Dan,<br><br>The OS is Linux. CentOS. The web server is the Apache that ships with that distribution. Again, pretty much the default installation. <br><br>Linux-: 2.6.18-128.el5 #1 SMP Wed Jan 21 10:44:23 EST 2009 i686 i686 i386 GNU/Linux<br>
# /usr/sbin/httpd -v<br>Server version: Apache/2.2.3<br>Server built: Jul 14 2009 06:04:04<br><br>I have removed cvsweb.cgi and stopped sweating as nobody has access to the system via http right now. <br><br>Some of our admins will need such access however so any further information would be helpful. Even if it's "Go ask on the foobar list instead."<br>
<br><div class="gmail_quote">On Thu, Apr 8, 2010 at 12:43 PM, <span dir="ltr"><<a href="mailto:Dan_Mitton@ymp.gov">Dan_Mitton@ymp.gov</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br><font face="sans-serif" size="2">Nicky,</font>
<br>
<br><font face="sans-serif" size="2">What OS are we talking about? The
easy answer is to remove cvsweb.cgi, but if you don't want to do that,
make sure that your web server and rancid processes run with separate user
ids and that the two cannot read each other's files.</font>
<br>
<br><font face="sans-serif" size="2">Dan</font>
<br>
<br>
<br>
<p><font face="sans-serif" size="1" color="#800080">Sent by:
<a href="mailto:rancid-discuss-bounces@shrubbery.net" target="_blank">rancid-discuss-bounces@shrubbery.net</a></font>
</p><p><font face="sans-serif" size="1" color="#800080">To:
</font><font face="sans-serif" size="1"><a href="mailto:rancid-discuss@shrubbery.net" target="_blank">rancid-discuss@shrubbery.net</a></font>
<br><font face="sans-serif" size="1" color="#800080">cc:
</font><font face="sans-serif" size="1">(bcc: Dan Mitton/YD/RWDOE)</font>
<br><font face="sans-serif" size="1" color="#800080">Subject:
</font><font face="sans-serif" size="1">[rancid] No
Password required to read Configs.</font>
</p><div><div></div><div class="h5">
<br><font size="3">Hi All,<br>
<br>
We have a Rancid installation on an internal IP. Everything is pretty
much default and only our Cisco devices are managed through Rancid.
I just noticed a truck-sized hole in my config however. <br>
<br>
If you enter </font><a href="http://192.168.32.2/cgi-bin/cvsweb.cgi/" target="_blank"><font size="3" color="blue"><u>http://192.168.32.2/cgi-bin/cvsweb.cgi/</u></font></a></div></div><font size="3">
on your browser, you can access the config files for all our devices without
a password.<div><div></div><div class="h5"><br>
<br>
I have limited the IPs which can reach port 80 but that is far from enough.
What must I change to protect this data? Is there a howto?
Did I miss a section of the installation manual? <br>
<br></div></div>
Nicky.</font><tt><font size="2">_______________________________________________<br>
Rancid-discuss mailing list<br>
<a href="mailto:Rancid-discuss@shrubbery.net" target="_blank">Rancid-discuss@shrubbery.net</a><br>
</font></tt><a href="http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss" target="_blank"><tt><font size="2">http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss</font></tt></a>
<br>
<br></blockquote></div><br>