diff --git a/enabled_in_check_uid.patch b/enabled_in_check_uid.patch
new file mode 100644
index 0000000..ba99055
--- /dev/null
+++ b/enabled_in_check_uid.patch
@@ -0,0 +1,34 @@
+commit 912aa852ebd78577f59cf7958c709acea98ace4c
+Author: John Dennis
+Date: Fri Apr 8 09:01:22 2016 -0400
+
+ am_check_uid() should be no-op if mellon not enabled
+
+ mod_auth_mellon was interferring with other Apache authentication
+ modules (e.g. mod_auth_kerb) because when the Apache check_user_id
+ hook ran the logic in am_check_uid would execute even if mellon was
+ not enabled for the location. This short circuited the hook execution
+ and never allowed the authentication enabled for the location to
+ execute. It resulted in HTTP_UNAUTHORIZED being returned with the
+ client then expecting a WWW-Authenticate header field causing the
+ client to attempt to authenticate again.
+
+ Signed-off-by: John Dennis
+
+diff --git a/auth_mellon_handler.c b/auth_mellon_handler.c
+index a72e1ca..864396f 100644
+--- a/auth_mellon_handler.c
++++ b/auth_mellon_handler.c
+@@ -3625,6 +3625,12 @@ int am_check_uid(request_rec *r)
+ return OK;
+ }
+
++ /* Check that the user has enabled authentication for this directory. */
++ if(dir->enable_mellon == am_enable_off
++ || dir->enable_mellon == am_enable_default) {
++ return DECLINED;
++ }
++
+ #ifdef HAVE_ECP
+ am_req_cfg_rec *req_cfg = am_get_req_cfg(r);
+ if (req_cfg->ecp_authn_req) {
diff --git a/mod_auth_mellon.spec b/mod_auth_mellon.spec
index 928c5d3..b99d234 100644
--- a/mod_auth_mellon.spec
+++ b/mod_auth_mellon.spec
@@ -1,7 +1,7 @@
 Summary: A SAML 2.0 authentication module for the Apache Httpd Server
 Name: mod_auth_mellon
 Version: 0.12.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 Group: System Environment/Daemons
 Source0: https://github.com/UNINETT/mod_auth_mellon/releases/download/v%{version}/%{name}-%{version}.tar.gz
 Source1: auth_mellon.conf
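Review bot: The new enable check sits below the `return OK;` branch visible as leading context, so whatever that branch tests still answers the check_user_id hook with OK for locations where mellon is off or unset; unless that condition already consults `dir->enable_mellon`, the block should move above it so a disabled location is declined before any early OK. `dir` is obtained outside the hunk, and am_check_uid both starts and ends outside it. Only am_enable_off and am_enable_default are treated as disabled, so any other MellonEnable value (an info-only mode, if the enum has one) continues into the HAVE_ECP path and the rest of the hook, which should be deliberate and is worth confirming. A comment stating the contract would help: `/* Mellon off or unset for this location: decline so the auth module configured here can run. */`.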
@@ -19,6 +19,9 @@ Requires: httpd-mmn = %{_httpd_mmn}
 Requires: lasso >= 2.5.0
 Url: https://github.com/UNINETT/mod_auth_mellon
+Patch1: enabled_in_check_uid.patch
+
+
 %description
 The mod_auth_mellon module is an authentication service that implements
 the SAML 2.0 federation protocol. It grants access based on the attributes
@@ -26,6 +29,7 @@ received in assertions generated by a IdP server.
 %prep
 %setup -q -n %{name}-%{version}
+%patch1 -p1
 %build
 export APXS=%{_httpd_apxs}
@@ -67,6 +71,10 @@ install -m 755 %{SOURCE4} %{buildroot}/%{_libexecdir}/%{name}
 %dir /run/%{name}/
 %changelog
+* Tue May 3 2016 John Dennis - 0.12.0-2
+- Resolves: bug #1332729, mellon conflicts with mod_auth_openidc
+- am_check_uid() should be no-op if mellon not enabled
+
 * Wed Mar 9 2016 John Dennis - 0.12.0-1
 - Update to new upstream 0.12.0
 - [CVE-2016-2145] Fix DOS attack (Apache worker process crash) due to