Bug 596112 - restrict rights for /server-status and /icons/README files
Summary: restrict rights for /server-status and /icons/README files
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Version: 530
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jan Pazdziora
QA Contact: Martin Minar
URL:
Whiteboard:
Depends On:
Blocks: sat540-canfix
Reported: 2010-05-26 10:43 UTC by Petr Sklenar
Modified: 2016-07-04 00:55 UTC (History)
CC List: 7 users

Fixed In Version: spacewalk-config-1.1.5-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-10-28 14:56:53 UTC
Target Upstream Version:



Description Petr Sklenar 2010-05-26 10:43:38 UTC
Description of problem:
There is some information which is shown to anybody. It would be more secure to restrict right for that.

Version-Release number of selected component (if applicable):
sat530 + spacewalk10

How reproducible:
always

Steps to Reproduce:
1. Go as a non-authenticated user to the web page:
<FQDN_OF_SATELLITE>/server-status

2. <FQDN_OF_SATELLITE>/icons/README
Apache default file found.


Actual results:
This reveals Apache information. Comment out the appropriate line in httpd.conf or restrict access to allowed hosts.

Expected results:
It's not shown to any non-authenticated user.

Additional info:

Comment 2 Jan Pazdziora 2010-05-27 13:05:00 UTC
(In reply to comment #0)
> Description of problem:
> There is some information which is shown to anybody. It would be more secure to
> restrict right for that.
> 
> Version-Release number of selected component (if applicable):
> sat530 + spacewalk10
> 
> How reproducible:
> always
> 
> Steps to Reproduce:
> 1. go like a non authenticated user to www page:
> <FQDN_OF_SATELLITE>/server-status

The reason why we configure server status to be shown is monitoring -- it allows us to then have Satellite's httpd monitored by itself or by other monitoring scouts.

> 2. <FQDN_OF_SATELLITE>/icons/README
> Apache default file found.

I've just tried it, and this is the default RHEL httpd behaviour. IOW, even on pure RHEL with httpd and no Satellite nor Spacewalk packages, the /icons/README is accessible.

So the second issue is not a Satellite issue.

As for the first issue -- we can certainly remove that

<Location /server-status>
        SetHandler server-status
</Location>

part from /etc/rhn/satellite-httpd/conf/rhn/rhn_monitoring.conf but I do not see it as Satellite 5.3.1 material -- if we did that, monitoring could stop working for our customers.

Therefore, moving this bugzilla to sat600-triage.

Revert if you disagree.

Comment 4 Jan Pazdziora 2010-07-20 14:15:00 UTC
Taking.

Comment 6 Jan Pazdziora 2010-07-20 14:20:16 UTC
The /server-status issue fixed in Spacewalk master, fe960724e3f85f2d1f17a44459ddb2516c8189d9.

We don't plan to do anything about that /icons/README as it is stock httpd configuration.

Comment 7 Peter Bieringer 2010-08-03 15:56:03 UTC
A workaround for the server-status is:

# cat <<END >/etc/httpd/conf.d/yy-server-status-acl.conf
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
</Location>
END
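
Both the monitoring-driven <Location /server-status> block quoted in comment 2 and the deny-all workaround in comment 7 come down to one question: does the block that enables mod_status also restrict who can reach it? The script below is an added example for this bug, not code from the report or from Spacewalk/Satellite. It audits httpd configuration text for Location blocks that set `SetHandler server-status` without an effective access restriction, recognising both the httpd 2.2 Order/Deny/Allow syntax used here and the httpd 2.4 Require syntax. All configuration text embedded in it is constructed for the example: the first sample mirrors the block quoted in comment 2, the second the workaround in comment 7, the third an assumed variant that keeps the handler reachable from localhost for self-monitoring, and the fourth a 2.4-style block that is still wide open.

```python
"""Audit httpd configuration text for unrestricted mod_status handlers.

Added example for this bug report; not code from Spacewalk or Satellite.
It finds <Location> blocks that `SetHandler server-status` and reports the
ones without an effective access restriction.  httpd 2.2 (Order/Deny/Allow)
and httpd 2.4 (Require) access syntax are both recognised.  Every
configuration snippet in this file is constructed for the example.
"""
import re
from typing import List

# One <Location PATH> ... </Location> block, case-insensitive, spanning lines.
LOCATION_RE = re.compile(
    r"<Location\s+(?P<path>[^\s>]+)\s*>(?P<body>.*?)</Location\s*>",
    re.IGNORECASE | re.DOTALL,
)


def parse_location_blocks(config_text: str) -> List[dict]:
    """Return one record per <Location> block: path, handler and access lines."""
    blocks = []
    for match in LOCATION_RE.finditer(config_text):
        handler = None
        access: List[str] = []
        for raw in match.group("body").splitlines():
            line = raw.split("#", 1)[0].strip()      # drop comment lines and blanks
            if not line:
                continue
            words = line.split()
            key = words[0].lower()
            if key == "sethandler" and len(words) > 1:
                handler = words[1].lower()
            elif key in ("order", "deny", "allow", "require"):
                access.append(" ".join(words).lower())  # normalise spacing and case
        blocks.append({"path": match.group("path"), "handler": handler, "access": access})
    return blocks


def is_restricted(access: List[str]) -> bool:
    """True if the normalised access directives limit who may reach the block."""
    requires = [a for a in access if a.startswith("require ")]
    if requires:
        # httpd 2.4: any Require other than a blanket "all granted" restricts.
        return not any(a == "require all granted" for a in requires)
    order = "deny,allow"                 # httpd 2.2 default when Order is absent
    for a in access:
        if a.startswith("order "):
            order = a.split()[1]
    deny_all = "deny from all" in access
    allow_all = "allow from all" in access
    if order == "allow,deny":
        # Default verdict is deny; only "Allow from all" opens the block, and
        # even that is overridden by "Deny from all" since Deny is applied last.
        return deny_all or not allow_all
    # deny,allow: default verdict is allow and Allow lines override Deny lines,
    # so only "Deny from all" without "Allow from all" actually closes it.
    return deny_all and not allow_all


def find_unrestricted_status(config_text: str) -> List[str]:
    """Paths of server-status Location blocks that any client may reach."""
    return [
        block["path"]
        for block in parse_location_blocks(config_text)
        if block["handler"] == "server-status" and not is_restricted(block["access"])
    ]


# Constructed sample 1: the rhn_monitoring.conf block quoted in comment 2.
SAMPLE_OPEN = """
<Location /server-status>
        SetHandler server-status
</Location>
"""

# Constructed sample 2: the deny-all workaround from comment 7.
SAMPLE_WORKAROUND = """
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
</Location>
"""

# Constructed sample 3 (assumption): handler kept for a scout on localhost only.
SAMPLE_LOCALHOST = """
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    # monitoring scout running on the Satellite itself
    Allow from 127.0.0.1
</Location>
<Location /icons>
    Options Indexes
</Location>
"""

# Constructed sample 4: httpd 2.4 syntax that still leaves the handler wide open.
SAMPLE_24_OPEN = """
<Location /server-status>
    SetHandler server-status
    Require all granted
</Location>
"""

if __name__ == "__main__":
    for name, text in [("open", SAMPLE_OPEN), ("workaround", SAMPLE_WORKAROUND),
                       ("localhost", SAMPLE_LOCALHOST), ("2.4-open", SAMPLE_24_OPEN)]:
        print(f"{name:11s} unrestricted: {find_unrestricted_status(text)}")
```

The third sample is the usual middle ground when the handler has to stay available for monitoring: keep `Deny from all` and add `Allow from` lines for the monitoring hosts (127.0.0.1 for a scout on the Satellite itself; which hosts those are in a given deployment is an assumption here). Note that `/icons/README` is served through the stock httpd alias configuration rather than a Location block, so this script does not cover that part of the report.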

Comment 9 Jan Pazdziora 2010-08-19 09:59:10 UTC
Moving ON_QA as Satellite-5.4.0-RHEL5-re20100818.0 contains spacewalk-config-1.1.7-1.el5sat.noarch.rpm.

Comment 10 Martin Minar 2010-09-03 12:39:02 UTC
Verified in Satellite-5.4.0-RHEL5-re20100827.0-x86_64.iso

Comment 12 Clifford Perry 2010-10-28 14:52:02 UTC
The 5.4.0 RHN Satellite and RHN Proxy release has occurred. This issue has been resolved with this release. 


RHEA-2010:0801 - RHN Satellite Server 5.4.0 Upgrade
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10332

RHEA-2010:0803 - RHN Tools enhancement update
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10333

RHEA-2010:0802 - RHN Proxy Server 5.4.0 bug fix update
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10334

RHEA-2010:0800 - RHN Satellite Server 5.4.0
https://rhn.redhat.com/rhn/errata/details/Details.do?eid=10335

Docs are available:

http://docs.redhat.com/docs/en-US/Red_Hat_Network_Satellite/index.html 

Regards,
Clifford

