Bug#660853: cacti: External auth does not work behind a reverse proxy (HTTP_REMOTE_USER contains login, not REMOTE_USER)

2012-02-22 Thread Thierry Murgue
Package: cacti
Version: 0.8.7g-1+squeeze1
Severity: normal

Please consider checking not only REMOTE_USER, PHP_AUTH_USER and
REDIRECT_REMOTE_USER, but also the HTTP_* variants.
Behind a reverse proxy (Debian GNU/Linux with apache2 from squeeze; see the
configuration just below), authentication information is stored
in HTTP_REMOTE_USER, not in REMOTE_USER.

<Location /cacti>
 ... Some auth directives
 RewriteEngine on
 RewriteCond %{LA-U:REMOTE_USER} (.+)
 RewriteRule . - [E=RU:%1]
 RequestHeader set REMOTE_USER %{RU}e

 ProxyPass http://#HOST#/cacti
 ProxyPassReverse http://#HOST#/cacti
</Location>

Here is a patch, if you decide to insert these checks.

-- System Information:
Debian Release: 6.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-xen-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cacti depends on:
ii  apache2                2.2.16-6+squeeze6 Apache HTTP Server metapackage
ii  apache2-mpm-prefork [h 2.2.16-6+squeeze6 Apache HTTP Server - traditional n
ii  dbconfig-common        1.8.46+squeeze.0  common framework for packaging dat
ii  debconf [debconf-2.0]  1.5.36.1          Debian configuration management sy
ii  libapache2-mod-php5    5.3.3-7+squeeze8  server-side, HTML-embedded scripti
ii  libphp-adodb           5.10-1            The ADOdb database abstraction lay
ii  mysql-client-5.1 [virt 5.1.49-3          MySQL database client binaries
ii  php5                   5.3.3-7+squeeze8  server-side, HTML-embedded scripti
ii  php5-cli               5.3.3-7+squeeze8  command-line interpreter for the p
ii  php5-mysql             5.3.3-7+squeeze8  MySQL module for php5
ii  php5-snmp              5.3.3-7+squeeze8  SNMP module for php5
ii  rrdtool                1.4.3-1           time-series data storage and displ
ii  snmp                   5.4.3~dfsg-2      SNMP (Simple Network Management Pr
ii  ucf                    3.0025+nmu1       Update Configuration File: preserv

Versions of packages cacti recommends:
ii  iputils-ping                3:20100418-3 Tools to test the reachability of 
ii  logrotate                   3.7.8-6      Log rotation utility
ii  mysql-server                5.1.49-3     MySQL database server (metapackage
ii  mysql-server-5.1 [mysql-ser 5.1.49-3     MySQL database server binaries and

Versions of packages cacti suggests:
pn  php5-ldap none (no description available)

-- debconf information excluded
--- auth_login.php	2012-02-22 12:37:45.0 +0100
+++ auth_login.ORIG.php	2012-01-08 19:44:12.0 +0100
@@ -39,12 +39,6 @@
 		$username = str_replace(\\, , $_SERVER[REMOTE_USER]);
 	}elseif (isset($_SERVER[REDIRECT_REMOTE_USER])) {
 		$username = str_replace(\\, , $_SERVER[REDIRECT_REMOTE_USER]);
-	}elseif (isset($_SERVER[HTTP_PHP_AUTH_USER])) {
-		$username = str_replace(\\, , $_SERVER[HTTP_PHP_AUTH_USER]);
-	}elseif (isset($_SERVER[HTTP_REMOTE_USER])) {
-		$username = str_replace(\\, , $_SERVER[HTTP_REMOTE_USER]);
-	}elseif (isset($_SERVER[HTTP_REDIRECT_REMOTE_USER])) {
-		$username = str_replace(\\, , $_SERVER[HTTP_REDIRECT_REMOTE_USER]);
 	}else{
 		/* No user - Bad juju! */
 		$username = ;
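
Review bot: HTTP_PHP_AUTH_USER, HTTP_REMOTE_USER and HTTP_REDIRECT_REMOTE_USER in the three new elseif branches are filled by PHP from request headers, so a client that reaches the backend without passing through the proxy can pick the username itself. Please gate these branches on the request coming from the known proxy address (or on a setting that is off by default) rather than falling through to them unconditionally. The proxy configuration in the report only sets the REMOTE_USER header, so the HTTP_PHP_AUTH_USER and HTTP_REDIRECT_REMOTE_USER branches have no producer and could be dropped. The diff is also reversed (the modified auth_login.php is on the "---" side), which is why the additions show as "-" lines; regenerating it as "diff -u auth_login.ORIG.php auth_login.php" would make it apply cleanly.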

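The header-based lookup requested in the report above, restricted to requests whose TCP peer is the reverse proxy. This is an added example, not Cacti code and not part of the submitted patch; username_from_request(), clean_username(), TRUSTED_PROXIES and the sample addresses are hypothetical, and the backslash stripping is modelled on the str_replace calls visible in the patch.

```php
<?php
// Added illustration, not Cacti code. All names here are hypothetical and
// the addresses are constructed documentation values.
const TRUSTED_PROXIES = ['192.0.2.10'];

// Assumption: mirrors the backslash stripping done in auth_login.php.
function clean_username(string $raw): string
{
    return str_replace('\\', '', $raw);
}

function username_from_request(array $server, array $proxies = TRUSTED_PROXIES): string
{
    // Variables set by the local web server's own authentication modules.
    foreach (['PHP_AUTH_USER', 'REMOTE_USER', 'REDIRECT_REMOTE_USER'] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return clean_username($server[$key]);
        }
    }

    // HTTP_* entries are copied from request headers, so any client can
    // send them. Honour the header only when the TCP peer is the proxy.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, $proxies, true)
        && isset($server['HTTP_REMOTE_USER'])
        && $server['HTTP_REMOTE_USER'] !== '') {
        return clean_username($server['HTTP_REMOTE_USER']);
    }

    return ''; // no authenticated user
}

// Constructed requests: one relayed by the proxy, one sent straight to the
// backend with the same header set by the client.
$samples = [
    'via proxy' => ['REMOTE_ADDR' => '192.0.2.10',   'HTTP_REMOTE_USER' => 'alice'],
    'direct'    => ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_REMOTE_USER' => 'admin'],
];
foreach ($samples as $label => $server) {
    printf("%-10s => '%s'\n", $label, username_from_request($server));
}
```
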

Bug#406348: chrooted postfix doesn't copy /etc/ldap/ssl to enable secure ldap lookup for recipient or sender

2007-01-10 Thread Thierry Murgue
Package: postfix
Version: 2.3.4-3
Severity: important
Tags: patch

In order to use lookups with the ldaps protocol, I have to access some certs
in /etc/ldap/ssl. The chroot method written for postfix doesn't take these
files into account.

I attached a patch that copies the entire /etc/ldap directory in order to
have the default configuration file (/etc/ldap/ldap.conf) and all ldap
config files also.

Is it OK?

Thanks in advance for taking this kind of problem into account. Or feel free
to send me an answer on how to do that in a more Debian way.

--
Thierry.

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.19.1
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages postfix depends on:
ii  adduser               3.101            Add and remove users and groups
ii  debconf [debconf-2.0] 1.5.11           Debian configuration management sy
ii  dpkg                  1.13.25          package maintenance system for Deb
ii  libc6                 2.3.6.ds1-8      GNU C Library: Shared libraries
ii  libdb4.3              4.3.29-6         Berkeley v4.3 Database Libraries [
ii  libsasl2-2            2.1.22.dfsg1-8   Authentication abstraction library
ii  libssl0.9.8           0.9.8c-4         SSL shared libraries
ii  lsb-base              3.1-22           Linux Standard Base 3.1 init scrip
ii  netbase               4.27             Basic TCP/IP networking system
ii  ssl-cert              1.0.13           Simple debconf wrapper for openssl

Versions of packages postfix recommends:
ii  emacs21 [mail-re 21.4a+1-3   The GNU Emacs editor
ii  evolution [mail- 2.6.3-3 groupware suite with mail client a
ii  icedove [mail-re 1.5.0.9.dfsg1-1 free/unbranded thunderbird mail cl
ii  mailx [mail-read 1:8.1.2-0.20050715cvs-1 A simple mail user agent
ii  mutt [mail-reade 1.5.13-1.1  text-based mailreader supporting M
ii  nmh [mail-reader 1.1-release-4   A set of electronic mail handling 
ii  sylpheed-claws-g 2.6.0-1 Fast, lightweight and user-friendl

-- debconf information excluded
--- /etc/init.d/postfix 2007-01-03 18:56:25.0 +0100
+++ postfix 2007-01-10 16:46:00.0 +0100
@@ -68,6 +68,8 @@
ln -sf /etc/localtime usr/lib/zoneinfo/localtime
rm -f lib/libnss_*so*
tar cf - /lib/libnss_*so* 2/dev/null |tar xf -
+   rm -rf etc/ldap
+   cp -a /etc/ldap etc/
umask $oldumask
fi
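
Review bot: "cp -a /etc/ldap etc/" in the chroot setup copies the whole directory, which is wider than the ldap.conf and /etc/ldap/ssl certificates the report needs; anything else kept under /etc/ldap on the host is duplicated into the chroot with its original owner and mode. Copying only ldap.conf and the certificate files the lookup uses would keep the chroot contents minimal. The preceding "rm -rf etc/ldap" also runs with no test that /etc/ldap exists, so on a host without that directory the cp fails on every start; wrapping both lines in "if [ -d /etc/ldap ]; then ... fi" would avoid that.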