Bug 1823626 - Incorrect awstats.conf leading to inaccessible resources
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: awstats
Version: epel8
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Tim Jackson
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2020-04-14 05:30 UTC by Max
Modified: 2020-08-25 01:19 UTC

Fixed In Version: awstats-7.8-1.el8
Clone Of:
Environment:
Last Closed: 2020-08-25 01:19:41 UTC
Type: Bug
Embargoed:


Attachments
Fix incorrect paths in awstats.conf (1.30 KB, text/plain)
2020-08-05 07:18 UTC, Tim Jackson

Description Max 2020-04-14 05:30:02 UTC
Description of problem:
/etc/httpd/conf.d/awstats.conf file in the awstats package
1. has incorrect paths /usr/local instead of /usr/share
2. does not provide configuration for mod_authz_core module
   while mod_access_compat directives are ignored
So HTTP requests to awstats resources, e.g. icons, fail with errors

Version-Release number of selected component (if applicable):
CentOS-8.1 and RHEL-8.1
awstats-7.7-5.el8.noarch

How reproducible:
Can be easily reproduced.

Steps to Reproduce:
1. Install httpd
2. Install awstats (currently it requires --enablerepo epel-testing
   due to the Bug #1819456 related to required perl packages)
3. Try to get some icon
   curl -I 127.0.0.1/awstatsicons/cpu/ibm.png

Actual results:
HTTP/1.1 403 Forbidden
in the case of simple curl request

Statistics page lacks icons.

If fail2ban is installed on the server and statistics page
is accessed from a browser then the client IP is banned.

Expected results:
HTTP/1.1 200 OK
in the case of the curl request

Working statistics pages.


Additional info:

Expected configuration shipped in the package

--- /etc/httpd/conf.d/awstats.conf.orig 2020-04-14 04:53:51.327456372 +0000
+++ /etc/httpd/conf.d/awstats.conf      2020-04-14 05:16:14.134450340 +0000
@@ -12,18 +12,17 @@
 # Directives to add to your Apache conf file to allow use of AWStats as a CGI.
 # Note that path "/usr/local/awstats/" must reflect your AWStats install path.
 #
-Alias /awstatsclasses "/usr/local/awstats/wwwroot/classes/"
-Alias /awstatscss "/usr/local/awstats/wwwroot/css/"
-Alias /awstatsicons "/usr/local/awstats/wwwroot/icon/"
-ScriptAlias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/"
+Alias /awstatsclasses "/usr/share/awstats/wwwroot/classes/"
+Alias /awstatscss "/usr/share/awstats/wwwroot/css/"
+Alias /awstatsicons "/usr/share/awstats/wwwroot/icon/"
+ScriptAlias /awstats/ "/usr/share/awstats/wwwroot/cgi-bin/"
 
 
 #
 # This is to permit URL access to scripts/files in AWStats directory.
 #
-<Directory "/usr/local/awstats/wwwroot">
+<Directory "/usr/share/awstats/wwwroot">
     Options None
     AllowOverride None
-    Order allow,deny
-    Allow from all
+    Require all granted
 </Directory>
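
Review bot: `Require all granted` in the `<Directory "/usr/share/awstats/wwwroot">` block applies to the whole tree, including the `cgi-bin/` directory that the `ScriptAlias /awstats/` line maps, so the packaged default lets any client reach the CGI. It matches the old `Allow from all`, but consider a narrower default such as `Require local` and let administrators widen it. The unchanged context comment above the aliases also still names "/usr/local/awstats/" as the path; update it to /usr/share/awstats/ in the same change.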

Notice in /etc/httpd/conf/httpd.conf
<Directory />
    AllowOverride none
    Require all denied
</Directory>

https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html
> The directives provided by mod_access_compat have been deprecated by mod_authz_host. Mixing old directives like Order, Allow or Deny with new ones like Require is technically possible but discouraged.

/var/log/httpd/error_log
[Tue Apr 14 12:14:06.391873 2020] [authz_core:debug] [pid 5410:tid 140559473682176] mod_authz_core.c(820): [client 127.0.0.1:53888] AH01626: authorization result of Require all denied: denied
[Tue Apr 14 12:14:06.391909 2020] [authz_core:debug] [pid 5410:tid 140559473682176] mod_authz_core.c(820): [client 127.0.0.1:53888] AH01626: authorization result of <RequireAny>: denied
[Tue Apr 14 12:14:06.391914 2020] [authz_core:error] [pid 5410:tid 140559473682176] [client 127.0.0.1:53888] AH01630: client denied by server configuration: /usr/local/awstats
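
A small audit for the two defects this report describes (alias targets that do not exist, and a Directory block with only Order/Allow and no Require), run over the before and after directives from the diff. This is an added example, not part of the bug report or the awstats package; the `audit` function, its messages and the `installed` stand-in for the filesystem are assumptions made for illustration.

```python
import os
import re

ALIAS = re.compile(r'^\s*(?:Script)?Alias\s+(\S+)\s+"?([^"\s]+)"?', re.I)
DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+)"?\s*>', re.I)
DIR_CLOSE = re.compile(r'^\s*</Directory>', re.I)
LEGACY = re.compile(r'^\s*(Order|Allow|Deny)\b', re.I)  # mod_access_compat
REQUIRE = re.compile(r'^\s*Require\b', re.I)            # mod_authz_core
# Sample input: shipped directives, copied from the "-" side of the diff.
SHIPPED = '''\
Alias /awstatsicons "/usr/local/awstats/wwwroot/icon/"
ScriptAlias /awstats/ "/usr/local/awstats/wwwroot/cgi-bin/"
<Directory "/usr/local/awstats/wwwroot">
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
'''
# The same directives as on the "+" side of the diff.
PATCHED = (SHIPPED.replace("/usr/local/", "/usr/share/")
           .replace("    Order allow,deny\n    Allow from all\n",
                    "    Require all granted\n"))


def audit(conf_text, path_exists=os.path.isdir):
    """Return (line_number, message) findings for an httpd conf fragment."""
    findings, block = [], None
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = ALIAS.match(line)
        if m and not path_exists(m.group(2)):
            findings.append((no, f"{m.group(1)}: target {m.group(2)} missing"))
        m = DIR_OPEN.match(line)
        if m:
            block = {"path": m.group(1), "line": no, "legacy": False, "require": False}
        elif block and LEGACY.match(line):
            block["legacy"] = True
        elif block and REQUIRE.match(line):
            block["require"] = True
        elif block and DIR_CLOSE.match(line):
            # Per the report, such a block gets 403 on a stock httpd 2.4.
            if block["legacy"] and not block["require"]:
                findings.append((block["line"], f"{block['path']}: no Require"))
            block = None
    return findings


if __name__ == "__main__":
    installed = lambda p: p.startswith("/usr/share/awstats/")  # stand-in filesystem
    print(audit(SHIPPED, installed), audit(PATCHED, installed))
```

On a real host, call `audit(open("/etc/httpd/conf.d/awstats.conf").read())` so the default `os.path.isdir` check runs against the installed tree.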

Comment 1 Tim Jackson 2020-08-05 07:18:24 UTC
Created attachment 1710477
Fix incorrect paths in awstats.conf

Trivial patch to fix this

Comment 2 Tim Jackson 2020-08-05 07:19:53 UTC
I've attached a patch and shared this with the maintainer; however, even after applying this patch I've noted some other path-related issues (references to /usr/local/awstats in various files)

Comment 3 Fedora Update System 2020-08-07 02:59:41 UTC
FEDORA-EPEL-2020-3e15414000 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-3e15414000

Comment 4 Fedora Update System 2020-08-08 01:33:55 UTC
FEDORA-EPEL-2020-3e15414000 has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-3e15414000

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2020-08-10 01:08:06 UTC
FEDORA-EPEL-2020-539ebf7d91 has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-539ebf7d91

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2020-08-25 01:19:41 UTC
FEDORA-EPEL-2020-539ebf7d91 has been pushed to the Fedora EPEL 8 stable repository.
If problem still persists, please make note of it in this bug report.

