[rancid] Re: No Password required to read Configs.

Omachonu Ogali oogali at gmail.com
Thu Apr 8 16:54:52 UTC 2010


That's not really an easy answer. That completely eliminates the web access
of RANCID, which eliminates the ability to view differences between two
archived configurations.

The real answer is to configure the web server to do the appropriate
authentication and authorization so that a username and password is required
to view configurations. That's something you have to refer to your web
server's documentation for.

oo

2010/4/8 <Dan_Mitton at ymp.gov>

>
> Nicky,
>
> What OS are we talking about?  The easy answer is to remove cvsweb.cgi, but
> if you don't want to do that, make sure that your web server and rancid
> processes run with separate user IDs and that the two cannot read each
> other's files.
>
> Dan
>
>
> Sent by:        rancid-discuss-bounces at shrubbery.net
>
> To:        rancid-discuss at shrubbery.net
> cc:         (bcc: Dan Mitton/YD/RWDOE)
> Subject:        [rancid]  No Password required to read Configs.
>
> LSN: Not Relevant - Not Privileged
> User Filed as: Excl/AdminMgmt-14-4/QA:N/A
>
> Hi All,
>
> We have a Rancid installation on an internal IP.  Everything is pretty much
> default and only our Cisco devices are managed through Rancid.  I just
> noticed a truck-sized hole in my config however.
>
> If you enter http://192.168.32.2/cgi-bin/cvsweb.cgi/ on your browser, you
> can access the config files for all our devices without a password.
>
>
> I have limited the IPs which can reach port 80 but that is far from
> enough.  What must I change to protect this data?  Is there a howto?  Did I
> miss a section of the installation manual?
>
> Nicky.
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
>
>
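
An added example, not part of the original thread: once the web server has been configured as the reply suggests, this check confirms that an unauthenticated request to the cvsweb path is refused. It assumes the server uses HTTP authentication (a 401 challenge); `check_requires_auth`, `_stub_server` and `demo` are hypothetical names, and the local stub server is constructed purely so the check runs offline.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CVSWEB_PATH = "/cgi-bin/cvsweb.cgi/"  # path quoted in the thread

def check_requires_auth(base_url, path=CVSWEB_PATH, timeout=5):
    """GET the path with no credentials and classify the server's answer."""
    # Ignore proxy environment variables: the RANCID host is internal.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(base_url.rstrip("/") + path, timeout=timeout):
            # Redirects are followed, so a form-login redirect also lands here.
            return "open"
    except urllib.error.HTTPError as err:
        challenge = err.headers.get("WWW-Authenticate")
        err.close()
        if err.code == 401 and challenge:
            return "protected"
        return {403: "denied", 404: "absent"}.get(err.code, "error:%d" % err.code)

def _stub_server(require_auth):
    """Constructed stand-in for the web server; accepts any Authorization header."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            ok = not require_auth or self.headers.get("Authorization")
            self.send_response(200 if ok else 401)
            if not ok:
                self.send_header("WWW-Authenticate", 'Basic realm="rancid"')
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep the demo quiet
            pass
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_port

def demo():  # run the check against an open stub and an authenticated stub
    results = {}
    for name, auth in (("default", False), ("with_auth", True)):
        srv, url = _stub_server(auth)
        try:
            results[name] = check_requires_auth(url)
        finally:
            srv.shutdown()
            srv.server_close()
    return results

if __name__ == "__main__":
    print(demo())
```

Run from a host that is allowed to reach port 80, with `base_url` set to your own RANCID server; any result other than "protected", "denied" or "absent" means the configurations are still readable without a password.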