[Fedora-directory-commits] adminserver/admserv/cfgstuff admserv.conf, 1.11, 1.12 httpd.conf, 1.6, 1.7
Richard Allen Megginson (rmeggins)
fedora-directory-commits at redhat.com
Wed Dec 7 20:46:13 UTC 2005
Author: rmeggins
Update of /cvs/dirsec/adminserver/admserv/cfgstuff
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv3638/adminserver/admserv/cfgstuff
Modified Files:
admserv.conf httpd.conf
Log Message:
Bug(s) fixed: 174837
Bug Description: CVE-2005-3630 use of IFRAME exposes password from adm.conf for users
Reviewed by: Nathan, Rob C. (Thanks!)
Files: https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=121993
Branch: HEAD
Fix Description: Just use the existing Apache security mechanisms to deny access to everything by default, then allow access to certain directories. In addition, there is a patch file I've checked in which can apply these diffs to an existing FDS 1.0 installation. I've changed the packaging makefile to package the patch file into the setup directory where it will be used to patch an upgrade install of FDS 1.0.1 on top of FDS 1.0.
Platforms tested: Fedora Core 4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
Index: admserv.conf
===================================================================
RCS file: /cvs/dirsec/adminserver/admserv/cfgstuff/admserv.conf,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- admserv.conf 19 Nov 2005 00:43:02 -0000 1.11
+++ admserv.conf 7 Dec 2005 20:46:06 -0000 1.12
@@ -25,7 +25,7 @@
SetEnv ADMSERV_ROOT %%%sroot%%%/admin-serv/config/
ADMCacheLifeTime 600
-ADMServerVersionString "Fedora-Administrator/1.0"
+ADMServerVersionString "Fedora-Administrator/1.0.1"
ScriptAlias /clients/orgchart/bin/ "%%%sroot%%%/clients/orgchart/bin/"
ScriptAlias /clients/dsgw/bin/ "%%%sroot%%%/clients/dsgw/bin/"
@@ -33,6 +33,45 @@
ScriptAlias /dist/ "%%%sroot%%%/dist/"
ScriptAlias /manual/help/ %%%sroot%%%/manual/help/
+# all access is explicitly denied by default in httpd.conf
+# the following Directory directives turn on access for specific
+# directories
+<Directory "%%%sroot%%%/java/">
+ AllowOverride None
+ Options None
+ Order allow,deny
+ Allow from all
+</Directory>
+
+<Directory "%%%sroot%%%/manual/">
+ AllowOverride None
+ Options None
+ Order allow,deny
+ Allow from all
+</Directory>
+
+<Directory "%%%sroot%%%/clients/*/*html/">
+ AllowOverride None
+ Options None
+ Order allow,deny
+ Allow from all
+</Directory>
+
+<Directory "%%%sroot%%%/clients/dsgw/*config/">
+ AllowOverride None
+ Options None
+ Order allow,deny
+ Allow from all
+</Directory>
+
+<Directory "%%%sroot%%%/bin/admin/admin/icons/">
+ AllowOverride None
+ Options None
+ Order allow,deny
+ Allow from all
+</Directory>
+
+# enable access for CGI progs/scripts
<Directory "%%%sroot%%%/clients/orgchart/bin/">
AllowOverride None
Options None
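Review bot: the wildcard blocks `clients/*/*html/` and `clients/dsgw/*config/` re-open every directory matching those patterns, so before merging confirm that none of the matched directories holds files that should stay private (the bug being fixed is exactly a configuration file being served). `Options None` rightly suppresses directory listings in each block, but a short comment naming which client and config directories each pattern is meant to match would make later audits of this allow-list much easier.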
@@ -69,6 +108,8 @@
AuthType basic
AuthName "Admin Server"
Require valid-user
+ Order allow,deny
+ Allow from all
</Location>
# Handle Other Console tasks
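Review bot: the added `Order allow,deny` / `Allow from all` in this `<Location>` restores host-based access alongside the existing `Require valid-user`; with Apache's default `Satisfy All` both checks must pass, so authentication is preserved, but an explicit `Satisfy All` in this and the following `<Location>`/`<LocationMatch>` blocks would make that dependence visible and guard against a `Satisfy Any` introduced elsewhere in the configuration silently turning `Allow from all` into an authentication bypass.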
@@ -79,6 +120,8 @@
Require valid-user
AdminSDK on
Options +ExecCGI
+ Order allow,deny
+ Allow from all
</LocationMatch>
# Handle Admin Express
@@ -90,6 +133,8 @@
AdminSDK on
NESCompatEnv on
Options +ExecCGI
+ Order allow,deny
+ Allow from all
</LocationMatch>
# Handle internal commands
@@ -98,6 +143,8 @@
AuthType basic
AuthName "Admin Server"
Require valid-user
+ Order allow,deny
+ Allow from all
</LocationMatch>
# Handle Stop, Start, Restart, Instance Creation - invoke mod_restartd
@@ -112,4 +159,6 @@
AdminSDK off
Options +ExecCGI
RetainPerms on
+ Order allow,deny
+ Allow from all
</LocationMatch>
Index: httpd.conf
===================================================================
RCS file: /cvs/dirsec/adminserver/admserv/cfgstuff/httpd.conf,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- httpd.conf 3 Nov 2005 23:20:49 -0000 1.6
+++ httpd.conf 7 Dec 2005 20:46:06 -0000 1.7
@@ -248,9 +248,10 @@
#
# Controls who can get stuff from this server.
-#
- Order allow,deny
- Allow from all
+# By default, no one may access anything
+# Access must be explicitly granted in admserv.conf
+ Order deny,allow
+ Deny from all
</Directory>
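Review bot: the enclosing `<Directory>` whose opening line this hunk belongs to is not visible here; assuming it is the server-wide root directory block, `Order deny,allow` plus `Deny from all` turns every path not explicitly re-opened in admserv.conf into a 403, which is the intended default. Two things are worth stating in the comment: that `<Location>` sections are merged after `<Directory>` sections (so the `Allow from all` added in admserv.conf does override this deny), and that anyone adding a new served directory must now add a matching allow block, since the comment on the next line above points only at admserv.conf.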