[rancid] Re: No Password required to read Configs.

Dan_Mitton at YMP.GOV Dan_Mitton at YMP.GOV
Thu Apr 8 16:43:42 UTC 2010


What OS are we talking about?  The easy answer is to remove cvsweb.cgi, 
but if you don't want to do that, make sure that your web server and 
rancid processes run with separate user id's and that the two can not read 
each others files.


Sent by:        rancid-discuss-bounces at shrubbery.net
To:     rancid-discuss at shrubbery.net
cc:      (bcc: Dan Mitton/YD/RWDOE)
Subject:        [rancid]  No Password required to read Configs.
LSN: Not Relevant - Not Privileged
User Filed as: Excl/AdminMgmt-14-4/QA:N/A

Hi All,

We have a Rancid installation on an internal IP.  Everything is pretty 
much default and only our Cisco devices are managed through Rancid.  I 
just noticed a truck sized hole in my config however.  

If you enter   on your browser, 
you can access the config files for all our devices without a password.

I have limited the IPs which can reach port 80 but that is far from 
enough.  What must I change to protect this data?  Is there a howto?  Did 
I miss a section of the installation manual? 

Rancid-discuss mailing list
Rancid-discuss at shrubbery.net

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20100408/816a3091/attachment.html 

More information about the Rancid-discuss mailing list