test users ** Description changed:
- I have configured a .htaccess to use libapache2-mod-auth-pgsql to - authenticate a user against a postgres database. The settings are as - follows: + [Impact] + * An explanation of the effects of the bug on users and + + * justification for backporting the fix to the stable release. + + * In addition, it is helpful, but not required, to include an + explanation of how the upload fixes this bug. + + [Test Case] + + * install the packages: + sudo apt install apache2 libapache2-mod-auth-pgsql postgresql + + * create the database and populate it: + $ sudo -u postgres -H createdb userdb + $ cat > /tmp/prepare.sql <<EOFEOF + CREATE TABLE UserLogin (Username text, ApachePassword text); + INSERT INTO UserLogin VALUES ('ubuntu-invalidhash', '{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ='); + INSERT INTO UserLogin VALUES ('ubuntu-md5', '$1$0UiJQbpc$QoJQqJIT1DCHtQYGwJHZh0'); + INSERT INTO UserLogin VALUES ('ubuntu-sha256', '$5$.oyALiVLtCvfBa$cvNlH7IxsirDkBN/vIvHB54p0MPwqxSyiulqnYVMxt/'); + INSERT INTO UserLogin VALUES ('ubuntu-sha512', '$6$mbXQ/gDvUCn$Hs6sz8LAWN3fX1I/MoaJjsYSIYs8tqOUjgoQnXLY4X1dTSlBhbyiJYpTZZDEALXw.hRL97e7l/.xI7qZi0Phe.'); + INSERT INTO UserLogin VALUES ('ubuntu-des', 'CYwwQkoOVS3oE'); + EOFEOF + $ sudo -u postgres -H psql userdb -f /tmp/prepare.sql + + * Create the DB user we will use. 
Type "password" without the quotes when prompted: + $ sudo -u postgres -H createuser www -P + could not change directory to "/root": Permission denied + Enter password for new role: + Enter it again: + + * Grant access: + $ sudo -u postgres -H psql userdb -c "GRANT SELECT ON TABLE userlogin TO www;" + + * Create the /var/www/html/.htaccess file: + cat <<EOFEOF | sudo tee /var/www/html/.htaccess AuthType basic AuthName "My Auth" Require valid-user AuthBasicProvider pgsql Auth_PG_authoritative On Auth_PG_host 127.0.0.1 Auth_PG_port 5432 Auth_PG_user www Auth_PG_pwd password Auth_PG_database userdb - Auth_PG_encrypted off + Auth_PG_encrypted on Auth_PG_pwd_table UserLogin Auth_PG_uid_field Username Auth_PG_pwd_field ApachePassword + EOFEOF - If I set Auth_PG_encrypted to off, then authentication works but the - downside is that I have to save plain unencrypted password on the - database. If I set Auth_PG_encrypted to on, a segmentation fault occurs. - A typical password to be contained in ApachePassword field is the - following (for password "password"): "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=" - - This matches exactly to what would be generated by htpasswd -s. 
+ * Setup access in apache by editing /etc/apache2/sites- + enabled/000-default.conf and adding these somewhere between the + <virtualhost> lines: - Here is the error log entry I get: - [pid 9662] AH00052: child pid 9670 exit signal Segmentation fault (11) + <Directory /var/www/html> + AllowOverride AuthConfig + </Directory> - ProblemType: Bug - DistroRelease: Ubuntu 16.04 - Package: apache2 2.4.18-2ubuntu3.2 - ProcVersionSignature: Ubuntu 4.4.0-79.100-generic 4.4.67 - Uname: Linux 4.4.0-79-generic x86_64 - Apache2ConfdDirListing: False - Apache2Modules: - Error: command ['/usr/sbin/apachectl', '-D DUMP_MODULES'] failed with exit code 1: [Mon Jun 19 09:48:04.146971 2017] [so:warn] [pid 8403] AH01574: module dav_module is already loaded, skipping - apache2: Syntax error on line 140 of /etc/apache2/apache2.conf: Syntax error on line 2 of /etc/apache2/mods-enabled/session_dbd.load: Cannot load /usr/lib/apache2/modules/mod_session_dbd.so into server: /usr/lib/apache2/modules/mod_session_dbd.so: undefined symbol: ap_hook_session_save - Action '-D DUMP_MODULES' failed. - The Apache error log may have more information. - ApportVersion: 2.20.1-0ubuntu2.6 - Architecture: amd64 - Date: Mon Jun 19 09:47:34 2017 - SourcePackage: apache2 - UpgradeStatus: No upgrade log present (probably fresh install) - modified.conffile..etc.apache2.apache2.conf: [modified] - modified.conffile..etc.apache2.mods-available.dav.load: [modified] - modified.conffile..etc.apache2.sites-available.000-default.conf: [modified] - mtime.conffile..etc.apache2.apache2.conf: 2017-06-03T16:27:12.439856 - mtime.conffile..etc.apache2.mods-available.dav.load: 2017-06-03T16:31:51.028040 - mtime.conffile..etc.apache2.sites-available.000-default.conf: 2016-11-11T14:57:50 + * Enable the mod-auth-pgsql module: + $ sudo a2enmod 000_auth_pgsql + + * Restart apache: + $ sudo service apache2 restart + + This is now ready for testing. 
The database was populated with the following usernames, all with the same password "secret": + ubuntu-invalidhash + ubuntu-md5 + ubuntu-sha256 + ubuntu-sha512 + ubuntu-des + + The username that will cause a segfault is "ubuntu-invalidhash". To test each login, use a loop like this: + for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o /dev/null -s && echo OK || echo FAIL; done + Testing ubuntu-invalidhash... FAIL + Testing ubuntu-md5... OK + Testing ubuntu-sha256... OK + Testing ubuntu-sha512... OK + Testing ubuntu-des... OK + + The fixed version must have all tests with the result OK. + + [Regression Potential] + + * discussion of how regressions are most likely to manifest as a result + of this change. + + * It is assumed that any SRU candidate patch is well-tested before + upload and has a low overall risk of regression, but it's important + to make the effort to think about what ''could'' happen in the + event of a regression. + + * This both shows the SRU team that the risks have been considered, + and provides guidance to testers in regression-testing the SRU. + + [Other Info] + + * Anything else you think is useful to include + * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board + * and address these questions in advance ** Description changed: [Impact] - * An explanation of the effects of the bug on users and + * An explanation of the effects of the bug on users and - * justification for backporting the fix to the stable release. + * justification for backporting the fix to the stable release. - * In addition, it is helpful, but not required, to include an - explanation of how the upload fixes this bug. + * In addition, it is helpful, but not required, to include an + explanation of how the upload fixes this bug. 
[Test Case] - * install the packages: - sudo apt install apache2 libapache2-mod-auth-pgsql postgresql + * install the packages on the Ubuntu release you are testing: + $ sudo apt install apache2 libapache2-mod-auth-pgsql postgresql - * create the database and populate it: + * create the database and populate it (http://pastebin.ubuntu.com/25127514/ for better formatting): $ sudo -u postgres -H createdb userdb $ cat > /tmp/prepare.sql <<EOFEOF CREATE TABLE UserLogin (Username text, ApachePassword text); INSERT INTO UserLogin VALUES ('ubuntu-invalidhash', '{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ='); INSERT INTO UserLogin VALUES ('ubuntu-md5', '$1$0UiJQbpc$QoJQqJIT1DCHtQYGwJHZh0'); INSERT INTO UserLogin VALUES ('ubuntu-sha256', '$5$.oyALiVLtCvfBa$cvNlH7IxsirDkBN/vIvHB54p0MPwqxSyiulqnYVMxt/'); INSERT INTO UserLogin VALUES ('ubuntu-sha512', '$6$mbXQ/gDvUCn$Hs6sz8LAWN3fX1I/MoaJjsYSIYs8tqOUjgoQnXLY4X1dTSlBhbyiJYpTZZDEALXw.hRL97e7l/.xI7qZi0Phe.'); INSERT INTO UserLogin VALUES ('ubuntu-des', 'CYwwQkoOVS3oE'); EOFEOF $ sudo -u postgres -H psql userdb -f /tmp/prepare.sql * Create the DB user we will use. 
Type "password" without the quotes when prompted: $ sudo -u postgres -H createuser www -P could not change directory to "/root": Permission denied - Enter password for new role: - Enter it again: + Enter password for new role: + Enter it again: * Grant access: $ sudo -u postgres -H psql userdb -c "GRANT SELECT ON TABLE userlogin TO www;" * Create the /var/www/html/.htaccess file: cat <<EOFEOF | sudo tee /var/www/html/.htaccess AuthType basic AuthName "My Auth" Require valid-user AuthBasicProvider pgsql Auth_PG_authoritative On Auth_PG_host 127.0.0.1 Auth_PG_port 5432 Auth_PG_user www Auth_PG_pwd password Auth_PG_database userdb Auth_PG_encrypted on Auth_PG_pwd_table UserLogin Auth_PG_uid_field Username Auth_PG_pwd_field ApachePassword EOFEOF * Setup access in apache by editing /etc/apache2/sites- enabled/000-default.conf and adding these somewhere between the <virtualhost> lines: <Directory /var/www/html> - AllowOverride AuthConfig + AllowOverride AuthConfig </Directory> * Enable the mod-auth-pgsql module: $ sudo a2enmod 000_auth_pgsql * Restart apache: $ sudo service apache2 restart This is now ready for testing. The database was populated with the following usernames, all with the same password "secret": - ubuntu-invalidhash - ubuntu-md5 - ubuntu-sha256 - ubuntu-sha512 - ubuntu-des + ubuntu-invalidhash + ubuntu-md5 + ubuntu-sha256 + ubuntu-sha512 + ubuntu-des The username that will cause a segfault is "ubuntu-invalidhash". To test each login, use a loop like this: for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o /dev/null -s && echo OK || echo FAIL; done Testing ubuntu-invalidhash... FAIL Testing ubuntu-md5... OK Testing ubuntu-sha256... OK Testing ubuntu-sha512... OK Testing ubuntu-des... OK The fixed version must have all tests with the result OK. 
[Regression Potential] - * discussion of how regressions are most likely to manifest as a result + * discussion of how regressions are most likely to manifest as a result of this change. - * It is assumed that any SRU candidate patch is well-tested before - upload and has a low overall risk of regression, but it's important - to make the effort to think about what ''could'' happen in the - event of a regression. + * It is assumed that any SRU candidate patch is well-tested before + upload and has a low overall risk of regression, but it's important + to make the effort to think about what ''could'' happen in the + event of a regression. - * This both shows the SRU team that the risks have been considered, - and provides guidance to testers in regression-testing the SRU. + * This both shows the SRU team that the risks have been considered, + and provides guidance to testers in regression-testing the SRU. [Other Info] - - * Anything else you think is useful to include - * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board - * and address these questions in advance + + * Anything else you think is useful to include + * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board + * and address these questions in advance ** Description changed: [Impact] * An explanation of the effects of the bug on users and * justification for backporting the fix to the stable release. * In addition, it is helpful, but not required, to include an explanation of how the upload fixes this bug. 
[Test Case] * install the packages on the Ubuntu release you are testing: $ sudo apt install apache2 libapache2-mod-auth-pgsql postgresql - * create the database and populate it (http://pastebin.ubuntu.com/25127514/ for better formatting): + * create the database and populate it (contents of prepare.sql at http://pastebin.ubuntu.com/25127514/ for better formatting): $ sudo -u postgres -H createdb userdb $ cat > /tmp/prepare.sql <<EOFEOF CREATE TABLE UserLogin (Username text, ApachePassword text); INSERT INTO UserLogin VALUES ('ubuntu-invalidhash', '{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ='); INSERT INTO UserLogin VALUES ('ubuntu-md5', '$1$0UiJQbpc$QoJQqJIT1DCHtQYGwJHZh0'); INSERT INTO UserLogin VALUES ('ubuntu-sha256', '$5$.oyALiVLtCvfBa$cvNlH7IxsirDkBN/vIvHB54p0MPwqxSyiulqnYVMxt/'); INSERT INTO UserLogin VALUES ('ubuntu-sha512', '$6$mbXQ/gDvUCn$Hs6sz8LAWN3fX1I/MoaJjsYSIYs8tqOUjgoQnXLY4X1dTSlBhbyiJYpTZZDEALXw.hRL97e7l/.xI7qZi0Phe.'); INSERT INTO UserLogin VALUES ('ubuntu-des', 'CYwwQkoOVS3oE'); EOFEOF $ sudo -u postgres -H psql userdb -f /tmp/prepare.sql * Create the DB user we will use. 
Type "password" without the quotes when prompted: $ sudo -u postgres -H createuser www -P could not change directory to "/root": Permission denied Enter password for new role: Enter it again: * Grant access: $ sudo -u postgres -H psql userdb -c "GRANT SELECT ON TABLE userlogin TO www;" * Create the /var/www/html/.htaccess file: cat <<EOFEOF | sudo tee /var/www/html/.htaccess AuthType basic AuthName "My Auth" Require valid-user AuthBasicProvider pgsql Auth_PG_authoritative On Auth_PG_host 127.0.0.1 Auth_PG_port 5432 Auth_PG_user www Auth_PG_pwd password Auth_PG_database userdb Auth_PG_encrypted on Auth_PG_pwd_table UserLogin Auth_PG_uid_field Username Auth_PG_pwd_field ApachePassword EOFEOF * Setup access in apache by editing /etc/apache2/sites- enabled/000-default.conf and adding these somewhere between the <virtualhost> lines: <Directory /var/www/html> AllowOverride AuthConfig </Directory> * Enable the mod-auth-pgsql module: $ sudo a2enmod 000_auth_pgsql * Restart apache: $ sudo service apache2 restart This is now ready for testing. The database was populated with the following usernames, all with the same password "secret": ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 ubuntu-des The username that will cause a segfault is "ubuntu-invalidhash". To test each login, use a loop like this: for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o /dev/null -s && echo OK || echo FAIL; done Testing ubuntu-invalidhash... FAIL Testing ubuntu-md5... OK Testing ubuntu-sha256... OK Testing ubuntu-sha512... OK Testing ubuntu-des... OK The fixed version must have all tests with the result OK. [Regression Potential] * discussion of how regressions are most likely to manifest as a result of this change. 
* It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what ''could'' happen in the event of a regression. * This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU. [Other Info] * Anything else you think is useful to include * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board * and address these questions in advance ** Attachment added: "test-users.sql" https://bugs.launchpad.net/ubuntu/+source/libapache2-mod-auth-pgsql/+bug/1698758/+attachment/4917783/+files/test-users.sql ** Description changed: [Impact] * An explanation of the effects of the bug on users and * justification for backporting the fix to the stable release. * In addition, it is helpful, but not required, to include an explanation of how the upload fixes this bug. [Test Case] * install the packages on the Ubuntu release you are testing: $ sudo apt install apache2 libapache2-mod-auth-pgsql postgresql - * create the database and populate it (contents of prepare.sql at http://pastebin.ubuntu.com/25127514/ for better formatting): + * create the database and populate it with the test users from the attached test-users.sql file: $ sudo -u postgres -H createdb userdb - $ cat > /tmp/prepare.sql <<EOFEOF - CREATE TABLE UserLogin (Username text, ApachePassword text); - INSERT INTO UserLogin VALUES ('ubuntu-invalidhash', '{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ='); - INSERT INTO UserLogin VALUES ('ubuntu-md5', '$1$0UiJQbpc$QoJQqJIT1DCHtQYGwJHZh0'); - INSERT INTO UserLogin VALUES ('ubuntu-sha256', '$5$.oyALiVLtCvfBa$cvNlH7IxsirDkBN/vIvHB54p0MPwqxSyiulqnYVMxt/'); - INSERT INTO UserLogin VALUES ('ubuntu-sha512', '$6$mbXQ/gDvUCn$Hs6sz8LAWN3fX1I/MoaJjsYSIYs8tqOUjgoQnXLY4X1dTSlBhbyiJYpTZZDEALXw.hRL97e7l/.xI7qZi0Phe.'); - INSERT INTO UserLogin VALUES ('ubuntu-des', 'CYwwQkoOVS3oE'); - EOFEOF - $ 
sudo -u postgres -H psql userdb -f /tmp/prepare.sql + $ sudo -u postgres -H psql userdb -f test-users.sql * Create the DB user we will use. Type "password" without the quotes when prompted: $ sudo -u postgres -H createuser www -P could not change directory to "/root": Permission denied Enter password for new role: Enter it again: * Grant access: $ sudo -u postgres -H psql userdb -c "GRANT SELECT ON TABLE userlogin TO www;" * Create the /var/www/html/.htaccess file: cat <<EOFEOF | sudo tee /var/www/html/.htaccess AuthType basic AuthName "My Auth" Require valid-user AuthBasicProvider pgsql Auth_PG_authoritative On Auth_PG_host 127.0.0.1 Auth_PG_port 5432 Auth_PG_user www Auth_PG_pwd password Auth_PG_database userdb Auth_PG_encrypted on Auth_PG_pwd_table UserLogin Auth_PG_uid_field Username Auth_PG_pwd_field ApachePassword EOFEOF * Setup access in apache by editing /etc/apache2/sites- enabled/000-default.conf and adding these somewhere between the <virtualhost> lines: <Directory /var/www/html> AllowOverride AuthConfig </Directory> * Enable the mod-auth-pgsql module: $ sudo a2enmod 000_auth_pgsql * Restart apache: $ sudo service apache2 restart This is now ready for testing. The database was populated with the following usernames, all with the same password "secret": ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 ubuntu-des The username that will cause a segfault is "ubuntu-invalidhash". To test each login, use a loop like this: for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o /dev/null -s && echo OK || echo FAIL; done Testing ubuntu-invalidhash... FAIL Testing ubuntu-md5... OK Testing ubuntu-sha256... OK Testing ubuntu-sha512... OK Testing ubuntu-des... OK The fixed version must have all tests with the result OK. [Regression Potential] * discussion of how regressions are most likely to manifest as a result of this change. 
* It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what ''could'' happen in the event of a regression. * This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU. [Other Info] * Anything else you think is useful to include * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board * and address these questions in advance ** Description changed: [Impact] * An explanation of the effects of the bug on users and * justification for backporting the fix to the stable release. * In addition, it is helpful, but not required, to include an explanation of how the upload fixes this bug. [Test Case] * install the packages on the Ubuntu release you are testing: $ sudo apt install apache2 libapache2-mod-auth-pgsql postgresql * create the database and populate it with the test users from the attached test-users.sql file: $ sudo -u postgres -H createdb userdb $ sudo -u postgres -H psql userdb -f test-users.sql - * Create the DB user we will use. 
Type "password" without the quotes when prompted: - $ sudo -u postgres -H createuser www -P - could not change directory to "/root": Permission denied - Enter password for new role: - Enter it again: + * Create the DB user we will use: + $ sudo -u postgres -H psql postgres -c "CREATE ROLE www UNENCRYPTED PASSWORD 'password' NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;" + CREATE ROLE * Grant access: $ sudo -u postgres -H psql userdb -c "GRANT SELECT ON TABLE userlogin TO www;" + GRANT - * Create the /var/www/html/.htaccess file: - cat <<EOFEOF | sudo tee /var/www/html/.htaccess + * Create the /var/www/html/.htaccess with this content: AuthType basic AuthName "My Auth" Require valid-user AuthBasicProvider pgsql Auth_PG_authoritative On Auth_PG_host 127.0.0.1 Auth_PG_port 5432 Auth_PG_user www Auth_PG_pwd password Auth_PG_database userdb Auth_PG_encrypted on Auth_PG_pwd_table UserLogin Auth_PG_uid_field Username Auth_PG_pwd_field ApachePassword - EOFEOF - * Setup access in apache by editing /etc/apache2/sites- - enabled/000-default.conf and adding these somewhere between the - <virtualhost> lines: + + * Setup access in apache by editing /etc/apache2/sites-enabled/000-default.conf and adding these lines somewhere inside the <virtualhost> section: <Directory /var/www/html> AllowOverride AuthConfig </Directory> * Enable the mod-auth-pgsql module: $ sudo a2enmod 000_auth_pgsql * Restart apache: $ sudo service apache2 restart This is now ready for testing. The database was populated with the following usernames, all with the same password "secret": ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 ubuntu-des The username that will cause a segfault is "ubuntu-invalidhash". To test each login, use a loop like this: for u in ubuntu-invalidhash ubuntu-md5 ubuntu-sha256 ubuntu-sha512 ubuntu-des; do echo -n "Testing $u... "; curl -f http://$u:secret@localhost/ -o /dev/null -s && echo OK || echo FAIL; done Testing ubuntu-invalidhash... FAIL Testing ubuntu-md5... 
OK Testing ubuntu-sha256... OK Testing ubuntu-sha512... OK Testing ubuntu-des... OK The fixed version must have all tests with the result OK. [Regression Potential] * discussion of how regressions are most likely to manifest as a result of this change. * It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what ''could'' happen in the event of a regression. * This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU. [Other Info] * Anything else you think is useful to include * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board * and address these questions in advance -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libapache2-mod-auth-pgsql in Ubuntu. https://bugs.launchpad.net/bugs/1698758 Title: Encrypted password causes segmentation fault
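The five rows in the test-users table above mix two storage conventions: four values are crypt(3) strings (md5-crypt, sha256-crypt, sha512-crypt and traditional 13-character DES) and one, the "ubuntu-invalidhash" row, is the htpasswd -s format, a "{SHA}" tag followed by base64 of the SHA-1 of the password. That last row is the one the report identifies as the trigger for the segfault when Auth_PG_encrypted is on. The following is an added example, not code from libapache2-mod-auth-pgsql or from the bug report: a small format-aware checker that classifies each stored value, verifies the "{SHA}" entries with hashlib, hands the crypt(3) entries to Python's crypt module where it exists, and answers "unsupported" instead of failing for anything it does not recognise, which is the behaviour a password provider needs on unexpected input. The user names and hash values are copied from the report's test data; the function names, the result strings and the use of the crypt module (absent in Python 3.13 and later, and limited to what the platform's crypt(3) supports) are this example's own assumptions.

```python
"""Format-aware checker for the stored password hashes in the test case.

Added example (not libapache2-mod-auth-pgsql code). Rows are copied from
the report's test-users table; helper names and result strings are ours.
"""
import base64
import hashlib
import hmac
import re

try:
    import crypt  # Unix-only; deprecated in 3.11, removed in Python 3.13
except ImportError:
    crypt = None

# Copied from the report's test data (all rows share the password "secret").
TEST_USERS = {
    "ubuntu-invalidhash": "{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=",
    "ubuntu-md5": "$1$0UiJQbpc$QoJQqJIT1DCHtQYGwJHZh0",
    "ubuntu-sha256": "$5$.oyALiVLtCvfBa$cvNlH7IxsirDkBN/vIvHB54p0MPwqxSyiulqnYVMxt/",
    "ubuntu-sha512": "$6$mbXQ/gDvUCn$Hs6sz8LAWN3fX1I/MoaJjsYSIYs8tqOUjgoQnXLY4X1dTSlBhbyiJYpTZZDEALXw.hRL97e7l/.xI7qZi0Phe.",
    "ubuntu-des": "CYwwQkoOVS3oE",
}

_CRYPT_PREFIXES = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt"}
_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional DES crypt(3) output


def classify(stored: str) -> str:
    """Name the scheme a stored value uses, or 'unknown' if none matches."""
    if stored.startswith("{SHA}"):
        return "htpasswd-sha1"
    for prefix, name in _CRYPT_PREFIXES.items():
        if stored.startswith(prefix):
            return name
    if _DES_RE.match(stored):
        return "des-crypt"
    return "unknown"


def verify(password: str, stored: str) -> str:
    """Return 'ok', 'mismatch' or 'unsupported'; never raise on odd input."""
    scheme = classify(stored)
    if scheme == "htpasswd-sha1":
        # htpasswd -s stores base64(SHA-1(password)) after the {SHA} tag.
        try:
            expected = base64.b64decode(stored[len("{SHA}"):], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return "unsupported"
        digest = hashlib.sha1(password.encode("utf-8")).digest()
        return "ok" if hmac.compare_digest(digest, expected) else "mismatch"
    if scheme in ("md5-crypt", "sha256-crypt", "sha512-crypt", "des-crypt"):
        if crypt is None:
            return "unsupported"
        try:
            # Passing the full stored string as the salt re-runs the same scheme.
            computed = crypt.crypt(password, stored)
        except (OSError, ValueError):
            return "unsupported"
        if computed is None or len(computed) != len(stored):
            return "unsupported"  # platform crypt(3) lacks this scheme
        return "ok" if hmac.compare_digest(computed, stored) else "mismatch"
    return "unsupported"


def check_all(password: str, users=None) -> dict:
    """Map each user to (scheme, result) for one candidate password."""
    users = TEST_USERS if users is None else users
    return {user: (classify(h), verify(password, h)) for user, h in users.items()}


if __name__ == "__main__":
    for user, (scheme, result) in check_all("secret").items():
        print(f"{user:20s} {scheme:15s} {result}")
```

Run as a script it prints one line per test user. The "{SHA}" row verifies with the stock library, so the report's "invalidhash" label describes the module's view of that format, not the hash itself; the crypt rows report "ok" only where the platform's crypt(3) implements the scheme, and "unsupported" otherwise, which is the same outcome a robust provider should produce rather than a crash.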