[Fedora-directory-commits] adminserver/admserv/cfgstuff admserv.conf, 1.11, 1.12 httpd.conf, 1.6, 1.7

Richard Allen Megginson (rmeggins) fedora-directory-commits at redhat.com
Wed Dec 7 20:46:13 UTC 2005


Author: rmeggins

Update of /cvs/dirsec/adminserver/admserv/cfgstuff
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv3638/adminserver/admserv/cfgstuff

Modified Files:
	admserv.conf httpd.conf 
Log Message:
Bug(s) fixed: 174837
Bug Description: CVE-2005-3630 use of IFRAME exposes password from adm.conf for users
Reviewed by: Nathan, Rob C. (Thanks!)
Files: https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=121993
Branch: HEAD
Fix Description: Just use the existing Apache security mechanisms to deny access to everything by default, then allow access to certain directories.  In addition, there is a patch file I've checked in which can apply these diffs to an existing FDS 1.0 installation.  I've changed the packaging makefile to package the patch file into the setup directory where it will be used to patch an upgrade install of FDS 1.0.1 on top of FDS 1.0.
Platforms tested: Fedora Core 4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
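
The deny-by-default approach in the Fix Description means every ScriptAlias target must be covered by an allowing <Directory> block, or it silently starts answering 403 after the upgrade. The following is an added check, not code from this commit or the adminserver project: it runs over constructed config fragments written in the style of the patched httpd.conf and admserv.conf (hypothetical /opt/fds paths) and lists the ScriptAlias targets that no allowing <Directory> block matches.

```python
import re
# Constructed fragments in the style of the patched httpd.conf and admserv.conf
# (hypothetical /opt/fds paths; not the repository's real files).
HTTPD_CONF = """
<Directory />
    Order deny,allow
    Deny from all
</Directory>
"""
ADMSERV_CONF = """
ScriptAlias /clients/orgchart/bin/ "/opt/fds/clients/orgchart/bin/"
ScriptAlias /dist/ "/opt/fds/dist/"
<Directory "/opt/fds/manual/">
    Order allow,deny
    Allow from all
</Directory>
<Directory "/opt/fds/clients/*/bin/">
    Order allow,deny
    Allow from all
</Directory>
"""

BLOCK_RE = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.S)
ALIAS_RE = re.compile(r'^\s*ScriptAlias\s+\S+\s+"?([^"\s]+)"?', re.M)

def _has(directive, body):
    return re.search(r'^\s*' + directive + r'\s+from\s+all\b', body, re.M | re.I) is not None

def allowing_directories(conf):
    """<Directory> patterns granting access to everyone: 'Allow from all' and no
    'Deny from all' (a simplification of Apache's Order semantics)."""
    return [p for p, b in BLOCK_RE.findall(conf) if _has('Allow', b) and not _has('Deny', b)]

def denies_by_default(conf):
    """True when the root <Directory /> block denies everyone, as the patch does."""
    return any(p == '/' and _has('Deny', b) for p, b in BLOCK_RE.findall(conf))

def directory_matches(pattern, path):
    """Apache <Directory> covers the directory and its subtree; '*' and '?' never match '/'."""
    regex = re.escape(pattern.rstrip('/')).replace(r'\*', '[^/]*').replace(r'\?', '[^/]')
    return re.fullmatch(regex + '(/.*)?', path.rstrip('/')) is not None

def uncovered_aliases(httpd_conf, admserv_conf):
    """ScriptAlias targets that would now answer 403: under the old allow-all default they
    were reachable, under deny-by-default each needs an allowing <Directory> block."""
    if not denies_by_default(httpd_conf):
        return []
    allowed = allowing_directories(admserv_conf)
    return [t for t in ALIAS_RE.findall(admserv_conf)
            if not any(directory_matches(p, t) for p in allowed)]
```

With the fragments above, /opt/fds/dist/ is reported because no allowing block covers it, while the orgchart CGI directory is matched by the clients/*/bin/ wildcard.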



Index: admserv.conf
===================================================================
RCS file: /cvs/dirsec/adminserver/admserv/cfgstuff/admserv.conf,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- admserv.conf	19 Nov 2005 00:43:02 -0000	1.11
+++ admserv.conf	7 Dec 2005 20:46:06 -0000	1.12
@@ -25,7 +25,7 @@
 SetEnv ADMSERV_ROOT %%%sroot%%%/admin-serv/config/
 
 ADMCacheLifeTime 600
-ADMServerVersionString "Fedora-Administrator/1.0"
+ADMServerVersionString "Fedora-Administrator/1.0.1"
 
 ScriptAlias /clients/orgchart/bin/ "%%%sroot%%%/clients/orgchart/bin/"
 ScriptAlias /clients/dsgw/bin/ "%%%sroot%%%/clients/dsgw/bin/"
@@ -33,6 +33,45 @@
 ScriptAlias /dist/ "%%%sroot%%%/dist/"
 ScriptAlias /manual/help/ %%%sroot%%%/manual/help/
 
+# all access is explicitly denied by default in httpd.conf
+# the following Directory directives turn on access for specific
+# directories
+<Directory "%%%sroot%%%/java/">
+    AllowOverride None
+    Options None
+    Order allow,deny
+    Allow from all
+</Directory>
+
+<Directory "%%%sroot%%%/manual/">
+    AllowOverride None
+    Options None
+    Order allow,deny
+    Allow from all
+</Directory>
+
+<Directory "%%%sroot%%%/clients/*/*html/">
+    AllowOverride None
+    Options None
+    Order allow,deny
+    Allow from all
+</Directory>
+
+<Directory "%%%sroot%%%/clients/dsgw/*config/">
+    AllowOverride None
+    Options None
+    Order allow,deny
+    Allow from all
+</Directory>
+
+<Directory "%%%sroot%%%/bin/admin/admin/icons/">
+    AllowOverride None
+    Options None
+    Order allow,deny
+    Allow from all
+</Directory>
+
+# enable access for CGI progs/scripts
 <Directory "%%%sroot%%%/clients/orgchart/bin/">
     AllowOverride None
     Options None
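Review bot: the new `<Directory "%%%sroot%%%/clients/dsgw/*config/">` block opens a directory whose name says configuration to every client, and the bug being fixed is a configuration file with a password being served to browsers; please confirm that directory contains only files the gateway pages are meant to fetch and nothing in the class of adm.conf, and that the `*config/` wildcard does not also match any other config directory under clients/dsgw/. `Options None` (no Indexes) on all five blocks is good, since nothing can be listed even where access is granted.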
@@ -69,6 +108,8 @@
     AuthType basic
     AuthName "Admin Server"
     Require valid-user
+    Order allow,deny
+    Allow from all
 </Location>
 
 # Handle Other Console tasks
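Review bot: `Allow from all` placed next to `Require valid-user` only keeps the password check because Apache's `Satisfy` defaults to `All`; if `Satisfy Any` is set in any enclosing scope, these Location blocks become reachable without authentication. Worth a grep for `Satisfy` in both files, and a one-line comment on the first such block saying the Allow exists only to override the new deny-all default in httpd.conf, since the same two lines are repeated in five places here without explanation.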
@@ -79,6 +120,8 @@
   Require valid-user
   AdminSDK on
   Options +ExecCGI
+  Order allow,deny
+  Allow from all
 </LocationMatch>
 
 # Handle Admin Express
@@ -90,6 +133,8 @@
   AdminSDK on
   NESCompatEnv on
   Options +ExecCGI
+  Order allow,deny
+  Allow from all
 </LocationMatch>
 
 # Handle internal commands
@@ -98,6 +143,8 @@
   AuthType basic
   AuthName "Admin Server"
   Require valid-user
+  Order allow,deny
+  Allow from all
 </LocationMatch>
 
 # Handle Stop, Start, Restart, Instance Creation - invoke mod_restartd
@@ -112,4 +159,6 @@
   AdminSDK off
   Options +ExecCGI
   RetainPerms on
+  Order allow,deny
+  Allow from all
 </LocationMatch>
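Review bot: this LocationMatch (stop, start, restart, instance creation via mod_restartd, with `RetainPerms on`) is the most privileged location in the file, so its `Allow from all` now leaves `Require valid-user` as the only barrier. Consider whether this block could keep a narrower `Allow from` (the hosts the console is run from) instead of `all`; nothing in the diff indicates it needs to be reachable from everywhere.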


Index: httpd.conf
===================================================================
RCS file: /cvs/dirsec/adminserver/admserv/cfgstuff/httpd.conf,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- httpd.conf	3 Nov 2005 23:20:49 -0000	1.6
+++ httpd.conf	7 Dec 2005 20:46:06 -0000	1.7
@@ -248,9 +248,10 @@
 
 #
 # Controls who can get stuff from this server.
-#
-    Order allow,deny
-    Allow from all
+# By default, no one may access anything
+# Access must be explicitly granted in admserv.conf
+    Order deny,allow
+    Deny from all
 
 </Directory>
 
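Review bot: `Order deny,allow` / `Deny from all` on the root `<Directory>` is the right default, but it also means any aliased path not matched by one of the allowing blocks in admserv.conf now returns 403 rather than the content; admserv.conf still carries `ScriptAlias /dist/` and the `/manual/help/` alias alongside the CGI bin directories, and only some of those targets appear in the new `<Directory>` list above. The upgrade test on FDS 1.0 should request every alias and every console page once to catch silent breakage, and the comment could say in one line that the allow list lives in admserv.conf so the next person editing httpd.conf does not revert this.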