
Bug#219774: Doesn't help



#include <hallo.h>
* Fabio Massimo Di Nitto [Sat, Nov 15 2003, 09:24:49AM]:
> On Fri, 14 Nov 2003, Michael Holzt wrote:
> 
> > > Don't be stupid.
> >
> > I'm not stupid. Broken authorisation handling is in fact a security problem,
> > and makes the package unusable to a very high percentage of users. We don't
> > know for sure if this problem doesn't introduce other security problems as
> > well.
> 
> First of all none of you have been providing enough information about your
> setup. Authentication works for me using different schemes. Which
> authentication modules are not working for you? Which is your config?
> Which directives are you using??

For my case: followed the common APACHE FAQs, creating .htaccess with
$EDITOR, password file with htpasswd (and tried different encryption
methods, of course) and setting "AllowOverride AuthConfig" in
httpd.conf. Restarted multiple times, tried with different users
etc.pp., always the same result: access denied, non-sense message in
error.log:

[Sat Nov  8 22:56:45 2003] [error] user foo not found: /apt/
[Sat Nov  8 22:56:49 2003] [error] user foo not found: /apt/
[Sat Nov  8 22:57:22 2003] [error] user foo not found: /apt/

Run strace over it and, guess what, it does not even READ the password
file. There is no excuse for such non-obvious, crappy and user-unfriendly
behaviour. The solution was setting "AuthAuthoritative off" in
httpd.conf which I found by luck after googl'ing after a combination of
"debian apache <lots of other words came to my mind>".

> > Interesting enough, that no reaction to the initial bug report so far, but
> > after changing the severity to a value you view as inappropriate, you are
> > able to change it back.
> 
> Because I did expect DDs to be able to file a decent bug other than
> flaming the maintainers.

I expect Debian maintainers of important packages to request such
information when needed. Silence is not always the best way to react.

> > Some reaction to the problem - which is a real
> > and grave problem!
> 
> Until:
> 
> a) we cannot reproduce it

What do you need? Create a default config (after purging) without any
others apache related modules installed, create /var/www/apt, set
permissions when needed, create /var/www/apt/.htaccess with:

AuthType Basic
AuthName restricted_area
AuthUserFile /var/tmp/htpass
require valid-user

Create the password file and try again.

> b) we are lacking information
> i will not consider this bug serious enough.

Request it. Don't flame another submitter who assumes the maintainer to
be MIA (for a reason). In the header you see the combination I would
have chosen if I were kju (no, it's not forwarded to control). There
are already too many maintainers reacting like you and letting tons
of crap pass into the Stable distribution. The bug is there and needs to
be fixed. Or do you think that it's okay to have 20 Important bugs
instead of one Grave?

> > - would have been more important. Hell a lot of people
> > and web applications depend on this feature.
> 
> me as well but it works on several of my systems and it never broke
> across upgrades.
> 
> Fabio
> 
> -- 
> Our mission: make IPv6 the default IP protocol
> "We are on a mission from God" - Elwood Blues
> 
> http://www.itojun.org/paper/itojun-nanog-200210-ipv6isp/mgp00004.html
> 
> 

-- 
One is spoiled among people who do not surpass oneself.
		-- Jean Paul
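The "user foo not found" lines quoted in the mail are the only evidence an admin gets when mod_auth never consults AuthUserFile. The following is an added example, not part of this bug thread: a small triage script that parses Apache 1.3-style error.log lines (the sample is constructed to mirror the report) and separates a path where every failure is "user not found" (password file probably never read, a config problem) from a path that also shows password mismatches (genuine bad logins). The "password mismatch" line format is assumed from mod_auth's wording, not taken from the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the error.log format quoted in the report above.
SAMPLE_LOG = """\
[Sat Nov  8 22:56:45 2003] [error] user foo not found: /apt/
[Sat Nov  8 22:56:49 2003] [error] user foo not found: /apt/
[Sat Nov  8 22:57:22 2003] [error] user foo not found: /apt/
[Sat Nov  8 22:58:01 2003] [error] user bar: password mismatch: /other/
[Sat Nov  8 22:58:05 2003] [notice] caught SIGTERM, shutting down
"""

# Matches both "user X not found: PATH" and "user X: password mismatch: PATH"
# (the second form is assumed mod_auth wording, see lead-in).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] user (?P<user>\S+?)"
    r"(?P<reason>: password mismatch| not found): (?P<path>\S+)$"
)


def parse_auth_failures(text):
    """Yield (timestamp, user, reason, path) for each auth-related error line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            reason = "not_found" if m["reason"] == " not found" else "bad_password"
            yield m["ts"], m["user"], reason, m["path"]


def summarize(text):
    """Per protected path: failure counts and a verdict.

    A path with only 'not_found' failures for users the admin knows exist
    (as in the report) suggests AuthUserFile was never consulted, i.e. a
    configuration problem rather than wrong credentials.
    """
    by_path = defaultdict(Counter)
    for _ts, _user, reason, path in parse_auth_failures(text):
        by_path[path][reason] += 1
    result = {}
    for path, counts in by_path.items():
        if counts["bad_password"] == 0 and counts["not_found"] > 0:
            verdict = "suspect-config"          # password file likely unread
        else:
            verdict = "credential-failures"     # at least one real lookup
        result[path] = (dict(counts), verdict)
    return result
```

Run it against a real error.log, compare the verdict with what strace shows about opens of the AuthUserFile path, and only then decide whether the fix belongs in httpd.conf or in the password file.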
