[Secure-testing-team] mod-auth-shadow bug 323789
Marcin Owsiany
porridge at debian.org
Thu Sep 22 09:15:39 UTC 2005
tag 323789 +security
thanks

Hi!

mod_auth_shadow is an apache module which lets you perform HTTP
authentication against /etc/shadow. Whether it should act for a certain
location or directory is controlled with the AuthShadow on/off directive.
However, it seems that one of the handlers mistakenly does not check the
status of this directive, which means that mod_auth_shadow always runs
for locations which have "require group <somegroup>" specified.

This was reported upstream by someone over a year ago:
http://sourceforge.net/tracker/index.php?func=detail&aid=1008478&group_id=11283&atid=311283

Since authorization is involved, this bug is security-related. If the
user were lucky, and /etc/{group,shadow} gave access to some group, but
another authentication mechanism didn't, then this would mean granting
them access unintentionally.

I have prepared packages which seem to work for me and asked the bug
submitter to test them. I also posted the patch to the SF patch forum,
and forwarded it upstream, which might get some more testing.

The preliminary sid packages are at:
deb http://people.debian.org/~porridge/mod-auth-shadow-test/ ./

Either way, this patch inevitably changes the package behavior, since
now an explicit "AuthShadow on" is needed also with "require group
<...>". I wonder whether I should add a NEWS.Debian note...

I think that an advisory should be prepared. In such case, the behavior
change should be warned about in the advisory as well.

Please let me know what you think,

Marcin
--
Marcin Owsiany <porridge at debian.org> http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216 FE67 DA2D 0ACA FC5E 3F75 D6F6 3A0D 8AA0 60F4 1216
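The post above notes that, after the fix, a "require group" block only authorizes against /etc/shadow when "AuthShadow on" is set explicitly, and that before the fix such blocks were authorized via shadow groups regardless of the directive. Either way, an administrator wants to know which blocks use "require group" without stating AuthShadow explicitly. The following audit script is an added example written for this page; it is not code from the post, from mod_auth_shadow, or from the Debian package. It assumes a simplified view of Apache configuration: only container blocks such as <Location> and <Directory> are tracked, inheritance from enclosing blocks and .htaccess files is ignored, and the AuthShadow directive takes "on" or "off". The sample configuration, its paths and group names are constructed for the example.

```python
"""Audit an Apache config for "require group" blocks that lack an explicit
"AuthShadow on" (added example, not from the mod_auth_shadow project).

Simplifications (assumptions): only container blocks are tracked, directives
inherited from parent blocks or .htaccess are ignored, and AuthShadow is
assumed to take "on" or "off".
"""
import re
from dataclasses import dataclass, field

CONTAINER_KINDS = r"Location|LocationMatch|Directory|DirectoryMatch|Files|FilesMatch"
OPEN_RE = re.compile(rf"^<({CONTAINER_KINDS})\s+(.+?)>$", re.I)
CLOSE_RE = re.compile(rf"^</({CONTAINER_KINDS})>$", re.I)
REQUIRE_GROUP_RE = re.compile(r"^require\s+group\b", re.I)
AUTHSHADOW_RE = re.compile(r"^AuthShadow\s+(on|off)\b", re.I)


@dataclass
class Container:
    kind: str
    arg: str
    directives: list = field(default_factory=list)


def parse_containers(config_text):
    """Return every container block with the directives written inside it."""
    containers, stack = [], []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = OPEN_RE.match(line)
        if m:
            block = Container(m.group(1), m.group(2))
            containers.append(block)
            stack.append(block)
            continue
        if CLOSE_RE.match(line):
            if stack:
                stack.pop()
            continue
        if stack:
            stack[-1].directives.append(line)
    return containers


def audit(config_text):
    """List (kind, arg, authshadow_value) for blocks that use 'require group'
    without an explicit 'AuthShadow on'. authshadow_value is None when the
    directive is absent and 'off' when it is explicitly off."""
    findings = []
    for block in parse_containers(config_text):
        uses_group = any(REQUIRE_GROUP_RE.match(d) for d in block.directives)
        shadow = None
        for d in block.directives:
            m = AUTHSHADOW_RE.match(d)
            if m:
                shadow = m.group(1).lower()  # last occurrence in the block wins
        if uses_group and shadow != "on":
            findings.append((block.kind, block.arg, shadow))
    return findings


# Constructed sample config: paths and group names are made up.
SAMPLE_CONFIG = """\
<Location /staff>
    AuthType Basic
    AuthName "Staff area"
    AuthShadow on
    require group staff
</Location>

# Meant to authenticate against htpasswd/htgroup files, not /etc/shadow.
# The file paths below are hypothetical.
<Location /private>
    AuthType Basic
    AuthName "Private"
    AuthUserFile /etc/apache2/htpasswd
    AuthGroupFile /etc/apache2/htgroup
    require group admins
</Location>

<Directory /var/www/public>
    require valid-user
</Directory>
"""

if __name__ == "__main__":
    for kind, arg, shadow in audit(SAMPLE_CONFIG):
        state = "missing" if shadow is None else f"set to {shadow}"
        print(f"<{kind} {arg}>: 'require group' present, AuthShadow {state}")
```

On the sample, only the /private block is reported: it uses "require group" with file-based authentication and never mentions AuthShadow, which is exactly the kind of block the unfixed module would also have authorized against /etc/shadow and /etc/group. Blocks that set "AuthShadow on" deliberately are not reported; blocks with "AuthShadow off" are reported with the value so the administrator can confirm the intent.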