[rancid] Re: No Password required to read Configs.

Chris Gauthier cgauthier at mapscu.com
Thu Apr 8 17:16:44 UTC 2010


Here is a quickie tutorial on .htaccess for password authentication:

http://www.csoft.net/docs/htaccess.html.en

Chris G.


From: rancid-discuss-bounces at shrubbery.net [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Nicky Brown
Sent: Thursday, April 08, 2010 7:08 AM
To: Dan_Mitton at ymp.gov
Cc: rancid-discuss at shrubbery.net
Subject: [rancid] Re: No Password required to read Configs.

Dan,

The OS is Linux.  CentOS.  The Webserver is the Apache that ships with that distribution.  Again, pretty much the default installation. 

Linux-:  2.6.18-128.el5 #1 SMP Wed Jan 21 10:44:23 EST 2009 i686 i686 i386 GNU/Linux
# /usr/sbin/httpd -v
Server version: Apache/2.2.3
Server built:   Jul 14 2009 06:04:04

I have removed cvsweb.cgi and stopped sweating as nobody has access to the system via http right now.  

Some of our admins will need such access, however, so any further information would be helpful.  Even if it's "Go ask on the foobar list instead."

On Thu, Apr 8, 2010 at 12:43 PM, <Dan_Mitton at ymp.gov> wrote:

Nicky, 

What OS are we talking about?  The easy answer is to remove cvsweb.cgi, but if you don't want to do that, make sure that your web server and rancid processes run with separate user IDs and that the two cannot read each other's files. 

Dan 

Sent by:        rancid-discuss-bounces at shrubbery.net 
To:        rancid-discuss at shrubbery.net 
cc:         (bcc: Dan Mitton/YD/RWDOE) 
Subject:        [rancid]  No Password required to read Configs. 


Hi All,

We have a Rancid installation on an internal IP.  Everything is pretty much default and only our Cisco devices are managed through Rancid.  I just noticed a truck sized hole in my config however.  

If you enter http://192.168.32.2/cgi-bin/cvsweb.cgi/ on your browser, you can access the config files for all our devices without a password.


I have limited the IPs which can reach port 80 but that is far from enough.  What must I change to protect this data?  Is there a howto?  Did I miss a section of the installation manual? 
Nicky.
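An added example, not part of any message in this thread: one way to put a password on the cvsweb.cgi URL discussed above, written for the Apache 2.2 that Nicky reports. It goes in the server configuration rather than an .htaccess file, because .htaccess only takes effect where AllowOverride permits AuthConfig. The password file path, realm name, conf.d file name and the 192.168.32.0/24 admin network are assumptions.

```apache
# Assumed location: /etc/httpd/conf.d/cvsweb-auth.conf
#
# Create the password file first, outside the document root and
# readable by the httpd user only ("alice" is a placeholder):
#   htpasswd -c /etc/httpd/conf/rancid.htpasswd alice

# <Location> matches on the URL, so it also covers the path-info
# requests cvsweb generates, such as /cgi-bin/cvsweb.cgi/<module>/<file>.
<Location /cgi-bin/cvsweb.cgi>
    AuthType Basic
    AuthName "RANCID configs"
    AuthUserFile /etc/httpd/conf/rancid.htpasswd
    Require valid-user

    # Keep the source-address restriction as well (Apache 2.2 syntax).
    # 192.168.32.0/24 is a constructed value standing in for the admin network.
    Order deny,allow
    Deny from all
    Allow from 192.168.32.0/24

    # Require BOTH the address match and a valid login.
    Satisfy all

    # Basic auth sends the password base64-encoded, not encrypted.
    # If mod_ssl is loaded, refuse plain-HTTP requests to this URL.
    <IfModule mod_ssl.c>
        SSLRequireSSL
    </IfModule>
</Location>
```

After a reload, `apachectl configtest` should report "Syntax OK" and an unauthenticated request to the URL should return 401 instead of the repository listing.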