Bug 1347298
| Field | Value |
|---|---|
| Summary | mod_nss sets r->user in fixup even if it was long ago changed by other module |
| Product | Red Hat Enterprise Linux 7 |
| Component | mod_nss |
| Version | 7.2 |
| Reporter | Jan Pazdziora <jpazdziora> |
| Assignee | Matthew Harmsen <mharmsen> |
| QA Contact | Kaleem <ksiddiqu> |
| CC | jpazdziora, rcritten, spoore |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Target Milestone | rc |
| Target Release | 7.3 |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | mod_nss-1.0.14-2.el7 |
| Doc Type | If docs needed, set a value |
| Type | Bug |
| Bug Blocks | 1431206 |
| Last Closed | 2016-11-03 21:20:44 UTC |
Description (Jan Pazdziora, 2016-06-16 13:17:27 UTC)
The proposed patch is: diff --git a/nss_engine_kernel.c b/nss_engine_kernel.c index b35ba6a..fe02337 100644 --- a/nss_engine_kernel.c +++ b/nss_engine_kernel.c @@ -953,9 +953,9 @@ int nss_hook_Fixup(request_rec *r) } /* - * Set r->user if requested + * Set r->user if requested and if not set earlier in access phase */ - if (dc->szUserName) { + if ((dc->nOptions & SSL_OPT_FAKEBASICAUTH) == 1 && dc->szUserName) { val = nss_var_lookup(r->pool, r->server, r->connection, r, (char *)dc->szUserName); if (val && val[0]) { The expression will likely never be 1 -- let's make it diff --git a/nss_engine_kernel.c b/nss_engine_kernel.c index b35ba6a..f6d119d 100644 --- a/nss_engine_kernel.c +++ b/nss_engine_kernel.c @@ -953,9 +953,9 @@ int nss_hook_Fixup(request_rec *r) } /* - * Set r->user if requested + * Set r->user if requested and if not set earlier in access phase */ - if (dc->szUserName) { + if ((dc->nOptions & SSL_OPT_FAKEBASICAUTH) && dc->szUserName) { val = nss_var_lookup(r->pool, r->server, r->connection, r, (char *)dc->szUserName); if (val && val[0]) { This is not just cosmetic issue, it actually breaks mod_lookup_identity when it tries to lookup attributes and group membership later in the fixup phase. (In reply to Jan Pazdziora from comment #4) > This is not just cosmetic issue, it actually breaks mod_lookup_identity when > it tries to lookup attributes and group membership later in the fixup phase. Patch from comment 2 fixes that as well. mod_ssl dropped setting r->user in the Fixup hook altogether. mod_nss should do the same IMHO. Created attachment 1173551 [details]
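Review bot: the guard in the first hunk, `(dc->nOptions & SSL_OPT_FAKEBASICAUTH) == 1`, compares a masked flag with the literal 1, which only holds if SSL_OPT_FAKEBASICAUTH happens to be bit 0; otherwise, as the follow-up comment says, the expression is never 1 and the whole `r->user` block becomes dead code. Test the masked value for non-zero instead: `if ((dc->nOptions & SSL_OPT_FAKEBASICAUTH) && dc->szUserName) {`.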
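Review bot: in the second hunk the new comment promises r->user is set only "if not set earlier in access phase", but the condition checks the FakeBasicAuth option, not whether `r->user` is already populated; with that option on, a user set earlier by mod_lookup_identity would still be overwritten by the NSSUserName lookup. Either make the guard match the comment (`if (r->user == NULL && dc->szUserName) {`) or, as attachment 1173551 later does and as mod_ssl already did, drop the block from nss_hook_Fixup() altogether so that this hook never touches r->user.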
Remove setting 'r->user' in nss_hook_Fixup()
Created attachment 1173552 [details]
mod_nss.spec file diffs
Comment on attachment 1173551 [details]
Remove setting 'r->user' in nss_hook_Fixup()
Re-confirmed that mod_ssl works in the same way.
Confirmed that all tests pass.
Confirmed that the access log correctly records users authenticated with certificates.
Comment on attachment 1173552 [details]
mod_nss.spec file diffs
You should use your name in the changelog for this (and perhaps set the date to the 28th).
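To make the hook-ordering problem concrete, here is an added C model of the request pipeline, written for this page rather than taken from mod_nss or mod_lookup_identity: the request and directory-config structs, the value of SSL_OPT_FAKEBASICAUTH, the certificate-to-user mapping and the PEM stub are all assumptions of the model. It compares the original Fixup logic, the comment-2 patch and the final "leave r->user alone" behaviour under the NSSUserName SSL_CLIENT_CERT configuration used in the verification log.

```c
#include <string.h>
/* Assumed flag value for this model only; the real constant lives in mod_nss. */
#define SSL_OPT_FAKEBASICAUTH 0x1

struct request_rec { const char *user; const char *client_cert; };
struct dirconf     { int nOptions; const char *szUserName; };
typedef void (*fixup_fn)(struct request_rec *, const struct dirconf *);

/* Stand-in for nss_var_lookup(): the model only knows SSL_CLIENT_CERT. */
static const char *var_lookup(const struct request_rec *r, const char *name)
{
    return strcmp(name, "SSL_CLIENT_CERT") == 0 ? r->client_cert : NULL;
}

/* Earlier phase (modelled mod_lookup_identity): certificate -> account name. */
static void access_phase(struct request_rec *r)
{
    if (r->client_cert) r->user = "testuser";   /* constructed mapping */
}

/* Fixup before the fix: always overwrites r->user from the NSSUserName variable. */
static void fixup_before(struct request_rec *r, const struct dirconf *dc)
{
    const char *val = dc->szUserName ? var_lookup(r, dc->szUserName) : NULL;
    if (val && val[0]) r->user = val;
}

/* Fixup with the comment-2 patch: same overwrite, but only when FakeBasicAuth is on. */
static void fixup_patched(struct request_rec *r, const struct dirconf *dc)
{
    if (dc->nOptions & SSL_OPT_FAKEBASICAUTH) fixup_before(r, dc);
}

/* Fixup as finally shipped (attachment 1173551): r->user is left alone. */
static void fixup_final(struct request_rec *r, const struct dirconf *dc)
{
    (void)r; (void)dc;
}

/* Run the modelled pipeline with NSSUserName SSL_CLIENT_CERT and the given
   option bits; returns what later modules and the access log see as the user. */
const char *user_after_fixup(fixup_fn fixup, int nOptions)
{
    struct request_rec r = { NULL, "-----BEGIN CERTIFICATE-----\nMIIEB...\n" }; /* constructed stub */
    const struct dirconf dc = { nOptions, "SSL_CLIENT_CERT" };
    access_phase(&r);
    fixup(&r, &dc);
    return r.user;   /* string literals, so valid after r goes out of scope */
}
```

With the original Fixup the user name handed to later modules is the PEM blob rather than "testuser", which is exactly what broke the attribute and group lookup described in the report.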
Verified.

Version ::

Results ::

# Note: vm1.example.com is IPA Master
# vm3.example.com is IPA Client for test
[root@vm3 ~]# kinit admin
Password for admin:
[root@vm3 ~]# ipa service-add HTTP/$(hostname) --force
------------------------------------------------
Added service "HTTP/vm3.example.com"
------------------------------------------------
Principal name: HTTP/vm3.example.com
Principal alias: HTTP/vm3.example.com
Managed by: vm3.example.com
[root@vm3 ~]# CERTSUBJ=$(ipa config-show | grep 'Certificate Subject base'|awk '{print $4}')
[root@vm3 ~]# echo $CERTSUBJ
O=EXAMPLE.COM
[root@vm3 alias]# certutil -R -s "CN=$(hostname),$CERTSUBJ" -d . -a -z /etc/group > /tmp/$(hostname).csr
Generating key. This may take a few moments...
[root@vm3 alias]# ipa cert-request --principal=HTTP/$(hostname) /tmp/$(hostname).csr
Issuing CA: ipa
Certificate: MIIED....cert truncated...
Subject: CN=vm3.example.com,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Not Before: Tue Sep 20 22:53:06 2016 UTC
Not After: Fri Sep 21 22:53:06 2018 UTC
Fingerprint (MD5): 3b:45:b8:a6:c6:d4:14:67:e6:61:76:0f:b0:86:a6:98
Fingerprint (SHA1): ae:5e:7d:14:08:93:ed:e0:98:13:63:12:ab:99:23:24:4f:73:52:f7
Serial number: 11
Serial number (hex): 0xB
[root@vm3 alias]# ipa service-show HTTP/$(hostname) --out=/tmp/$(hostname).crt
--------------------------------------------------------
Certificate(s) stored in file '/tmp/vm3.example.com.crt'
--------------------------------------------------------
Principal name: HTTP/vm3.example.com
Principal alias: HTTP/vm3.example.com
Certificate: MIIED...cert truncated...
Subject: CN=vm3.example.com,O=EXAMPLE.COM
Serial Number: 11
Serial Number (hex): 0xB
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Not Before: Tue Sep 20 22:53:06 2016 UTC
Not After: Fri Sep 21 22:53:06 2018 UTC
Fingerprint (MD5): 3b:45:b8:a6:c6:d4:14:67:e6:61:76:0f:b0:86:a6:98
Fingerprint (SHA1): ae:5e:7d:14:08:93:ed:e0:98:13:63:12:ab:99:23:24:4f:73:52:f7
Keytab: False
Managed by: vm3.example.com
[root@vm3 alias]# wget http://vm1.example.com/ipa/config/ca.crt
--2016-09-20 17:53:29-- http://vm1.example.com/ipa/config/ca.crt
Resolving vm1.example.com (vm1.example.com)... 192.168.122.151
Connecting to vm1.example.com (vm1.example.com)|192.168.122.151|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1307 (1.3K) [application/x-x509-ca-cert]
Saving to: ‘ca.crt’
100%[=============================================================>] 1,307 --.-K/s in 0s
2016-09-20 17:53:29 (350 MB/s) - ‘ca.crt’ saved [1307/1307]
[root@vm3 alias]# certutil -A -n $(hostname) -d . -t u,u,u -a < /tmp/$(hostname).crt
Notice: Trust flag u is set automatically if the private key is present.
[root@vm3 alias]# certutil -d . -L
Certificate Nickname        Trust Attributes
                            SSL,S/MIME,JAR/XPI
cacert                      CTu,Cu,Cu
beta                        u,pu,u
vm3.example.com             u,u,u
alpha                       u,pu,u
Server-Cert                 u,u,u
[root@vm3 alias]# certutil -V -u V -d . -n $(hostname)
certutil: certificate is valid
[root@vm3 alias]# sed -ie "s/Server-Cert/$(hostname)/g" /etc/httpd/conf.d/nss.conf
[root@vm3 alias]# sed -ie "s/^\(NSSRenegotiation\).*$/\1 on/g" /etc/httpd/conf.d/nss.conf
[root@vm3 alias]# service httpd restart
Redirecting to /bin/systemctl restart httpd.service
[root@vm3 alias]# sed -i 's/\(services = .*$\)/\1, ifp/' /etc/sssd/sssd.conf
[root@vm3 alias]# cat >> /etc/sssd/sssd.conf <<EOF
> allowed_uids = apache, root
> EOF
[root@vm3 alias]# yum -y install sssd-dbus
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
...yum truncated...
[root@vm3 alias]# systemctl restart sssd
[root@vm3 alias]# cat > /etc/httpd/conf.d/mywebapp.conf <<EOF
> LoadModule lookup_identity_module modules/mod_lookup_identity.so
> <Location /mywebapp>
> NSSVerifyClient require
> NSSUserName SSL_CLIENT_CERT
> LookupUserByCertificate On
> </Location>
> EOF
[root@vm3 alias]# mkdir /var/www/html/mywebapp
[root@vm3 alias]# setsebool -P httpd_dbus_sssd 1
[root@vm3 alias]# echo PASS > /var/www/html/mywebapp/index.html
[root@vm3 alias]# systemctl restart httpd
[root@vm3 alias]# ipa user-add testuser --first=test --last=user
---------------------
Added user "testuser"
---------------------
User login: testuser
First name: test
Last name: user
Full name: test user
Display name: test user
Initials: tu
Home directory: /home/testuser
GECOS: test user
Login shell: /bin/sh
Principal name: testuser
Principal alias: testuser
Email address: testuser
UID: 635200001
GID: 635200001
Password: False
Member of groups: ipausers
Kerberos keys available: False
[root@vm3 ~]# openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout testuser.key -out testuser.csr -subj '/CN=testuser'
Generating a 2048 bit RSA private key
.............+++
.....................................................................................................................................+++
writing new private key to 'testuser.key'
-----
[root@vm3 ~]# ipa cert-request testuser.csr --principal testuser
Issuing CA: ipa
Certificate: MIIEB...cert truncated...
Subject: CN=testuser,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Not Before: Tue Sep 20 23:02:46 2016 UTC
Not After: Fri Sep 21 23:02:46 2018 UTC
Fingerprint (MD5): 8d:62:80:40:f3:a5:21:76:3e:2d:c8:2b:aa:17:5f:ff
Fingerprint (SHA1): f0:6b:16:d7:b4:33:e7:b1:60:7e:bd:69:0f:7a:fc:26:15:30:9d:55
Serial number: 12
Serial number (hex): 0xC
[root@vm3 ~]# ipa user-show testuser --out=testuser.crt
--------------------------------------------
Certificate(s) stored in file 'testuser.crt'
--------------------------------------------
User login: testuser
First name: test
Last name: user
Home directory: /home/testuser
Login shell: /bin/sh
Principal name: testuser
Principal alias: testuser
Email address: testuser
UID: 635200001
GID: 635200001
Certificate: MIIEB...cert truncated...
Account disabled: False
Password: False
Member of groups: ipausers
Kerberos keys available: False
[root@vm3 ~]# cd /etc/httpd/alias/
[root@vm3 alias]# chown apache /etc/http.keytab
[root@vm3 alias]# chmod 600 /etc/http.keytab
[root@vm3 alias]# service httpd restart
Redirecting to /bin/systemctl restart httpd.service
[root@vm3 alias]# setsebool -P httpd_dbus_sssd 1
[root@vm3 alias]# curl --key /root/testuser.key --cert /root/testuser.crt -ki https://$( hostname ):8443/mywebapp/
HTTP/1.1 200 OK
Date: Tue, 20 Sep 2016 23:14:16 GMT
Server: Apache/2.4.6 (Red Hat Enterprise Linux) mod_nss/1.0.14 NSS/3.21 Basic ECC
Last-Modified: Tue, 20 Sep 2016 23:00:52 GMT
ETag: "5-53cf8667b6ccf"
Accept-Ranges: bytes
Content-Length: 5
Content-Type: text/html; charset=UTF-8

PASS
[root@vm3 alias]# tail -1 /var/log/httpd/access_log
192.168.122.153 - testuser [20/Sep/2016:18:14:16 -0500] "GET /mywebapp/ HTTP/1.1" 200 5

Forgot to add version.
mod_nss-1.0.14-5.el7.x86_64

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHSA-2016-2602.html