports IPv6... "no -- the platform has problems supporting
> IPv6"

those quotes suck, but it looks like that whole section of
configure.in does not agree with some level of autoconf w.r.t. quoting

I committed the patch as-is...  somebody with recent autoconf can play
with the quotes later :)

-- 
Jeff Trawick | trawick@attglobal.net
Born in Roswell... married an alien...

Re: [PATCH] Re: Deny from hostname broken in 2.0 on MacOSX 10.2

Posted by Sander Temme <sc...@covalent.net>.
> This patch disables IPv6 on Darwin.  I think it is needed until there
> is a fix from Apple or we figure out that we're doing something wrong.

+1

Tested on:

Darwin shadow.local. 6.1 Darwin Kernel Version 6.1: Fri Sep  6 23:24:34 PDT
2002; root:xnu/xnu-344.2.obj~2/RELEASE_PPC  Power Macintosh powerpc

Seems to do the right thing here:

Checking for IPv6 Networking support...

checking for library containing getaddrinfo... none required
checking for library containing gai_strerror... none required
checking for library containing getnameinfo... none required
checking for gai_strerror... yes
checking for working getaddrinfo... yes
checking for negative error codes for getaddrinfo... no
checking for working getnameinfo... yes
checking for sockaddr_in6... yes
checking if APR supports IPv6... "no -- the platform has problems supporting
IPv6"

S.



[PATCH] Re: Deny from hostname broken in 2.0 on MacOSX 10.2

Posted by Jeff Trawick <tr...@attglobal.net>.
This patch disables IPv6 on Darwin.  I think it is needed until there
is a fix from Apple or we figure out that we're doing something wrong.

This patch manages to avoid screwing up IPv6 detection on Linux, but
that is about all I can say about it.

Index: configure.in
===================================================================
RCS file: /home/cvs/apr/configure.in,v
retrieving revision 1.483
diff -u -r1.483 configure.in
--- configure.in	22 Sep 2002 19:26:41 -0000	1.483
+++ configure.in	3 Oct 2002 13:39:44 -0000
@@ -1748,6 +1748,17 @@
     fi ],
   [ user_disabled_ipv6=0 ] )
 
+case $host in
+  *apple-darwin*)
+    dnl # It appears that Jaguar has all the right features, but
+    dnl # getnameinfo() fails to find the hostname for a mapped
+    dnl # address.
+    broken_ipv6=1
+    ;;
+  *)
+    broken_ipv6=0
+esac
+
 AC_SEARCH_LIBS(getaddrinfo, inet6)
 AC_SEARCH_LIBS(gai_strerror, inet6)
 AC_SEARCH_LIBS(getnameinfo, inet6)
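Review bot: the new case arm turns IPv6 off for every `*apple-darwin*` host with no version check and no way to force it back on: `user_disabled_ipv6` only ever disables, so once Apple ships a fix, users on a fixed release still lose IPv6 until configure.in is edited again. Consider matching the Darwin release in the pattern as soon as the first working version is known, or adding an explicit enable option that overrides `broken_ipv6`. Minor: the `*)` arm has no `;;` before `esac`; that is legal for the last arm, but the first arm has one.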
@@ -1762,19 +1773,23 @@
 if test "$user_disabled_ipv6" = 1; then
     AC_MSG_RESULT("no -- disabled by user")
 else
-    if test "x$have_sockaddr_in6" = "x1"; then
-        if test "x$ac_cv_working_getaddrinfo" = "xyes"; then
-            if test "x$ac_cv_working_getnameinfo" = "xyes"; then
-                have_ipv6="1"
-                AC_MSG_RESULT("yes")
+    if test "x$broken_ipv6" = "x0"; then
+        if test "x$have_sockaddr_in6" = "x1"; then
+            if test "x$ac_cv_working_getaddrinfo" = "xyes"; then
+                if test "x$ac_cv_working_getnameinfo" = "xyes"; then
+                    have_ipv6="1"
+                    AC_MSG_RESULT("yes")
+                else
+                    AC_MSG_RESULT("no -- no getnameinfo")
+                fi
             else
-                AC_MSG_RESULT("no -- no getnameinfo")
+                AC_MSG_RESULT("no -- no working getaddrinfo")
             fi
         else
-            AC_MSG_RESULT("no -- no working getaddrinfo")
+            AC_MSG_RESULT("no -- no sockaddr_in6");
         fi
     else
-        AC_MSG_RESULT("no -- no sockaddr_in6");
+        AC_MSG_RESULT("no -- the platform has problems supporting IPv6");
     fi
 fi
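Review bot: `AC_MSG_RESULT("no -- the platform has problems supporting IPv6");` copies the double-quoted string and trailing semicolon from the `sockaddr_in6` line next to it, so the quotes appear verbatim in configure's output (as the test run posted in this thread shows) and the `;` is inconsistent with the other branches. Dropping the `;` and using autoconf's `[...]` quoting for all four messages would tidy this; alternatively, test `$broken_ipv6` first with its own `AC_MSG_RESULT` and `else`, which keeps the existing three-level nesting unchanged and makes the diff far smaller.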


-- 
Jeff Trawick | trawick@attglobal.net
Born in Roswell... married an alien...

Re: Deny from hostname broken in 2.0 on MacOSX 10.2

Posted by Sander Temme <sc...@covalent.net>.
> Sander Temme <sc...@covalent.net> writes:
> 
>> Looks like it does the right thing:
> 
> no, look how it bungled finding the hostname when passed a mapped
> address (like we would get back from accept):

Argh. Goes to prove that I shouldn't get up in the middle of the night to do
stuff like that. 

S.



Re: Deny from hostname broken in 2.0 on MacOSX 10.2

Posted by Jeff Trawick <tr...@attglobal.net>.
Sander Temme <sc...@covalent.net> writes:

> Looks like it does the right thing:

no, look how it bungled finding the hostname when passed a mapped
address (like we would get back from accept):

> [MonaLisa:~/projects/ipv6test] sctemme% ./gni_mapped
> look up via IPv4: 0/www.ibm.com
> look up via IPv6: 0/::ffff:812a:1263
> [MonaLisa:~/projects/ipv6test] sctemme%

Beyond AIX and Linux which I tried before, it also works correctly on
FreeBSD 4.6 (I had to add <sys/types.h> to get it to compile), Solaris
8, and Tru64.

Apache/APR needs the second lookup to work correctly, which I think
is fair.  So I think we need to change APR to disable IPv6 support on
Darwin and we need to note the requirement for --disable-ipv6 in the
apply_to_xxx directories for existing Apache releases.

When this gets resolved, then we can check for specific Darwin levels
that are known to work.  We could possibly code a work-around in APR
(convert mapped addresses to pure IPv4 before calling getnameinfo()),
but unless somebody really has to have IPv6 right now it may be better
to wait for something official from Apple instead of risking bungling the
work-around and making it more confusing.

(Alternatively, I could be really disoriented but it doesn't seem that
way at the moment.)

-- 
Jeff Trawick | trawick@attglobal.net
Born in Roswell... married an alien...
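An added example, not code from this thread or from APR, that puts together the two fixes discussed above: Jeff's work-around of converting a v4-mapped address to a plain AF_INET sockaddr before calling getnameinfo(), and Justin's point that the getnameinfo() return code must not be thrown away. The function names are mine; the probe uses NI_NUMERICHOST so it runs without a resolver, and NI_NAMEREQD in its place reproduces the gni_mapped test.

```c
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
/* Jeff's proposed work-around: when the address is v4-mapped (::ffff:a.b.c.d,
 * what accept() returns for an IPv4 client on an IPv6 listener), hand
 * getnameinfo() an equivalent AF_INET sockaddr.  Returns 1 if converted. */
static int unmap_if_v4mapped(const struct sockaddr *sa, socklen_t salen,
                             struct sockaddr_storage *out, socklen_t *outlen)
{
    if (sa->sa_family == AF_INET6 && salen >= sizeof(struct sockaddr_in6)) {
        const struct sockaddr_in6 *sa6 = (const struct sockaddr_in6 *)sa;
        if (IN6_IS_ADDR_V4MAPPED(&sa6->sin6_addr)) {
            struct sockaddr_in *sa4 = (struct sockaddr_in *)out;
            memset(sa4, 0, sizeof(*sa4));
            sa4->sin_family = AF_INET;
            sa4->sin_port = sa6->sin6_port;
            /* the IPv4 address is the low-order four bytes */
            memcpy(&sa4->sin_addr, &sa6->sin6_addr.s6_addr[12], 4);
            *outlen = sizeof(*sa4);
            return 1;
        }
    }
    memcpy(out, sa, salen);
    *outlen = salen;
    return 0;
}

/* Reverse lookup that keeps getnameinfo()'s return code (Justin's point about
 * core.c): on failure host becomes "" and the EAI_* code is returned, so an
 * allow/deny caller can refuse rather than match against an empty name. */
static int lookup_host(const struct sockaddr *sa, socklen_t salen, int flags,
                       char *host, size_t hostlen)
{
    struct sockaddr_storage ss;
    socklen_t sslen;
    unmap_if_v4mapped(sa, salen, &ss, &sslen);
    int rc = getnameinfo((struct sockaddr *)&ss, sslen, host, hostlen, NULL, 0, flags);
    if (rc != 0)
        host[0] = '\0';
    return rc;
}

/* Offline probe: parse an IPv6 literal, run it through the path above with
 * NI_NUMERICHOST (no resolver needed) and return the host string, or "" on
 * error.  Use NI_NAMEREQD instead to reproduce the thread's gni_mapped test. */
static const char *demo_numeric(const char *literal)
{
    static char host[256];
    struct sockaddr_in6 sa6;
    memset(&sa6, 0, sizeof(sa6));
    sa6.sin6_family = AF_INET6;
    if (inet_pton(AF_INET6, literal, &sa6.sin6_addr) != 1)
        return "";
    lookup_host((struct sockaddr *)&sa6, sizeof(sa6), NI_NUMERICHOST, host, sizeof(host));
    return host;
}
```

Without the unmapping step the first probe below would come back as "::ffff:10.1.2.3", which is exactly the literal Sander's and Dirk's runs printed instead of a hostname.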

Re: Deny from hostname broken in 2.0 on MacOSX 10.2

Posted by Dirk-Willem van Gulik <di...@webweaving.org>.
> > http://www.apache.org/~trawick/gni_mapped.c
> > and see what happens?  It should print
> >
> > look up via IPv4: 0/www.ibm.com
> > look up via IPv6: 0/www.ibm.com
>

[dyn-205:~/tmp/g] dirkx% gcc gni_mapped.c
	gni_mapped.c: In function `main':
	gni_mapped.c:35: warning: implicit declaration of function `strcpy'
[dyn-205:~/tmp/g] dirkx% ./a.out
	look up via IPv4: 0/www.ibm.com
	look up via IPv6: 0/::ffff:812a:1263
[dyn-205:~/tmp/g] dirkx%

On Darwin dyn-205.leiden.webweaving.org 6.1 Darwin Kernel Version 6.1: Fri
	Sep  6 23:24:34 PDT 2002; root:xnu/xnu-344.2.obj~2/RELEASE_PPC  Power
	Macintosh powerpc

Dw


Re: Deny from hostname broken in 2.0 on MacOSX 10.2

Posted by Sander Temme <sc...@covalent.net>.
>> I have stepped through the code of a regular (IPv6-enabled) build a bit and
>> it appears that what comes back from accept(2) is an IPv6 address, which
>> apparently doesn't resolve correctly from mod_authz_host.c. Indeed, the
>> remote address information is eventually (sa_common.c:508) passed to
>> getnameinfo(3) which returns unsuccessfully with EAI_NONAME.
> 
> Can you or somebody else with Jaguar try this program
> 
> http://www.apache.org/~trawick/gni_mapped.c
> 
> and see what happens?  It should print
> 
> look up via IPv4: 0/www.ibm.com
> look up via IPv6: 0/www.ibm.com

Looks like it does the right thing:

[MonaLisa:~/projects/ipv6test] sctemme% curl -O http://www.apache.org/~trawick/gni_mapped.c
  % Total    % Received % Xferd  Average Speed          Time             Curr.
                                 Dload  Upload Total    Current  Left    Speed
100  1090  100  1090    0     0  10095      0  0:00:00  0:00:00  0:00:00      0
[MonaLisa:~/projects/ipv6test] sctemme% gcc -o gni_mapped gni_mapped.c
[MonaLisa:~/projects/ipv6test] sctemme% file gni_mapped
gni_mapped: Mach-O executable ppc
[MonaLisa:~/projects/ipv6test] sctemme% ./gni_mapped
look up via IPv4: 0/www.ibm.com
look up via IPv6: 0/::ffff:812a:1263
[MonaLisa:~/projects/ipv6test] sctemme%
 
S.



Re: Deny from hostname broken in 2.0 on MacOSX 10.2

Posted by Jeff Trawick <tr...@attglobal.net>.
Sander Temme <sc...@covalent.net> writes:

> I have stepped through the code of a regular (IPv6-enabled) build a bit and
> it appears that what comes back from accept(2) is an IPv6 address, which
> apparently doesn't resolve correctly from mod_authz_host.c. Indeed, the
> remote address information is eventually (sa_common.c:508) passed to
> getnameinfo(3) which returns unsuccessfully with EAI_NONAME.

Can you or somebody else with Jaguar try this program

  http://www.apache.org/~trawick/gni_mapped.c

and see what happens?  It should print

  look up via IPv4: 0/www.ibm.com
  look up via IPv6: 0/www.ibm.com

(tested on Linux with glibc 2.1.2 and AIX 4.3.3 with recent
maintenance).

The lookup via IPv6 uses a mapped address like we'd get back from
accept() when a client connects over IPv4 to an IPv6 listening
socket.
-- 
Jeff Trawick | trawick@attglobal.net
Born in Roswell... married an alien...

Re: Deny from hostname broken in 2.0 on MacOSX 10.2

Posted by Jeff Trawick <tr...@attglobal.net>.
Sander Temme <sc...@covalent.net> writes:

> On MacOSX 10.2 "Jaguar", hostname based access control is broken in Apache
> 2.0. This problem appears in the access tests of the perl-framework, where
> any test that tests something like 'Deny from localhost' fails. I have since
> determined that deny from any other hostname is broken as well.
> 
> This problem goes away when Apache 2.0 is configured to disable IPv6
> support. 
> 
> I have stepped through the code of a regular (IPv6-enabled) build a bit and
> it appears that what comes back from accept(2) is an IPv6 address, which
> apparently doesn't resolve correctly from mod_authz_host.c. Indeed, the
> remote address information is eventually (sa_common.c:508) passed to
> getnameinfo(3) which returns unsuccessfully with EAI_NONAME.

I guess getnameinfo() isn't dealing with IPv6-mapped IPv4 addresses
(IPv6 addresses that print as ::FFFF:63.251.56.142, where the
low-order word is simply the IPv4 address and the next two bytes
are FFFF)?

Dang, I haven't yet brought myself to fork over the $129.00 to upgrade
to Jaguar or I could see for myself :(

This is the general idea of what should happen:

getaddrinfo af_unspec www.ibm.com
Getaddrinfo results:
IP Addr: 129.42.16.99
Family: 2
Flags: 0
Port: 0

IP Addr: 129.42.17.99
Family: 2
Flags: 0
Port: 0

IP Addr: 129.42.18.99
Family: 2
Flags: 0
Port: 0

IP Addr: 129.42.19.99
Family: 2
Flags: 0
Port: 0

getaddrinfo www.ibm.com
getnameinfo ::ffff:129.42.19.99
Getnameinfo results:
Hostname: "www.ibm.com"

> Could anyone opine on how serious this is and whether we should (could?)
> disable IPv6 by default on Jaguar?

very serious

yes, we could disable IPv6 by default on Jaguar/Darwin

I'd love to play with it to make sure it isn't Apache or APR that is
misbehaving or otherwise contributing to the breakage.  I'll try to
send you a test program to run to make sure I understand what is going
on.

Darn!
-- 
Jeff Trawick | trawick@attglobal.net
Born in Roswell... married an alien...