mod_shib takes over valid-user for entire server

Description

The native SP, when built for Apache 2.4, currently registers an authorization hook for valid-user:

ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "valid-user", AUTHZ_PROVIDER_VERSION, &shib_authz_validuser_provider, AP_AUTH_INTERNAL_PER_CONF);

which dispatches to shib_validuser_check_authz, which in turn requires the existence of a Shibboleth session. It does this without checking the Apache auth type. It therefore requires a Shibboleth session even for URLs that are protected by a completely different auth type (checked with WebAuth and Kerberos, but I suspect this would be the case even for Basic) and rejects the authorization by returning AUTHZ_DENIED_NO_USER. This means that if mod_shib is loaded, one cannot use any other auth provider to protect a different part of the URL space. This is true even if ShibDisable is set to on.

I'm not sure how to fix it. If I'm understanding the Apache core code correctly, only one module is allowed to provide a given require type, and the last module to register wins. So when mod_shib registers, it just blows away the registration by mod_authz_user. The module could return AUTHZ_NEUTRAL, but I don't think that allows a fallback to mod_authz_user, which would be the ideal behavior.

You could fall back on providing the mod_authz_user behavior, namely return AUTHZ_GRANTED iff r->user is non-NULL if ap_auth_type is not Shibboleth, but that makes me leery. But there doesn't seem to be a way to selectively register a require type only for some directory configs.

Environment

Shibboleth 2.5.1 as packaged for Debian, Debian Apache 2.4.4-5, and both mod_webauth and mod_auth_kerb as other authentication modules.

Activity

Scott Cantor June 18, 2013 at 2:24 AM

Closing on release.

Scott Cantor June 3, 2013 at 5:00 PM

http://svn.shibboleth.net/view/cpp-sp?rev=3860&view=rev

Patch adds a new server-wide option, ShibCompatValidUser, defaults Off. If unset, current behavior applies, and require valid-user stays as is, for compatibility.

If set, valid-user behaves the same as mod_authz_user, and checks for a username (actually it fixes an Apache bug, it checks for a non-empty username).

When set, existing mod_shib rules need to be changed to the new rule label, shib-session. I have also backported shib-session support into the pre-2.4 code so that people can migrate.

Checking for AuthType is how I would have preferred to key this, but the way the module decides on AuthTypes to handle is more exotic than most now because of changes requested by the Moonshot guys, and it's not actually easy for me to tell in the module code anymore. A future API change may be able to address that.

This should apply more or less as is to a 2.5.1 build if you need it for Debian. More testing would be good anyway.

I did add a log for denial in my rules, but to be honest, it wasn't much easier to debug. The order that Apache invokes all this new stuff is really complicated and happens multiple times and it didn't actually look like you would expect it to when I configured it to reproduce this.
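The configuration below is an added illustration of the migration the patch comment describes; it is not from the issue or from the Shibboleth project. It assumes an SP build that carries the ShibCompatValidUser option and the shib-session rule (cpp-sp r3860, or the 2.5.1 backport mentioned above), that mod_shib, mod_auth_kerb and mod_authz_user are already loaded, and that the /secure and /kerberos paths, the realm and the keytab location are placeholders.

```apacheconf
# Server-wide: give "Require valid-user" its mod_authz_user meaning back,
# i.e. grant iff the request carries a non-empty username, regardless of
# which AuthType populated it. Defaults to Off, which keeps the old behaviour
# where mod_shib's valid-user provider demands a Shibboleth session everywhere.
ShibCompatValidUser On

# Part of the URL space protected by Shibboleth (placeholder path).
<Location /secure>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    # With ShibCompatValidUser On, "Require valid-user" no longer means
    # "has a Shibboleth session", so existing mod_shib rules move to the
    # new rule label.
    Require shib-session
</Location>

# Part of the URL space protected by Kerberos via mod_auth_kerb
# (placeholder path, realm and keytab).
<Location /kerberos>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthRealms EXAMPLE.COM
    Krb5Keytab /etc/apache2/http.keytab
    # Satisfied by the Kerberos principal in r->user; before the patch, or with
    # ShibCompatValidUser left Off, this location would instead fail with
    # AUTHZ_DENIED_NO_USER because no Shibboleth session exists here.
    Require valid-user
</Location>
```

Because the option is server-wide, it is safest to switch it on and rename every existing "Require valid-user" under AuthType shibboleth to "Require shib-session" in the same change; any Shibboleth-protected location left on valid-user afterwards is still protected by requireSession, but its authorization check degrades to "a username is present" rather than "a Shibboleth session exists".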

Russ Allbery June 3, 2013 at 1:39 AM

I should have instead said "if mod_shib is loaded, one cannot use require valid-user with any other auth provider protecting a different part of the URL space." Everything continues to work fine, of course, if the require directives in use are something other than valid-user, since the other require directives are module-specific.

On a somewhat related note, this was quite hard to debug. It took me a couple of hours of tracing code to figure out what was going on. If the authorization checker hooks installed by mod_shib could produce some debug output, it would make tracking things like this down considerably easier.

Fixed

Details

Assignee

Scott Cantor

Reporter

Fix versions

Affects versions

Created June 3, 2013 at 1:34 AM
Updated June 18, 2013 at 2:24 AM
Resolved June 3, 2013 at 5:00 PM