[Pkg-nagios-devel] Bug#960675: Default apache.conf has broken authentication

Sven Bartscher sven.bartscher at credativ.de
Fri May 15 10:52:43 BST 2020

Package: icinga-cgi
Version: 1.14.2+ds-1
Severity: normal

In previous versions the shipped default apache2.conf contained these
authorization related directives:

Order Allow,Deny
Allow From all
Require valid-user

This had the effect that user had to authenticate (be a `valid-user`)
to access the web interface. However, in the version this bug applies
to, the `Order` and `Allow` directives have been replaced by a single
`Require all granted` directive. Now the two `Require' directives
interact differently, than was previously intended. Instead of
requiring a `valid-user` the `all granted` now takes precedence and
users aren't required to authenticate.

I'm aware this probably won't get fixed, because the icinga package
was removed from unstable. I'm just filing this bug to document it for
anyone who might come across this problem.


-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-debug
  APT policy: (990, 'testing-debug'), (990, 'testing'), (102, 'unstable-debug'), (102, 'unstable'), (101, 'experimental-debug'), (101, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=de_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

More information about the Pkg-nagios-devel mailing list