Bug#660853: cacti: External auth does not work behind a reverse proxy (HTTP_REMOTE_USER contains login, not REMOTE_USER)

2012-02-22 Thread Thierry Murgue
Package: cacti
Version: 0.8.7g-1+squeeze1
Severity: normal

Please consider checking not only REMOTE_USER, PHP_AUTH_USER and
REDIRECT_REMOTE_USER, but also the HTTP_* variants.
Behind a reverse proxy on Debian GNU/Linux with apache2 squeeze (see the configuration
just below), authentication information is stored
in HTTP_REMOTE_USER, not in REMOTE_USER.

<Location /cacti>
 ... Some auth directives
 RewriteEngine on
 RewriteCond %{LA-U:REMOTE_USER} (.+)
 RewriteRule . - [E=RU:%1]
 RequestHeader set REMOTE_USER %{RU}e

 ProxyPass http://#HOST#/cacti
 ProxyPassReverse http://#HOST#/cacti
</Location>

Here is a patch, if you decide to insert these checks.

-- System Information:
Debian Release: 6.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-xen-686 (SMP w/1 CPU core)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cacti depends on:
ii  apache2  2.2.16-6+squeeze6  Apache HTTP Server metapackage
ii  apache2-mpm-prefork [h  2.2.16-6+squeeze6  Apache HTTP Server - traditional n
ii  dbconfig-common  1.8.46+squeeze.0  common framework for packaging dat
ii  debconf [debconf-2.0]  1.5.36.1  Debian configuration management sy
ii  libapache2-mod-php5  5.3.3-7+squeeze8  server-side, HTML-embedded scripti
ii  libphp-adodb  5.10-1  The ADOdb database abstraction lay
ii  mysql-client-5.1 [virt  5.1.49-3  MySQL database client binaries
ii  php5  5.3.3-7+squeeze8  server-side, HTML-embedded scripti
ii  php5-cli  5.3.3-7+squeeze8  command-line interpreter for the p
ii  php5-mysql  5.3.3-7+squeeze8  MySQL module for php5
ii  php5-snmp  5.3.3-7+squeeze8  SNMP module for php5
ii  rrdtool  1.4.3-1  time-series data storage and displ
ii  snmp  5.4.3~dfsg-2  SNMP (Simple Network Management Pr
ii  ucf  3.0025+nmu1  Update Configuration File: preserv

Versions of packages cacti recommends:
ii  iputils-ping  3:20100418-3  Tools to test the reachability of
ii  logrotate  3.7.8-6  Log rotation utility
ii  mysql-server  5.1.49-3  MySQL database server (metapackage
ii  mysql-server-5.1 [mysql-ser  5.1.49-3  MySQL database server binaries and

Versions of packages cacti suggests:
pn  php5-ldap none (no description available)

-- debconf information excluded
--- auth_login.php	2012-02-22 12:37:45.0 +0100
+++ auth_login.ORIG.php	2012-01-08 19:44:12.0 +0100
@@ -39,12 +39,6 @@
 		$username = str_replace(\\, , $_SERVER[REMOTE_USER]);
 	}elseif (isset($_SERVER[REDIRECT_REMOTE_USER])) {
 		$username = str_replace(\\, , $_SERVER[REDIRECT_REMOTE_USER]);
-	}elseif (isset($_SERVER[HTTP_PHP_AUTH_USER])) {
-		$username = str_replace(\\, , $_SERVER[HTTP_PHP_AUTH_USER]);
-	}elseif (isset($_SERVER[HTTP_REMOTE_USER])) {
-		$username = str_replace(\\, , $_SERVER[HTTP_REMOTE_USER]);
-	}elseif (isset($_SERVER[HTTP_REDIRECT_REMOTE_USER])) {
-		$username = str_replace(\\, , $_SERVER[HTTP_REDIRECT_REMOTE_USER]);
 	}else{
 		/* No user - Bad juju! */
 		$username = ;
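Review bot: The diff is the wrong way round for its stated purpose: the modified file is on the --- side (auth_login.php, 2012-02-22) and the pristine copy on the +++ side (auth_login.ORIG.php), so the new HTTP_PHP_AUTH_USER, HTTP_REMOTE_USER and HTTP_REDIRECT_REMOTE_USER branches show up as - lines and applying the patch as-is would remove them rather than add them; please regenerate it with the ORIG file as the --- side. On the substance of those three branches: $_SERVER['HTTP_*'] entries are built from request headers, so they accept a user name from any client that can reach auth_login.php without going through the proxy, whereas the existing REMOTE_USER and REDIRECT_REMOTE_USER values are set by the web server itself; the new checks should be guarded (for example only when REMOTE_ADDR is the proxy, or with the backend reachable solely from the proxy) before they are merged. Minor: the quote characters around "\\", "" and the $_SERVER keys are missing in the hunk as shown (str_replace(\\, , $_SERVER[REMOTE_USER]) does not parse), presumably lost in transit.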

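Added example, not part of the bug report or of cacti's own code: a PHP helper that applies the same lookup order as auth_login.php but honours the HTTP_* variants only when REMOTE_ADDR belongs to a known reverse proxy, because those variables are derived from request headers that any client can send. The proxy address list and the sample requests are assumptions constructed for the example.

```php
<?php
// Resolves the externally authenticated user name from a $_SERVER-like array.
// Server-set variables (PHP_AUTH_USER, REMOTE_USER, REDIRECT_REMOTE_USER) are
// always trusted; HTTP_* variables are request headers and are only trusted
// when the request arrived from one of the configured reverse proxies.
function resolve_external_user(array $server, array $trustedProxies): string
{
    // Set by the web server itself (mod_auth*, mod_rewrite), not by the client.
    $serverSet = ['PHP_AUTH_USER', 'REMOTE_USER', 'REDIRECT_REMOTE_USER'];
    // Copied from request headers; a reverse proxy that overwrites the header
    // (RequestHeader set REMOTE_USER ...) makes them safe, direct access does not.
    $headerSet = ['HTTP_PHP_AUTH_USER', 'HTTP_REMOTE_USER', 'HTTP_REDIRECT_REMOTE_USER'];

    $candidates = $serverSet;
    if (isset($server['REMOTE_ADDR'])
        && in_array($server['REMOTE_ADDR'], $trustedProxies, true)) {
        $candidates = array_merge($candidates, $headerSet);
    }

    foreach ($candidates as $name) {
        if (isset($server[$name]) && $server[$name] !== '') {
            // auth_login.php strips the Windows domain separator "\" from the name.
            return str_replace('\\', '', $server[$name]);
        }
    }
    return ''; /* No user - Bad juju! */
}

// Constructed sample requests (assumed addresses, not captured from a real system).
$trustedProxies = ['10.0.0.2'];
$viaProxy = ['REMOTE_ADDR' => '10.0.0.2',    'HTTP_REMOTE_USER' => 'CORP\\alice'];
$direct   = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_REMOTE_USER' => 'admin'];

// Through the proxy the header is honoured; hitting the backend directly yields ''.
var_dump(resolve_external_user($viaProxy, $trustedProxies));
var_dump(resolve_external_user($direct, $trustedProxies));
```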

Bug#660853: [Pkg-cacti-maint] Bug#660853: cacti: External auth does not work behind a reverse proxy (HTTP_REMOTE_USER contains login, not REMOTE_USER)

2012-02-22 Thread sean finney
Hi Thierry,

On Wed, Feb 22, 2012 at 12:53:01PM +0100, Thierry Murgue wrote:
> Please consider checking not only REMOTE_USER, PHP_AUTH_USER and
> REDIRECT_REMOTE_USER, but also the HTTP_* variants.
> Behind a reverse proxy on Debian GNU/Linux with apache2 squeeze (see
> the configuration just below), authentication information is stored
> in HTTP_REMOTE_USER, not in REMOTE_USER.
snip
>
> Here is a patch, if you decide to insert these checks.

This sounds like something that should go upstream to the cacti authors.
Could you report a bug at bugs.cacti.net?  Thanks!


sean
