[rancid] Re: No Password required to read Configs.
nickyicebrown at gmail.com
Thu Apr 8 17:07:42 UTC 2010
The OS is Linux. CentOS. The Webserver is the Apache that ships with that
distribution. Again, pretty much the default installation.
Linux-: 2.6.18-128.el5 #1 SMP Wed Jan 21 10:44:23 EST 2009 i686 i686 i386
# /usr/sbin/httpd -v
Server version: Apache/2.2.3
Server built: Jul 14 2009 06:04:04
I have removed cvsweb.cgi and stopped sweating as nobody has access to the
system via http right now.
Some of our admins will need such access however so any further information
would be helpful. Even if it's "Go ask on the foobar list instead."
On Thu, Apr 8, 2010 at 12:43 PM, <Dan_Mitton at ymp.gov> wrote:
> What OS are we talking about? The easy answer is to remove cvsweb.cgi, but
> if you don't want to do that, make sure that your web server and rancid
> processes run with separate user IDs and that the two cannot read each
> other's files.
> Hi All,
> We have a Rancid installation on an internal IP. Everything is pretty much
> default and only our Cisco devices are managed through Rancid. I just
> noticed a truck sized hole in my config however.
> If you enter http://192.168.32.2/cgi-bin/cvsweb.cgi/
> on your browser, you can access the config files for all our devices
> without a password.
> I have limited the IPs which can reach port 80 but that is far from
> enough. What must I change to protect this data? Is there a howto? Did I
> miss a section of the installation manual?
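A way to check the second half of Dan's advice (that the httpd account cannot read rancid's files), as an added example that is not part of the thread and not rancid's own code: it audits a CVS tree for entries readable by "other", which is where the web server lands once it runs under its own UID and outside rancid's group, then strips those bits. The repository path and the demo files are constructed for the example.

```sh
#!/bin/sh
# Added example: audit a rancid CVS tree for entries the web-server account
# could read, then tighten them. Assumes httpd runs as a separate user that
# is NOT a member of rancid's group, so it matches the "other" permission class.

# Print every regular file or directory under $1 that is readable by "other".
# Any hit is a device config (or a directory listing) another UID can read.
find_world_readable() {
    find "$1" \( -type f -o -type d \) -perm -o=r -print | sort
}

# Count the hits without leading whitespace (BSD wc pads its output).
count_world_readable() {
    find_world_readable "$1" | wc -l | tr -d ' '
}

# Drop read/write/execute for "other" across the whole tree so only the
# rancid user and its group keep access. Fails if anything is still exposed.
lock_down_tree() {
    chmod -R o-rwx "$1"
    [ "$(count_world_readable "$1")" -eq 0 ]
}

# Constructed demo tree standing in for a rancid repository; the secret
# line is a made-up placeholder, not a real hash.
demo_setup() {
    dir=$(mktemp -d)                              # mktemp creates it 0700
    mkdir -p "$dir/routers/configs"
    chmod 0755 "$dir/routers" "$dir/routers/configs"   # exposed dirs
    printf 'enable secret 5 PLACEHOLDER\n' > "$dir/routers/configs/core-rtr1,v"
    chmod 0644 "$dir/routers/configs/core-rtr1,v"      # exposed file
    printf 'private\n' > "$dir/routers/.cvspass"
    chmod 0600 "$dir/routers/.cvspass"                 # already restricted
    echo "$dir"
}
```

Run `demo_setup`, feed the printed path to `count_world_readable` and `lock_down_tree`; on a real install point them at rancid's CVS directory instead and re-run the count after the chmod.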