Bug#219774: Causing Reason identified (Re: Bug#219774: Doesn't help)

To: Michael Holzt <kju@fqdn.org>, 219774@bugs.debian.org
Subject: Bug#219774: Causing Reason identified (Re: Bug#219774: Doesn't help)
From: Fabio Massimo Di Nitto <fabbione@fabbione.net>
Date: Sun, 16 Nov 2003 08:13:15 +0100 (CET)
Message-id: <[🔎] Pine.LNX.4.58.0311160758140.2018@trider-g7.ext.fabbione.net>
Reply-to: Fabio Massimo Di Nitto <fabbione@fabbione.net>, 219774@bugs.debian.org
In-reply-to: <[🔎] 20031115085109.GA23019@fqdn.org>
References: <[🔎] 20031114180542.GB18076@fqdn.org> <[🔎] 20031114182405.GH30485@parcelfarce.linux.theplanet.co.uk> <[🔎] 20031114183212.GA19753@fqdn.org> <[🔎] Pine.LNX.4.58.0311150917570.4221@trider-g7.ext.fabbione.net> <[🔎] 20031115085109.GA23019@fqdn.org>

Hi Michael,
	so let start with some stuff because i am not sure i got
everything from this report.

On Sat, 15 Nov 2003, Michael Holzt wrote:

> First the index.html problem (no upgrade, just added a module) and after
> that this problem here.

Which index.html problem are you talking about here?? There were some
problems in the past but they have been fixed. Now apache writes an
index.html only if installing and if /var/www is NOT there already,
otherwise it just does nothing.

> I have now found out how the problem can be reproduced and forced. The
> problem is the sys_auth_module. When it is loaded, the standard
> configuration widely used for password protected sites will fail without any
> usable error message.

Ok.

>
> I have the following auth-modules in my apache-config (didn't choosed them,
> they were added by the debian package):
>
>   LoadModule auth_module /usr/lib/apache/1.3/mod_auth.so
>   [...]
>   LoadModule anon_auth_module /usr/lib/apache/1.3/mod_auth_anon.so
>   LoadModule dbm_auth_module /usr/lib/apache/1.3/mod_auth_dbm.so
>   LoadModule db_auth_module /usr/lib/apache/1.3/mod_auth_db.so
>   [...]
>   LoadModule sys_auth_module /usr/lib/apache/1.3/mod_auth_sys.so
>

They are the the defaults on installation. modules are never forced on
upgrades (given that there are no bugs in the script that handles them).

> Config from httpd.conf which worked _was_:
>
>   <Directory /var/www/>
>   [...]
>       AllowOverride AuthConfig
>   [...]
>   </Directory>
>
> In this Directory i have a .htaccess:
>
>   AuthType Basic
>   AuthName "kjus Entwicklungslabor"
>   AuthUserFile /etc/apache/.htpasswd
>   require valid-user
>
> This is just the plain normal configuration used by a lot of sites.

Yup.

> The
> configuration worked until the latest upgrade. Now it just states 'User xxx
> not found' in the error.log. There are three possible fixes to this:
>
>   a.) One can remove the sys_auth_module. This should be done anyways, as
>       you are rightful warning about the usage. I have no idea why the
>       debian package added this module. I didn't asked for it, and in
>       my opinion it should never be added by default.

If it was added automatically than there is a bug. as i wrote before
modules-config should NOT change any user setting or add/remove modules if
not at installation time where a default is required.
the actual default includes sys_auth_module. (the actual defaults have
been created using the old apacheconfig to have consistency between the
different releases but of course it does not mean that we cannot change
them).

>
>   b.) One can add the Suggested Line by Edward after the AllowOverride
>       Statement. The AuthAuthoritative Off Setting will tell the Apache
>       the continue even if a previous auth module failed. As it seems,
>       the modules will be queried in the reverse order as they were
>       loaded. So in my config above sys_auth_module will be queried first,
>       and then db_auth_module, dbm_auth_module and anon_auth_module
>       (all three are not triggered by my configuration and will not fail),
>       and the auth_module seems to be last asked. This leads me to
>       solution c:

I don't think this is the proper way to do it. The way in which modules
are loaded/used is explained here:

http://httpd.apache.org/docs/mod/core.html#addmodule

but yes you are right. the load order is reversed in execution.

>
>   c.) The sys_auth_module could just be loaded _before_ auth_module.

This can also be a possibility but i want to check the documentation first
to be sure why sys_auth_module has that priority in the load order.

> So c.) might be the easiest fix, but i still stay to a.) and ask why this
> module was included in standard config (was it? i wasn't asked about it, and
> it was not added by me...)
>
> Hope to be helpful to now resolve this problem.

I would like your help to investigate a) a bit further. I will dig c) in
the meantime.
and yes your help is really important. apache is not an easy package for
the simple reason that from the moment in which you change a line in the
config your installation becomes unique. As you can imagine it is almost
impossible for us to test/reproduce all the setups around.

Thanks
Fabio

-- 
Our mission: make IPv6 the default IP protocol
"We are on a mission from God" - Elwood Blues

http://www.itojun.org/paper/itojun-nanog-200210-ipv6isp/mgp00004.html

Reply to:

Follow-Ups:
- Bug#219774: Causing Reason identified (Re: Bug#219774: Doesn't help)
  - From: Fabio Massimo Di Nitto <fabbione@fabbione.net>

References:
- Bug#219774: Doesn't help
  - From: Michael Holzt <kju@debian.org>
- Bug#219774: Doesn't help
  - From: Matthew Wilcox <willy@debian.org>
- Bug#219774: Doesn't help
  - From: Michael Holzt <kju@fqdn.org>
- Bug#219774: Doesn't help
  - From: Fabio Massimo Di Nitto <fabbione@fabbione.net>
- Bug#219774: Causing Reason identified (Re: Bug#219774: Doesn't help)
  - From: Michael Holzt <kju@fqdn.org>

Prev by Date: Bug#220305: marked as done ([apache2]: can't create any locks)
Next by Date: Bug#203316: marked as done (libapache2-dav-svn: breaks apache2)
Previous by thread: Processed: Re: Bug#219774: Causing Reason identified (Re: Bug#219774: Doesn't help)
Next by thread: Bug#219774: Causing Reason identified (Re: Bug#219774: Doesn't help)
Index(es):
- Date
- Thread