Bug 47244 - Replace "Order allow/deny" Apache config directive with "Require all granted/…"
Status: REOPENED
Product: UCS
Classification: Unclassified
Component: Apache
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.2
Assigned To: UMC maintainers
Reported: 2018-06-25 15:55 CEST by Valentin Heidelberger
Modified: 2023-09-26 11:00 CEST (History)
What kind of report is it?: Development Internal
Bug group (optional): API change, Cleanup
Description Valentin Heidelberger univentionstaff 2018-06-25 15:55:23 CEST
The UCR template for /etc/apache2/sites-available/univention-saml.conf uses both old Apache 2.2 and new Apache 2.4 access control syntax.

"Mixing old directives like Order, Allow or Deny with new ones like Require is technically possible but discouraged. mod_access_compat was created to support configurations containing only old directives to facilitate the 2.4 upgrade. Please check the examples below to get a better idea about issues that might arise."
Quote from: https://httpd.apache.org/docs/current/upgrading.html

The diff for new Apache 2.4 syntax looks as follows:

@@ -28,8 +28,7 @@
        </FilesMatch>
        Action php-cgi /saml-bin/php-cgi
 
-       Order allow,deny
-       Allow from all
+       Require all granted
 </Directory>
 <Directory /var/www/saml/>
        Options -Indexes
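
Review bot: coverage of the remaining 2.2-style directives is not shown. The replacement with `Require all granted` applies only to the block that ends at `</Directory>`, and the following `<Directory /var/www/saml/>` block is visible only up to `Options -Indexes`, so the diff does not tell whether that block or the rest of the template still carries `Order`, `Allow` or `Deny`. Since the report says the template uses both syntaxes, either add the remaining hunks or state that this was the only old-style occurrence, so that no section is left mixing the two. The hunk also has no `---`/`+++` file header; naming the template path would make the patch applicable as posted.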
Comment 1 Mika Westphal univentionstaff 2023-01-26 13:18:03 CET
This is not as simple as it seems, because we don't have a drop-in replacement for the line "Order allow,deny".

The apache2 documentation says "Mixing old directives like Order, Allow or Deny with new ones like Require is technically possible but discouraged. mod_access_compat was created to support configurations containing only old directives to facilitate the 2.4 upgrade. Please check the examples below to get a better idea about issues that might arise.".

This is a problem, because we have a UCR variable named "apache2/proxy/access/order", which is for setting this exact line which we should not mix with "Require".

In UCS, we use the UCR variable in the following source files:
- services/univention-apache/conffiles/etc/apache2/mods-available/proxy.conf
- services/univention-apache/debian/univention-apache.univention-config-registry
- services/univention-apache/debian/univention-apache.univention-config-registry-variables

In UCS, we use the Order instruction in the following source files:
- saml/univention-saml/conffiles/etc/apache2/sites-available/univention-saml.conf
- services/univention-apache/conffiles/etc/apache2/conf-available/ucs.conf
- services/univention-apache/conffiles/etc/apache2/mods-available/proxy.conf
- services/univention-printserver/conffiles/etc/cups/cupsd.conf.d/01cupsd-base
- services/univention-printserver/conffiles/etc/cups/cupsd.conf.d/02cups-access-limit
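
A check for the mixing described in Comment 1, added here as an example (not part of the bug report or of UCS): it lists every configuration section that still uses mod_access_compat directives and says whether `Require` appears in the same section. It assumes rendered Apache configuration text rather than a UCR template; `audit`, `SAMPLE` and the sample paths are constructed for illustration.

```python
import re

# Directives handled by mod_access_compat (2.2 style); Require is mod_authz_core (2.4 style).
LEGACY = {"order", "allow", "deny", "satisfy"}
OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"<\s*/\s*\w+\s*>")

def audit(conf_text):
    """Return (section, legacy line numbers, Require line numbers, verdict) per affected section."""
    top = {"name": "(top level)", "legacy": [], "modern": []}
    stack, sections = [top], [top]
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN.match(line)
        word = line.split()[0].lower()
        if CLOSE.match(line):
            if len(stack) > 1:
                stack.pop()
        elif opened and opened.group(1).lower().startswith("require"):
            stack[-1]["modern"].append(lineno)  # <RequireAll> etc. count for the enclosing section
            stack.append(stack[-1])
        elif opened:
            stack.append({"name": f"<{opened.group(1)} {opened.group(2).strip()}>", "legacy": [], "modern": []})
            sections.append(stack[-1])
        elif word in LEGACY:
            stack[-1]["legacy"].append(lineno)
        elif word == "require":
            stack[-1]["modern"].append(lineno)
    return [(s["name"], s["legacy"], s["modern"], "mixed" if s["modern"] else "legacy-only")
            for s in sections if s["legacy"]]  # sections using only Require need no change

# Constructed sample configuration, not taken from the UCS templates.
SAMPLE = """\
<Directory /srv/example/a/>
    Order allow,deny
    Allow from all
    <RequireAny>
        Require ip 192.0.2.0/24
    </RequireAny>
</Directory>
<Directory /srv/example/b/>
    Require all granted
</Directory>
<Location /example-c>
    Order deny,allow
</Location>
"""
```

Sections reported as "mixed" are the ones the Apache upgrade notes warn about; "legacy-only" sections still depend on mod_access_compat and are candidates for conversion.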
Comment 2 Florian Best univentionstaff 2023-09-26 11:00:48 CEST
A draft MR was: https://git.knut.univention.de/univention/ucs/-/merge_requests/599