Bug 1180746 - [RFE] Symbolic links should not point to a file outside the document root
Summary: [RFE] Symbolic links should not point to a file outside the document root
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.4.0
Hardware: Unspecified
OS: Unspecified
high
low
Target Milestone: GA
: 5.4.0
Assignee: Joe Rafaniello
QA Contact: Pete Savage
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-01-09 21:27 UTC by Jared Deubel
Modified: 2019-07-11 08:31 UTC (History)
9 users

Fixed In Version: 5.4.0.0.11
Doc Type: Enhancement
Doc Text:
This version of CloudForms Management Engine removes all symbolic links in the HTTPD document root that were pointing to files outside the HTTPD document root. This feature enhances the security standards.
Clone Of:
Environment:
Last Closed: 2015-06-16 12:47:27 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:
Embargoed:




Links
System: Red Hat Product Errata
ID: RHBA-2015:1100
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: CFME 5.4.0 bug fixes, and enhancement update
Last Updated: 2015-06-16 16:28:42 UTC

Comment 9 Joe Rafaniello 2015-04-17 19:40:17 UTC
Pete, can you confirm making the change in this PR doesn't blow things up?

https://github.com/ManageIQ/manageiq/pull/2669


diff --git a/system/COPY/etc/httpd/conf.d/cfme-http.conf b/system/COPY/etc/httpd/conf.d/cfme-http.conf
index e49514b..475962d 100644
--- a/system/COPY/etc/httpd/conf.d/cfme-http.conf
+++ b/system/COPY/etc/httpd/conf.d/cfme-http.conf
@@ -5,7 +5,7 @@ Timeout 120

 # Disable this section if using HTTP only
 RewriteEngine On
-Options +FollowSymlinks
+Options SymLinksIfOwnerMatch

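Review bot: `Options SymLinksIfOwnerMatch` without a leading `+` is the absolute form of the directive, which replaces every option in effect for this scope instead of merging one in (the removed line used the relative `+` form), so any other options that applied here are silently cleared; if only the symlink behaviour is meant to change, `Options -FollowSymLinks +SymLinksIfOwnerMatch` leaves the rest intact. It is also worth stating in the commit message that this does not confine links to the document root as the bug title asks: httpd will still follow a link whenever the link and its target have the same owner, wherever the target lives, and it refuses same-directory links whose owner differs. Finally, httpd must lstat() every path component to enforce this option, so a quick request-latency comparison after the restart belongs in the verification.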

Restart apache and verify things start up and it should be good.

Comment 10 CFME Bot 2015-04-20 13:42:56 UTC
New commit detected on manageiq/master:
https://github.com/ManageIQ/manageiq/commit/692507edd4a28248f86182aa11aa7901e1464472

commit 692507edd4a28248f86182aa11aa7901e1464472
Author:     Joe Rafaniello <jrafanie>
AuthorDate: Fri Apr 17 15:33:38 2015 -0400
Commit:     Joe Rafaniello <jrafanie>
CommitDate: Fri Apr 17 15:34:42 2015 -0400

    Only allow symlinks in apache if the owners match.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1180746
    
    [skip ci]

 system/COPY/etc/httpd/conf.d/cfme-http.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 12 Joe Rafaniello 2015-05-20 15:28:23 UTC
Pete, can you verify that /etc/httpd/conf.d/cfme-http.conf has the changes mentioned in comment 9? I'm not sure how to verify this bug any further.

Comment 13 Pete Savage 2015-06-03 06:23:02 UTC
The file is in place and the appliance is working, so I am verifying this.

Verified in 5.4.0.4

Comment 15 errata-xmlrpc 2015-06-16 12:47:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1100.html

