Description of problem:
There is some information which is shown to anybody. It would be more secure to restrict rights for that.

Version-Release number of selected component (if applicable):
sat530 + spacewalk10

How reproducible:
always

Steps to Reproduce:
1. go as a non-authenticated user to www page: <FQDN_OF_SATELLITE>/server-status
2. <FQDN_OF_SATELLITE>/icons/README
Apache default file found.

Actual results:
This reveals Apache information. Comment out the appropriate line in httpd.conf or restrict access to allowed hosts.

Expected results:
It is not shown to any non-authenticated user.

Additional info:
(In reply to comment #0)
> Description of problem:
> There is some information which is shown to anybody. It would be more secure to
> restrict rights for that.
>
> Version-Release number of selected component (if applicable):
> sat530 + spacewalk10
>
> How reproducible:
> always
>
> Steps to Reproduce:
> 1. go as a non-authenticated user to www page:
> <FQDN_OF_SATELLITE>/server-status

The reason why we configure server status to be shown is monitoring -- it allows us to then have Satellite's httpd monitored by itself or by other monitoring scouts.

> 2. <FQDN_OF_SATELLITE>/icons/README
> Apache default file found.

I've just tried it, and this is the default RHEL httpd behaviour. IOW, even on pure RHEL with httpd and no Satellite nor Spacewalk packages, the /icons/README is accessible. So the second issue is not a Satellite issue.

As for the first issue -- we can certainly remove that

    <Location /server-status>
        SetHandler server-status
    </Location>

part from /etc/rhn/satellite-httpd/conf/rhn/rhn_monitoring.conf, but I do not see it as Satellite 5.3.1 material -- if we did that, monitoring could stop working for our customers.

Therefore, moving this bugzilla to sat600-triage. Revert if you disagree.
Taking.
The /server-status issue is fixed in Spacewalk master, fe960724e3f85f2d1f17a44459ddb2516c8189d9. We don't plan to do anything about that /icons/README as it is stock httpd configuration.
A workaround for the server-status is:

# cat <<END >/etc/httpd/conf.d/yy-server-status-acl.conf
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
</Location>
END
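Added example, not part of this bug thread and not Spacewalk or Satellite code: a small shell audit that writes the open `<Location /server-status>` block quoted in comment #1 and a restricted variant side by side, then checks each for a `Deny from all` baseline. The restricted variant keeps the monitoring use case from comment #1 working by allowing only localhost and a monitoring host; the monitoring address 192.0.2.10, the temporary file names and the function names are assumptions made for this example. It uses the Apache 2.2 `Order`/`Deny`/`Allow` syntax that the RHEL 5 builds in this report run.

```shell
#!/bin/sh
# Added example (not from the bug report): audit httpd config fragments for an
# unrestricted /server-status handler, and show the restricted form that still
# lets named monitoring hosts reach it.

# Constructed sample 1: the open block shipped in rhn_monitoring.conf as quoted
# in comment #1. Written to a temp file; the path is an assumption.
OPEN_CONF=$(mktemp)
cat <<'END' >"$OPEN_CONF"
<Location /server-status>
    SetHandler server-status
</Location>
END

# Constructed sample 2: deny everyone, then allow only localhost (so httpd can
# monitor itself) and the monitoring scout. 192.0.2.10 is a placeholder.
# With "Order deny,allow" the Allow lines override the Deny for those hosts.
RESTRICTED_CONF=$(mktemp)
cat <<'END' >"$RESTRICTED_CONF"
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 192.0.2.10
</Location>
END

# server_status_is_restricted FILE
# Returns 0 when every <Location /server-status> block in FILE carries
# "Deny from all", 1 when at least one such block is reachable by anybody.
# It checks only for that deny-all baseline, not the full Order semantics.
server_status_is_restricted() {
    awk '
        tolower($0) ~ /^[[:space:]]*<location[[:space:]]+\/server-status[[:space:]]*>/ {
            inblock = 1; denied = 0; next
        }
        inblock && tolower($0) ~ /^[[:space:]]*deny[[:space:]]+from[[:space:]]+all/ {
            denied = 1
        }
        inblock && tolower($0) ~ /^[[:space:]]*<\/location>/ {
            if (!denied) open = 1
            inblock = 0
        }
        END { exit (open ? 1 : 0) }
    ' "$1"
}

# server_status_state FILE: prints "open" or "restricted" for a config file.
server_status_state() {
    if server_status_is_restricted "$1"; then
        echo restricted
    else
        echo open
    fi
}

# probe_server_status FQDN: reproduces step 1 of the report against a live host
# and prints the HTTP status code (200 = exposed, 403 = denied). Needs network
# access and is not invoked here; add --cacert for a self-signed Satellite cert.
probe_server_status() {
    curl -s -o /dev/null -w '%{http_code}\n' "https://$1/server-status"
}

echo "open sample:       $(server_status_state "$OPEN_CONF")"
echo "restricted sample: $(server_status_state "$RESTRICTED_CONF")"
```

On Apache 2.4 (RHEL 7 and later) the same intent is expressed with `Require local` and `Require ip 192.0.2.10` instead of `Order`/`Deny`/`Allow`, so the check above would need a second pattern for `Require` before being reused there.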
Moving ON_QA as Satellite-5.4.0-RHEL5-re20100818.0 contains spacewalk-config-1.1.7-1.el5sat.noarch.rpm.
Verified in Satellite-5.4.0-RHEL5-re20100827.0-x86_64.iso
The 5.4.0 RHN Satellite and RHN Proxy release has occurred. This issue has been resolved with this release.

RHEA-2010:0801 - RHN Satellite Server 5.4.0 Upgrade
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10332

RHEA-2010:0803 - RHN Tools enhancement update
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10333

RHEA-2010:0802 - RHN Proxy Server 5.4.0 bug fix update
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10334

RHEA-2010:0800 - RHN Satellite Server 5.4.0
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10335

Docs are available:
http://docs.redhat.com/docs/en-US/Red_Hat_Network_Satellite/index.html

Regards,
Clifford