Hi Helmut,

On Thursday, 26 July 2012, Helmut Grohne wrote:
> Justification: user security hole

thanks a lot for your ongoing work on Debian security! Much appreciated! :-)

About the issue at hand, I'll see what I can do... more notes from IRC:

<h01ger> helmut, any idea how to fix?
<helmut> h01ger: that's not easy. as i said "not enabling the config" is no solution.
<TheSnide> helmut: adding another <Location> does
<helmut> h01ger: maybe the best road would be to move the cgi scripts to some other place (as to not enable them accidentally)
<h01ger> cgi is the default now and imho a good one :/
<TheSnide> helmut: we need a good oob experience :p
<helmut> h01ger: and then individually map them to a protected Location using scriptalias.
<helmut> h01ger: /usr/lib/cgi-bin may be a sane default, *if* the scripts themselves are "secure" which they aren't in some little aspect.
<TheSnide> my take is, upstream (ehem, that is... me) is shipping in /usr/lib/cgi-bin.
<helmut> well then you will reproduce this issue with munin + $other-webserver
<TheSnide> i don't really care about private munin oob.
<TheSnide> "Allow from localhost" isn't upstream's default. [ and if it is, well, that has to be fixed :p ]
<h01ger> TheSnide, "oob" = out of the box?
<TheSnide> h01ger: yes, sorry
<TheSnide> i mean, our tgz oob experience is quite poor
<Flameeyes> that's what distros are for
<Flameeyes> *cough* sending patches *cough*
<helmut> h01ger: so do we agree that a stock munin installation on debian should be restricted to localhost access?
<h01ger> yes
<helmut> h01ger: great. then you have basically two options. a) change all cgi scripts to do authentication checks themselves b) do not place cgi scripts in /usr/lib/cgi-bin.
<helmut> h01ger: I see no other options.
<TheSnide> helmut: how do you support other httpd ?
<helmut> TheSnide: they will need a separate config like they did before.
<helmut> TheSnide: thing is, that /usr/lib/cgi-bin may only be used for cgi scripts that are "secure" oob. and munin's aren't.
<ndonegan> Have a look at how phpmyadmin does it. It gives an option on install asking if you want to add configuration to apache2 or nginx
<helmut> ndonegan: right this works, because phpmyadmin does not ship files in standard paths like /usr/lib/cgi-bin.

> This issue is related to #649520.

right, though I do think munin should work out of the box...

cheers,
	Holger

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
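To make helmut's option (b) concrete, here is an added Apache configuration sketch; it is not from the bug report, the munin package or upstream munin. It contrasts the shared /usr/lib/cgi-bin mapping (which Debian's apache2 enables for every vhost, so any script placed there answers to the whole network as soon as the package is installed) with a private directory that is mapped individually by ScriptAlias and restricted to localhost. The directory /usr/lib/munin/cgi/ and the URL prefix /munin-cgi/ are assumed names, not paths the thread specifies.

```apache
# Added example, not part of the bug report or the munin package.
# Paths /usr/lib/munin/cgi/ and /munin-cgi/ are assumptions for illustration.

# --- Weak: scripts dropped into the shared CGI directory --------------------
# This is the stock mapping Debian's apache2 ships; it is already active before
# any munin-specific <Location> or "Allow from localhost" block is enabled, so
# every script in /usr/lib/cgi-bin is reachable by anyone who reaches the host.
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

# --- Hardened: private directory, mapped individually, localhost only --------
# Scripts live outside /usr/lib/cgi-bin, so the shared alias never exposes them;
# they become reachable only through this explicit, access-controlled mapping.
ScriptAlias /munin-cgi/ /usr/lib/munin/cgi/

<Directory /usr/lib/munin/cgi/>
    Options +ExecCGI
    # Apache 2.2 form of "Allow from localhost" (the default the thread agrees on)
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
    # Apache 2.4 equivalent of the three lines above:  Require local
</Directory>
```

A quick check after deploying the hardened form: a request for /munin-cgi/ from any address other than the loopback interface should return 403, and a request for /cgi-bin/ followed by a munin script name should return 404 because nothing of munin's is left in /usr/lib/cgi-bin. Note that this only covers apache2; as helmut says, other httpds still need their own equivalent configuration.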