Bug 596112
| Summary: | restrict rights for /server-status and /icons/README files | | |
|---|---|---|---|
| Product: | Red Hat Satellite 5 | Reporter: | Petr Sklenar <psklenar> |
| Component: | Server | Assignee: | Jan Pazdziora (Red Hat) <jpazdziora> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Martin Minar <mminar> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 530 | CC: | cperry, jlieskov, jpazdziora, mkoci, mminar, msuchy, pb |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | spacewalk-config-1.1.5-1 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2010-10-28 14:56:53 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 608752 | | |
Description
Petr Sklenar
2010-05-26 10:43:38 UTC
(In reply to comment #0)
> Description of problem:
> There is some information which is shown to anybody. It would be more secure
> to restrict rights for that.
>
> Version-Release number of selected component (if applicable):
> sat530 + spacewalk10
>
> How reproducible:
> always
>
> Steps to Reproduce:
> 1. go as a non-authenticated user to the www page:
> <FQDN_OF_SATELLITE>/server-status

The reason why we configure server status to be shown is monitoring -- it allows us to then have Satellite's httpd monitored by itself or by other monitoring scouts.

> 2. <FQDN_OF_SATELLITE>/icons/README
> Apache default file found.

I've just tried that; this is the default RHEL httpd behaviour. IOW, even on pure RHEL with httpd and no Satellite nor Spacewalk packages, the /icons/README is accessible. So the second issue is not a Satellite issue.

As for the first issue -- we can certainly remove that

<Location /server-status>
SetHandler server-status
</Location>

part from /etc/rhn/satellite-httpd/conf/rhn/rhn_monitoring.conf but I do not see it as Satellite 5.3.1 material -- if we did that, monitoring could stop working for our customers.

Therefore, moving this bugzilla to sat600-triage. Revert if you disagree.

Taking.

The /server-status issue fixed in Spacewalk master, fe960724e3f85f2d1f17a44459ddb2516c8189d9.

We don't plan to do anything about that /icons/README as it is stock httpd configuration.

A workaround for the server-status is:

```sh
# cat <<END >/etc/httpd/conf.d/yy-server-status-acl.conf
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
</Location>
END
```

Moving ON_QA as Satellite-5.4.0-RHEL5-re20100818.0 contains spacewalk-config-1.1.7-1.el5sat.noarch.rpm.

Verified in Satellite-5.4.0-RHEL5-re20100827.0-x86_64.iso

The 5.4.0 RHN Satellite and RHN Proxy release has occurred. This issue has been resolved with this release.

RHEA-2010:0801 - RHN Satellite Server 5.4.0 Upgrade
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10332

RHEA-2010:0803 - RHN Tools enhancement update
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10333

RHEA-2010:0802 - RHN Proxy Server 5.4.0 bug fix update
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10334

RHEA-2010:0800 - RHN Satellite Server 5.4.0
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10335

Docs are available:
http://docs.redhat.com/docs/en-US/Red_Hat_Network_Satellite/index.html

Regards,
Clifford
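The workaround above relies on Apache merging `<Location>` sections for the same path in configuration order, with the later section's access-control directives overriding the earlier ones; that is why the ACL file is named so that it sorts after the monitoring config in `conf.d`. The following audit script is an added example, not part of the Bugzilla thread or of Satellite/Spacewalk: it reads one or more httpd config files in the order Apache would include them, finds the last `<Location /server-status>` block and reports whether that block denies access (Apache 2.2 `Deny from all`, or the 2.4 equivalent `Require all denied`). The sample config files it writes are constructed to mirror the two blocks quoted in the thread; the file names and the assumption of the standard RHEL layout (`conf.d/*.conf` included in sorted order) are the example's own.

```sh
#!/bin/sh
# Added example (not from the Bugzilla thread): audit httpd configuration for an
# unrestricted <Location /server-status> block. Files are read in the order given,
# which should match the order Apache includes them, because the last block for a
# path determines the effective access control.

# Print the effective state of /server-status across the given config files:
#   "open"       - last <Location /server-status> block has no deny rule
#   "restricted" - last block contains "Deny from all" (2.2) or "Require all denied" (2.4)
#   "absent"     - no such block at all
# Exit status is 1 only for "open", so the function can gate a deployment check.
server_status_state() {
    cat "$@" | awk '
        BEGIN { state = "absent"; inblock = 0; denied = 0 }
        tolower($0) ~ /^[[:space:]]*<location[[:space:]]+\/server-status[[:space:]]*>/ {
            inblock = 1; denied = 0; next
        }
        inblock && tolower($0) ~ /^[[:space:]]*<\/location>/ {
            inblock = 0; state = denied ? "restricted" : "open"; next
        }
        inblock && tolower($0) ~ /^[[:space:]]*deny[[:space:]]+from[[:space:]]+all/ { denied = 1 }
        inblock && tolower($0) ~ /^[[:space:]]*require[[:space:]]+all[[:space:]]+denied/ { denied = 1 }
        END {
            print state
            if (state == "open") exit 1
            exit 0
        }
    '
}

# Constructed sample: the shape of the monitoring config described in the bug,
# which enables the status handler without any access control.
write_open_sample() {
    cat >"$1" <<'END'
<Location /server-status>
    SetHandler server-status
</Location>
END
}

# Constructed sample: the workaround from the bug, which sorts after the
# monitoring config and therefore overrides it.
write_acl_sample() {
    cat >"$1" <<'END'
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
</Location>
END
}

# Stand-alone demonstration: the monitoring config alone is open; with the
# ACL file included after it, the effective state is restricted.
tmp=$(mktemp -d)
write_open_sample "$tmp/rhn_monitoring.conf"
write_acl_sample "$tmp/yy-server-status-acl.conf"
server_status_state "$tmp/rhn_monitoring.conf" || echo "  -> /server-status is exposed"
server_status_state "$tmp/rhn_monitoring.conf" "$tmp/yy-server-status-acl.conf"
rm -rf "$tmp"
```

A block that pairs `Deny from all` with `Allow from 127.0.0.1` (the usual way to keep the self-monitoring the thread mentions while closing the page to everyone else) is reported as restricted, since the check only asks whether anonymous remote access is denied. Run the function over the files in the order Apache includes them; reversing the two sample files makes the open block win and the check fail, which is exactly the ordering mistake the `yy-` prefix avoids.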