
Bug 596112

Summary: restrict rights for /server-status and /icons/README files
Product: Red Hat Satellite 5
Reporter: Petr Sklenar <psklenar>
Component: Server
Assignee: Jan Pazdziora <jpazdziora>
Status: CLOSED CURRENTRELEASE
QA Contact: Martin Minar <mminar>
Severity: medium
Priority: medium
Version: 530
CC: cperry, jlieskov, jpazdziora, mkoci, mminar, msuchy, pb
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: spacewalk-config-1.1.5-1
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2010-10-28 14:56:53 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 608752

Description Petr Sklenar 2010-05-26 10:43:38 UTC
Description of problem:
There is some information which is shown to anybody. It would be more secure to restrict rights for that.

Version-Release number of selected component (if applicable):
sat530 + spacewalk10

How reproducible:
always

Steps to Reproduce:
1. Go as a non-authenticated user to the www page:
<FQDN_OF_SATELLITE>/server-status

2. <FQDN_OF_SATELLITE>/icons/README
Apache default file found.


Actual results:
This reveals Apache information. Comment out appropriate line in httpd.conf or restrict access to allowed hosts.

Expected results:
It's not shown to any non-authenticated user.

Additional info:

Comment 2 Jan Pazdziora 2010-05-27 13:05:00 UTC
(In reply to comment #0)
> Description of problem:
> There is some information which is shown to anybody. It would be more secure to
> restrict rights for that.
> 
> Version-Release number of selected component (if applicable):
> sat530 + spacewalk10
> 
> How reproducible:
> always
> 
> Steps to Reproduce:
> 1. Go as a non-authenticated user to the www page:
> <FQDN_OF_SATELLITE>/server-status

The reason why we configure server status to be shown is monitoring -- it allows us to then have Satellite's httpd monitored by itself or by other monitoring scouts.

> 2. <FQDN_OF_SATELLITE>/icons/README
> Apache default file found.

I've just checked that this is the default RHEL httpd behaviour. IOW, even on pure RHEL with httpd and no Satellite nor Spacewalk packages, the /icons/README is accessible.

So the second issue is not a Satellite issue.

As for the first issue -- we can certainly remove that

<Location /server-status>
        SetHandler server-status
</Location>

part from /etc/rhn/satellite-httpd/conf/rhn/rhn_monitoring.conf but I do not see it as Satellite 5.3.1 material -- if we did that, monitoring could stop working for our customers.

Therefore, moving this bugzilla to sat600-triage.

Revert if you disagree.

Comment 4 Jan Pazdziora 2010-07-20 14:15:00 UTC
Taking.

Comment 6 Jan Pazdziora 2010-07-20 14:20:16 UTC
The /server-status issue fixed in Spacewalk master, fe960724e3f85f2d1f17a44459ddb2516c8189d9.

We don't plan to do anything about that /icons/README as it is stock httpd configuration.

Comment 7 Peter Bieringer 2010-08-03 15:56:03 UTC
A workaround for the server-status is:

# cat <<END >/etc/httpd/conf.d/yy-server-status-acl.conf
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
</Location>
END
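An added audit script, not from this bug report nor from Spacewalk: it scans httpd configuration text for Location blocks that enable mod_status and reports which of them carry no access restriction. The two sample configs are constructed from the open block that comment 2 describes in rhn_monitoring.conf and the workaround from comment 7; the Allow from 127.0.0.1 line in the second sample is an assumption added so that the self-monitoring comment 2 mentions keeps working.

```python
import re
from typing import Dict, List

# Constructed sample: the open block comment 2 describes in rhn_monitoring.conf.
OPEN_CONF = """\
<Location /server-status>
        SetHandler server-status
</Location>
"""

# Constructed sample: the workaround from comment 7, plus an assumed
# "Allow from 127.0.0.1" so the Satellite can still monitor its own httpd.
RESTRICTED_CONF = """\
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
"""

# Directives that actually limit who may reach the block: Apache 2.2 "Deny from"
# and the restrictive Apache 2.4 "Require" forms. "Allow from all" and
# "Require all granted" deliberately do not count.
RESTRICTIVE = re.compile(
    r"^\s*(Deny\s+from|Require\s+(ip|local|host|not|valid-user|user|group|all\s+denied))\b",
    re.IGNORECASE | re.MULTILINE,
)
LOCATION = re.compile(r"<Location\s+([^>\s]+)\s*>(.*?)</Location>", re.IGNORECASE | re.DOTALL)
STATUS_HANDLER = re.compile(r"^\s*SetHandler\s+server-status\b", re.IGNORECASE | re.MULTILINE)


def audit_server_status(config_text: str) -> List[Dict[str, object]]:
    """One finding per <Location> block that enables mod_status, flagging whether
    the block contains any directive that restricts access to it."""
    findings = []
    for match in LOCATION.finditer(config_text):
        path, body = match.group(1).strip('"'), match.group(2)
        if not STATUS_HANDLER.search(body):
            continue
        findings.append({"path": path, "restricted": bool(RESTRICTIVE.search(body))})
    return findings


def exposed_paths(config_text: str) -> List[str]:
    """Paths whose server-status block is reachable by anyone."""
    return [f["path"] for f in audit_server_status(config_text) if not f["restricted"]]
```

Run it over the concatenated contents of httpd.conf and conf.d/*.conf; a non-empty result from exposed_paths means the status page is served without any host or user restriction.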

Comment 9 Jan Pazdziora 2010-08-19 09:59:10 UTC
Moving ON_QA as Satellite-5.4.0-RHEL5-re20100818.0 contains spacewalk-config-1.1.7-1.el5sat.noarch.rpm.

Comment 10 Martin Minar 2010-09-03 12:39:02 UTC
Verified in Satellite-5.4.0-RHEL5-re20100827.0-x86_64.iso

Comment 12 Clifford Perry 2010-10-28 14:52:02 UTC
The 5.4.0 RHN Satellite and RHN Proxy release has occurred. This issue has been resolved with this release. 


RHEA-2010:0801 - RHN Satellite Server 5.4.0 Upgrade
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10332

RHEA-2010:0803 - RHN Tools enhancement update
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10333

RHEA-2010:0802 - RHN Proxy Server 5.4.0 bug fix update
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10334

RHEA-2010:0800 - RHN Satellite Server 5.4.0
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10335

Docs are available:

http://docs.redhat.com/docs/en-US/Red_Hat_Network_Satellite/index.html 

Regards,
Clifford