Bug 609856

This bug appears to have been reported against 'rawhide' during the Fedora 14 development cycle.
Changing version to '14'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

(This is still present in rawhide, so I'm bumping the version back up.)

When I looked into this problem a while ago, I came up with a "blacklist" of things that should never be loaded. Here's a snippet of my httpd.conf

<Directory /var/www/cacti/>
<FilesMatch (cmd|copy_cacti_user|poller|poller_commands|poller_export|poller_reindex_hosts|rebuild_poller_cache|script_server).php>
        order deny,allow
        Deny from all
</FilesMatch>
</Directory>

<Directory /var/www/cacti/scripts>
    order deny,allow
    Deny from all
</Directory>
<Directory /var/www/cacti/include>
    order deny,allow
    Deny from all
    <FilesMatch (.gif|.css|.js)$>
        order allow,deny
        Allow from all
    </FilesMatch>
</Directory>

Feel free to use this for inspiration. You could certainly add /rra and /log to the blacklist.

This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Please test this update.  It's built for F-14, but I'd like it tested before I put it in rawhide or older.

Thanks!

http://zanoni.jcomserv.net/fedora/cacti/cacti-0.8.7g-3.fc14.noarch.rpm

Jon,

I took a look at that RPM. Here are my three suggestions:

1. On the original subject of this bug, I don't see the /log or /rra directories denied anywhere. You should probably insert the following additional sections to /etc/httpd/conf.d/cacti.conf:

<Directory /usr/share/cacti/log>
    order deny,allow
    Deny from all
</Directory>
<Directory /usr/share/cacti/rra>
    order deny,allow
    Deny from all
</Directory>

2. To keep with the "localhost only, out of the box" convention, you should probably modify my suggested configuration from "Allow from all" to "allow from 127.0.0.1" in the /include directory. It would look like this:

<Directory /usr/share/cacti/include>
    order deny,allow
    Deny from all
    <FilesMatch (.gif|.css|.js)$>
        order allow,deny
        Allow from 127.0.0.1
    </FilesMatch>
</Directory>

3. To help out the user, it would be useful to add a note in either README.cacti or etc/httpd/conf.d/cacti.conf (my preference). Something like:

# Users: Change "Allow from 127.0.0.1" to open up cacti to other network devices. For example, change "Allow from 127.0.0.1" to "Allow from all".
# The sections marked "deny from all" should not be modified. These are in place in order to harden cacti.

Initial fix committed in 236450cab3.

cacti-0.8.7h-2.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/cacti-0.8.7h-2.fc16

cacti-0.8.7h-2.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

cacti-0.8.7i-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/cacti-0.8.7i-1.el6

cacti-0.8.7i-1.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/cacti-0.8.7i-1.el5

cacti-0.8.7i-1.el4 has been submitted as an update for Fedora EPEL 4.
https://admin.fedoraproject.org/updates/cacti-0.8.7i-1.el4

cacti-0.8.7i-2.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

cacti-0.8.7i-2.el4.1 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.

cacti-0.8.7i-2.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.