On Tue, 2015-09-08 at 12:52 +1000, Tony Butt wrote:
> On Tue, 2015-09-08 at 09:41 +1000, Tony Butt wrote:
>
> > On Mon, 2015-09-07 at 10:20 +0200, Branko Čibej wrote:
> >
> > >
> > > On 07.09.2015 10:07, Tony Butt wrote:
> > > > On Mon, 2015-09-07 at 09:59 +0200, Branko Čibej wrote:
> > > >> On 07.09.2015 02:16, Tony Butt wrote:
> > > >>
> > > >>> On 07/09/15 10:10, Tony Butt wrote:
> > > >>>
> > > >>>>> # Compression options
> > > >>>>> AddOutputFilterByType DEFLATE text/html text/plain text/xml
> > > >>>>> SetInputFilter DEFLATE
> > > >>>>>
> > > >>>>> # Krb Authentication
> > > >>>>> Include /etc/apache2/krb.conf
> > > >>>>>
> > > >>>>> AuthDBMType default
> > > >>>>> AuthDBMGroupFile /srv/www/groupsdb
> > > >>>>> <RequireAll>
> > > >>>>> Require group software hardware
> > > >>>>> Require valid-user
> > > >>>>> </RequireAll>
> > > >>>>>
> > > >>>>> AuthZSVNAccessFile /srv/svn/access
> > > >>>>>
> > > >>>>>
> > > >>>>> </Location>
> > > >>>>>
> > > >>>>>
> > > >>>>> I installed the subversion 1.9.0 RC a little while back on this
> > > >>>> machine,
> > > >>>>> all OK.
> > > >>>>> Installed subversion 1.9.0 release Monday, had to set
> > > >>>>> --enable-broken-httpd-auth
> > > >>>>> to build successfully. Went to the apache config and ensured
> > > >>>> that nobrane_at_wandisco.com
> > > >>>>> unauthenticated access was possible to the document root. All
> > > >>>> OK.
> > > >>>>> I installed subversion 1.9.1 yesterday, built and installed OK.
> > > >>>>> On testing repos access, I can browse to
> > > >>>> http://hostname/repos/ ,
> > > >>>>> but any attempt to access http://hostname/repos/name1
> > > >>>>> fails, with this message at the browser.
> > > >>>>> cea_sw_dev/
> > > >>>>> "Unauthorized This server could not verify that you are
> > > >>>> authorized to
> > > >>>>> access the document requested. Either you supplied the wrong
> > > >>>> credentials
> > > >>>>> (e.g., bad password), or your browser doesn't understand how to
> > > >>>> supply
> > > >>>>> the credentials required."
> > > >>>>>
> > > >>>>> Reverting to Subversion 1.8.13, or 1.9.0 resolves this.
> > > >>>>> Changing the configuration to not use SVNParentPath, by
> > > >>>> specifying
> > > >>>>> individual repositories with SVNPath resolves this too.
> > > >>>>> Some interaction between the svnauthz changes and SVNParentPath
> > > >>>> seems to
> > > >>>>> be broken
> > > >>>> When you upgraded Subversion, did you also restart httpd? (Using
> > > >>>> 'apachectl graceful' or 'apachectl restart' or reasonable
> > > >>>> equivalent.)
> > > >>>> brane_at_wandisco.com
> > > >>>> -- Brane
> > > >>>>
> > > >>> cea_sw_dev/
> > > >>> Sorry for the delayed reply, I have been off work sick for a while,
> > > >>> and am only just subscribing to the list.
> > > >>> Sorry also for the somewhat dodgy reply format too, working around
> > > >>> the non-subscription.
> > > >>>
> > > >>> Yes, I did restart httpd - I went through the sequence of changing
> > > >>> installed versions at least twice as well, restarting each time.
> > > >>>
> > > >>> I looked at the changelog for 1.9.1, and didn't see anything
> > > >>> obvious, but...
> > > >>>
> > > >>> I can easily test against our config if there is a change you want
> > > >>> tested - OTOH, it might be configuration or user error (unlikely,
> > > >>> but possible). I'm not new to subversion though, so I hope I covered
> > > >>> the obvious stuff...
> > > >>
> > > >> At the moment, considering another report, it seems that the problem
> > > >> stems from an interaction between Kerberos authentication and one of
> > > >> the recent security fixes in either httpd or Subversion (CVE-2015-3185
> > > >> or -3184). If that's the case, then it's probably not specific to
> > > >> 1.9.1 but exists in 1.9.0, 1.8.14 and 1.7.22 as well, always in
> > > >> combination with httpd-2.4.16.
> > > >>
> > > >> I'm trying to track this down but haven't had much success yet.
> > > >>
> > > >> -- Brane
> > > > I was able to test this on the same system, with Subversion 1.9.0,
> > >
> > > Are you sure you were using 1.9.0, not one of the release candidates?
> >
> > I'm fairly sure, but will double check shortly
> >
> > >
> > > > and
> > > > 1.8.13 as well, and did not see the same problem.
> > >
> > > 1.8.13 does not have the CVE-2015-3184 security fix.
> > >
> > > > I don't have 1.8.14, but can build and test it if you like.
> > >
> > > Please do!
> >
> > I'll do that soon too
> >
> > >
> > > > I can probably also test against mod_auth_sasl, if that would help - we
> > > > run that on an older machine, and I should be able to copy the config.
> > >
> > > It would be good to compare SASL and KRB, yes.
> >
> > That will take a little more work, I'll reply when I have it done.
> >
> > >
> > > -- Brane
> >
> >
>
> I have tested against Svn 1.8.14, 1.9.0, 1.9.1, releases. Results as
> below
>
> Environment, Ubuntu 14.04.02, Apache 2.4.7, mod_auth_krb 5.4,
> mod_authn_sasl 1.2
>
> Authenticating against mod_auth_krb, authentication provided by a
> windows domain server,
> * Subversion 1.9.1 gives an authentication error when accessing
> repositories under an SVNParentPath.
> I can access the parent path to display the available
> repositories.
> * Subversion 1.9.0 does not give an authentication error with
> SVNParentPath
> * Subversion 1.8.14 does not give an authentication error with
> SVNParentPath
>
>
> Authenticating against mod_authn_sasl (saslauthd configured to use the
> same Kerberos provider as mod_auth_krb config)
> * Subversion 1.9.1 does not give an authentication error when
> accessing repositories under an SVNParentPath.
> * Subversion 1.9.0 does not give an authentication error when
> accessing repositories under an SVNParentPath.
> * Subversion 1.8.14 does not give an authentication error when
> accessing repositories under an SVNParentPath.
>
> As noted previously, when not using SVNParentPath, there is no problem
> accessing the repository with Svn 1.9.1
>
If it helps, I looked into the apache access log for this, and saw
this...
When accessing the repos path , http://oldwolf.cea.com.au/repos/CEA/
(and failing), this is shown in the log
172.16.2.39 - - [08/Sep/2015:12:54:39 +1000] "GET /repos/CEA/ HTTP/1.1" 401 683 "http://oldwolf.cea.com.au/repos/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0"
When accessing the Parent path, http://oldwolf.cea.com.au/repos/, this
is shown in the log
172.16.2.39 - - [08/Sep/2015:12:54:54 +1000] "GET /repos/ HTTP/1.1" 401 752 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0"
172.16.2.39 - tjb [08/Sep/2015:12:54:54 +1000] "GET /repos/ HTTP/1.1" 200 708 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0"
> Tony
>
>
> >
> >
> >
>
>
>
--
Tony Butt <tony.butt_at_cea.com.au>
CEA Technologies
Received on 2015-09-08 05:30:23 CEST