public inbox for overseers@sourceware.org
* /www/conf/httpd.conf
@ 2003-03-26 20:38 Gerald Pfeifer
  2003-03-27  1:04 ` /www/conf/httpd.conf Christopher Faylor
  0 siblings, 1 reply; 13+ messages in thread
From: Gerald Pfeifer @ 2003-03-26 20:38 UTC (permalink / raw)
  To: overseers

I was going to tweak /www/conf/httpd.conf a bit and restart Apache (in
fact, I did so <g>) in the context of Daniel's Bugzilla work, where we
want to redirect old gnatsweb URLs, when I noticed two oddities:

 o httpd.conf is rw-rw-rw, that is, world-writable.

 o There is a /www/conf/RCS directory, but when I obtained httpd.conf
 from there, I noticed that /www/conf/httpd.conf contains a couple of
 changes which are not (yet) in RCS.

Gerald
-- 
Gerald Pfeifer (Jerry)   gerald@pfeifer.com   http://www.pfeifer.com/gerald/

^ permalink raw reply	[flat|nested] 13+ messages in thread

* Re: /www/conf/httpd.conf
  2003-03-26 20:38 /www/conf/httpd.conf Gerald Pfeifer
@ 2003-03-27  1:04 ` Christopher Faylor
  2003-03-27  1:14   ` /www/conf/httpd.conf Gerald Pfeifer
  0 siblings, 1 reply; 13+ messages in thread
From: Christopher Faylor @ 2003-03-27  1:04 UTC (permalink / raw)
  To: Gerald Pfeifer; +Cc: overseers

On Wed, Mar 26, 2003 at 09:38:10PM +0100, Gerald Pfeifer wrote:
>I was going to tweak /www/conf/httpd.conf a bit and restart Apache (in
>fact, I did so <g>) in the context of Daniel's Bugzilla work, where we
>want to redirect old gnatsweb URLs, when I noticed two oddities:
>
> o httpd.conf is rw-rw-rw, that is, world-writable.
>
> o There is a /www/conf/RCS directory, but when I obtained httpd.conf
> from there, I noticed that /www/conf/httpd.conf contains a couple of
> changes which are not (yet) in RCS.

Um, yeah.  I've been working with Daniel on all of this bugzilla stuff,
including making changes to httpd.conf.  I'm not sure why he was suddenly
asking someone else to make these changes.

Did you really intend to redirect gnatsweb stuff to Daniel Berlin's web
site?

cgf


* Re: /www/conf/httpd.conf
  2003-03-27  1:04 ` /www/conf/httpd.conf Christopher Faylor
@ 2003-03-27  1:14   ` Gerald Pfeifer
  0 siblings, 0 replies; 13+ messages in thread
From: Gerald Pfeifer @ 2003-03-27  1:14 UTC (permalink / raw)
  To: Christopher Faylor; +Cc: overseers

On Wed, 26 Mar 2003, Christopher Faylor wrote:
> Um, yeah.  I've been working with Daniel on all of this bugzilla stuff,
> including making changes to httpd.conf.  I'm not sure why he was suddenly
> asking someone else to make these changes.

He wasn't actually asking. We were discussing things on the gcc mailing
list, he mentioned that he knew what to do but didn't have access, and I
wasn't aware that you're working on that, so I recalled my Apache-foo and
tried to implement the redirect.

> Did you really intend to redirect gnatsweb stuff to Daniel Berlin's web
> site?

Unfortunately, both the configuration that works on Daniel's box (which
runs Apache 2.0) and the RedirectMatch I came up with failed to work on
gcc.gnu.org. :-(

(http://gcc.gnu.org/ml/gcc/2003-03/msg01519.html is the start of the
sub-thread on that configuration.)

Do you have any idea what I might have missed?  I'm feeling pretty
stupid today.

Gerald
-- 
Gerald Pfeifer (Jerry)   gerald@pfeifer.com   http://www.pfeifer.com/gerald/


* Re: /www/conf/httpd.conf
  2003-05-08 14:38     ` /www/conf/httpd.conf Christopher Faylor
@ 2003-05-08 18:03       ` Jason Molenda
  0 siblings, 0 replies; 13+ messages in thread
From: Jason Molenda @ 2003-05-08 18:03 UTC (permalink / raw)
  To: overseers

On Thu, May 08, 2003 at 10:38:12AM -0400, Christopher Faylor wrote:

> As long as we're all letting the horse out of the barn, I have to say
> that I haven't seen any argument made here which doesn't already apply
> to other parts of sourceware which are already under cvs control.  There
> are plenty of places where checking in a file could compromise security.

I agree - which is why I don't have any problems with the file being
maintained under CVS.  It's under RCS just for historical reasons.


J


* Re: /www/conf/httpd.conf
  2003-05-08  6:14   ` /www/conf/httpd.conf Jason Molenda
@ 2003-05-08 14:38     ` Christopher Faylor
  2003-05-08 18:03       ` /www/conf/httpd.conf Jason Molenda
  0 siblings, 1 reply; 13+ messages in thread
From: Christopher Faylor @ 2003-05-08 14:38 UTC (permalink / raw)
  To: overseers

On Wed, May 07, 2003 at 11:14:19PM -0700, Jason Molenda wrote:
>On Wed, May 07, 2003 at 05:06:33PM -0400, Christopher Faylor wrote:
>
>> I keep meaning to look into checking httpd.conf into cvs.  There's no
>> real reason why we couldn't just put this in, say,
>> /sourceware/infra/httpd or something and use the standard mechanism
>> for updating it right?
>
>You could compromise the system if you could write to the httpd.conf
>file, so the current scheme where only people with ssh login access
>as root can write it keeps that group small.  Otherwise, no, no
>problems.  I suppose if you've compromised an account with sourceware
>repo write access, you've probably already got login access.  Compromising
>the httpd uid could give you group write perms to all the other 
>groups (granted for cvsweb).
>
>I doubt this would represent our most gregarious security problem--I'm
>just thinking it through aloud.

As long as we're all letting the horse out of the barn, I have to say
that I haven't seen any argument made here which doesn't already apply
to other parts of sourceware which are already under cvs control.  There
are plenty of places where checking in a file could compromise security.

cgf


* Re: /www/conf/httpd.conf
  2003-05-07 21:06 ` /www/conf/httpd.conf Christopher Faylor
@ 2003-05-08  6:14   ` Jason Molenda
  2003-05-08 14:38     ` /www/conf/httpd.conf Christopher Faylor
  0 siblings, 1 reply; 13+ messages in thread
From: Jason Molenda @ 2003-05-08  6:14 UTC (permalink / raw)
  To: Gerald Pfeifer, overseers

On Wed, May 07, 2003 at 05:06:33PM -0400, Christopher Faylor wrote:

> I keep meaning to look into checking httpd.conf into cvs.  There's no
> real reason why we couldn't just put this in, say,
> /sourceware/infra/httpd or something and use the standard mechanism
> for updating it right?

You could compromise the system if you could write to the httpd.conf
file, so the current scheme where only people with ssh login access
as root can write it keeps that group small.  Otherwise, no, no
problems.  I suppose if you've compromised an account with sourceware
repo write access, you've probably already got login access.  Compromising
the httpd uid could give you group write perms to all the other 
groups (granted for cvsweb).

I doubt this would represent our most gregarious security problem--I'm
just thinking it through aloud.

J


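As an added example (written for this page, not part of the thread or of sourceware's own tooling), a POSIX shell audit that covers both Gerald's two observations in the first message (an httpd.conf that is writable by everyone, and a working copy with changes not yet in RCS) and Jason's point above about who is able to write the file: it lists files under a config directory that are writable by group or other, tightens them, and compares a working file with the head revision in its RCS directory. The demo directory and file contents are constructed; the RCS `co` tool is assumed to be installed for the drift check, and the check reports "nothing to compare" rather than failing when it is not.

```shell
#!/bin/sh
# Audit a web server config directory for two problems: files that can be
# edited by someone other than their owner, and a working file that has
# drifted from the head revision kept under RCS/.
# Assumes POSIX sh, find, diff, mktemp and (for the drift check) RCS "co".

# Print regular files under $1 whose group or other write bit is set.
# -perm -020: group-writable; -perm -002: other-writable.
find_loose_perms() {
    find "$1" -type f \( -perm -002 -o -perm -020 \) -print
}

# Clear the group/other write bits on $1 so only the owner can edit it.
tighten() {
    chmod go-w "$1"
}

# Compare working file $1 with the head revision in RCS/<name>,v next to it.
# Exit status: 0 = identical, 1 = working copy has unrecorded changes,
# 2 = no RCS archive or no "co" binary, so there is nothing to compare.
rcs_drift() {
    dir=$(dirname "$1"); base=$(basename "$1")
    archive="$dir/RCS/$base,v"
    [ -f "$archive" ] || return 2
    command -v co >/dev/null 2>&1 || return 2
    head=$(mktemp) || return 2
    # "co -p" writes the head revision to stdout without touching the
    # working file or taking a lock.
    if ! co -p -q "$archive" > "$head"; then
        rm -f "$head"; return 2
    fi
    diff -u "$head" "$1"      # diff exits 1 when the files differ
    status=$?
    rm -f "$head"
    return $status
}

# Run both checks over a directory and report in plain text.
audit_conf_dir() {
    loose=$(find_loose_perms "$1")
    if [ -n "$loose" ]; then
        echo "writable by group/other:"
        echo "$loose"
    fi
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        rcs_drift "$f" >/dev/null
        case $? in
            1) echo "drift: $f differs from its RCS head" ;;
            2) echo "no RCS head for $f" ;;
        esac
    done
}

# Stand-alone demo on a constructed directory, not the real /www/conf.
demo_dir=$(mktemp -d)
printf 'ServerName example.invalid\n' > "$demo_dir/httpd.conf"
chmod 666 "$demo_dir/httpd.conf"      # reproduce the rw-rw-rw- state
audit_conf_dir "$demo_dir"
tighten "$demo_dir/httpd.conf"
rm -rf "$demo_dir"
```

Run it as `sh audit.sh` for the demo, or source it and call `audit_conf_dir /www/conf` as root; a non-zero result from `rcs_drift` is the cue to `ci -l` the working copy before the next restart so the archive stays authoritative.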
* Re: /www/conf/httpd.conf
  2003-05-07 22:05   ` /www/conf/httpd.conf Gerald Pfeifer
@ 2003-05-07 22:15     ` Andrew Cagney
  0 siblings, 0 replies; 13+ messages in thread
From: Andrew Cagney @ 2003-05-07 22:15 UTC (permalink / raw)
  To: Gerald Pfeifer; +Cc: overseers

> On Wed, 7 May 2003, Andrew Cagney wrote:
> 
>> Hey!
>>
>> 	http://sources.redhat.com/gdb/bugs/12345
>> or	http://sources.redhat.com/gdb/bugs?12345
>> or	...
>>
>> possible.  Same reason.  In fact, I know, given that people know that
>> gdb/bugs is the bugs page, that people even try the first one.
> 
> 
> So, why don't _you_? (Try the first one, that is?)
> 
> :-)

Thank you!

Andrew



* Re: /www/conf/httpd.conf
  2003-05-07 21:18 ` /www/conf/httpd.conf Andrew Cagney
@ 2003-05-07 22:05   ` Gerald Pfeifer
  2003-05-07 22:15     ` /www/conf/httpd.conf Andrew Cagney
  0 siblings, 1 reply; 13+ messages in thread
From: Gerald Pfeifer @ 2003-05-07 22:05 UTC (permalink / raw)
  To: Andrew Cagney; +Cc: overseers

On Wed, 7 May 2003, Andrew Cagney wrote:
> Hey!
>
> 	http://sources.redhat.com/gdb/bugs/12345
> or	http://sources.redhat.com/gdb/bugs?12345
> or	...
>
> possible.  Same reason.  In fact, I know, given that people know that
> gdb/bugs is the bugs page, that people even try the first one.

So, why don't _you_? (Try the first one, that is?)

:-)

Gerald
-- 
Gerald Pfeifer (Jerry)   gerald@pfeifer.com   http://www.pfeifer.com/gerald/


* Re: /www/conf/httpd.conf
  2003-05-07 21:33 ` /www/conf/httpd.conf Ian Lance Taylor
@ 2003-05-07 21:59   ` Gerald Pfeifer
  0 siblings, 0 replies; 13+ messages in thread
From: Gerald Pfeifer @ 2003-05-07 21:59 UTC (permalink / raw)
  To: overseers; +Cc: Christopher Faylor, Ian Lance Taylor

On Wed, 7 May 2003, Christopher Faylor wrote:
> I keep meaning to look into checking httpd.conf into cvs.  There's no
> real reason why we couldn't just put this in, say,
> /sourceware/infra/httpd or something and use the standard mechanism
> for updating it right?

Hmm, that'd be the first such update procedure running as root. (Also,
wouldn't this de facto expose root privilege to many more users?)

On Wed, 7 May 2003, Ian Lance Taylor wrote:
> Whoops, sorry.  I looked for a CVS directory or a ,v file, but I
> certainly should have looked for an RCS directory.

No problem.  Being a CVS user most of the time, this allowed me to brush
up my RCS skills again. ;-)

Gerald
-- 
Gerald "Jerry"   pfeifer@dbai.tuwien.ac.at   http://www.pfeifer.com/gerald/


* Re: /www/conf/httpd.conf
  2003-05-07 21:02 /www/conf/httpd.conf Gerald Pfeifer
  2003-05-07 21:06 ` /www/conf/httpd.conf Christopher Faylor
  2003-05-07 21:18 ` /www/conf/httpd.conf Andrew Cagney
@ 2003-05-07 21:33 ` Ian Lance Taylor
  2003-05-07 21:59   ` /www/conf/httpd.conf Gerald Pfeifer
  2 siblings, 1 reply; 13+ messages in thread
From: Ian Lance Taylor @ 2003-05-07 21:33 UTC (permalink / raw)
  To: Gerald Pfeifer; +Cc: overseers

Gerald Pfeifer <gerald@pfeifer.com> writes:

> FYI, I committed the following to RCS, which Ian probably missed:
> 
>   RCS file: RCS/httpd.conf,v
>   ----------------------------
>   revision 1.116  locked by: root;
>   date: 2003/05/07 20:58:35;  author: root;  state: Exp;  lines: +23 -1
>   Enter changes by Ian Lance Taylor that added a VirtualHost for
>   ecos.sourceware.org. (Gerald)
> 
> And I'll shortly add a redirection from http://gcc.gnu.org/PR?12345 to
> the corresponding gnatsweb URL (because the former is easier to remember
> and use).

Whoops, sorry.  I looked for a CVS directory or a ,v file, but I
certainly should have looked for an RCS directory.

Ian


* Re: /www/conf/httpd.conf
  2003-05-07 21:02 /www/conf/httpd.conf Gerald Pfeifer
  2003-05-07 21:06 ` /www/conf/httpd.conf Christopher Faylor
@ 2003-05-07 21:18 ` Andrew Cagney
  2003-05-07 22:05   ` /www/conf/httpd.conf Gerald Pfeifer
  2003-05-07 21:33 ` /www/conf/httpd.conf Ian Lance Taylor
  2 siblings, 1 reply; 13+ messages in thread
From: Andrew Cagney @ 2003-05-07 21:18 UTC (permalink / raw)
  To: Gerald Pfeifer; +Cc: overseers

> FYI, I committed the following to RCS, which Ian probably missed:
> 
>   RCS file: RCS/httpd.conf,v
>   ----------------------------
>   revision 1.116  locked by: root;
>   date: 2003/05/07 20:58:35;  author: root;  state: Exp;  lines: +23 -1
>   Enter changes by Ian Lance Taylor that added a VirtualHost for
>   ecos.sourceware.org. (Gerald)
> 
> And I'll shortly add a redirection from http://gcc.gnu.org/PR?12345 to
> the corresponding gnatsweb URL (because the former is easier to remember
> and use).

Hey!

	http://sources.redhat.com/gdb/bugs/12345
or	http://sources.redhat.com/gdb/bugs?12345
or	...

possible.  Same reason.  In fact, I know, given that people know that
gdb/bugs is the bugs page, that people even try the first one.

Andrew



* Re: /www/conf/httpd.conf
  2003-05-07 21:02 /www/conf/httpd.conf Gerald Pfeifer
@ 2003-05-07 21:06 ` Christopher Faylor
  2003-05-08  6:14   ` /www/conf/httpd.conf Jason Molenda
  2003-05-07 21:18 ` /www/conf/httpd.conf Andrew Cagney
  2003-05-07 21:33 ` /www/conf/httpd.conf Ian Lance Taylor
  2 siblings, 1 reply; 13+ messages in thread
From: Christopher Faylor @ 2003-05-07 21:06 UTC (permalink / raw)
  To: Gerald Pfeifer; +Cc: overseers

On Wed, May 07, 2003 at 11:02:09PM +0200, Gerald Pfeifer wrote:
>FYI, I committed the following to RCS, which Ian probably missed:
>
>  RCS file: RCS/httpd.conf,v
>  ----------------------------
>  revision 1.116  locked by: root;
>  date: 2003/05/07 20:58:35;  author: root;  state: Exp;  lines: +23 -1
>  Enter changes by Ian Lance Taylor that added a VirtualHost for
>  ecos.sourceware.org. (Gerald)
>
>And I'll shortly add a redirection from http://gcc.gnu.org/PR?12345 to
>the corresponding gnatsweb URL (because the former is easier to remember
>and use).

I keep meaning to look into checking httpd.conf into cvs.  There's no
real reason why we couldn't just put this in, say,
/sourceware/infra/httpd or something and use the standard mechanism
for updating it right?

cgf


* /www/conf/httpd.conf
@ 2003-05-07 21:02 Gerald Pfeifer
  2003-05-07 21:06 ` /www/conf/httpd.conf Christopher Faylor
                   ` (2 more replies)
  0 siblings, 3 replies; 13+ messages in thread
From: Gerald Pfeifer @ 2003-05-07 21:02 UTC (permalink / raw)
  To: overseers

FYI, I committed the following to RCS, which Ian probably missed:

  RCS file: RCS/httpd.conf,v
  ----------------------------
  revision 1.116  locked by: root;
  date: 2003/05/07 20:58:35;  author: root;  state: Exp;  lines: +23 -1
  Enter changes by Ian Lance Taylor that added a VirtualHost for
  ecos.sourceware.org. (Gerald)

And I'll shortly add a redirection from http://gcc.gnu.org/PR?12345 to
the corresponding gnatsweb URL (because the former is easier to remember
and use).

Gerald
-- 
Gerald Pfeifer (Jerry)   gerald@pfeifer.com   http://www.pfeifer.com/gerald/


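The short bug URL redirect Gerald announces above, as an added example written for this page rather than taken from gcc.gnu.org's httpd.conf; the gnatsweb script path and its query parameters are assumptions, not the real ones. The caveat worth knowing when such a rule "fails to work": Redirect and RedirectMatch match only the URL path, so a URL whose interesting part is the query string (/PR?12345) cannot be matched by RedirectMatch at all, and that form needs mod_rewrite with a RewriteCond on %{QUERY_STRING}.

```apache
# Added example, not the server's actual configuration. The gnatsweb
# target (/cgi-bin/gnatsweb.pl with cmd= and pr= parameters) is assumed.

# Path form, e.g. /PR/12345: RedirectMatch sees the URL path, so a
# capture group on the path is enough.
RedirectMatch permanent ^/PR/([0-9]+)$ http://gcc.gnu.org/cgi-bin/gnatsweb.pl?cmd=view&pr=$1

# Query form, e.g. /PR?12345: RedirectMatch never sees "?12345", so the
# number has to be captured from QUERY_STRING with mod_rewrite. %1 refers
# to the RewriteCond capture; the new query string replaces the old one.
RewriteEngine On
RewriteCond %{QUERY_STRING} ^([0-9]+)$
RewriteRule ^/PR$ http://gcc.gnu.org/cgi-bin/gnatsweb.pl?cmd=view&pr=%1 [R=301,L]
```

Both directive families exist in Apache 1.3 and 2.x. In server-wide or VirtualHost context RewriteRule matches the full URL path, so the pattern is anchored at /PR; inside a Directory or .htaccess section the path is relative and the leading slash must go.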
Thread overview: 13+ messages
2003-03-26 20:38 /www/conf/httpd.conf Gerald Pfeifer
2003-03-27  1:04 ` /www/conf/httpd.conf Christopher Faylor
2003-03-27  1:14   ` /www/conf/httpd.conf Gerald Pfeifer
2003-05-07 21:02 /www/conf/httpd.conf Gerald Pfeifer
2003-05-07 21:06 ` /www/conf/httpd.conf Christopher Faylor
2003-05-08  6:14   ` /www/conf/httpd.conf Jason Molenda
2003-05-08 14:38     ` /www/conf/httpd.conf Christopher Faylor
2003-05-08 18:03       ` /www/conf/httpd.conf Jason Molenda
2003-05-07 21:18 ` /www/conf/httpd.conf Andrew Cagney
2003-05-07 22:05   ` /www/conf/httpd.conf Gerald Pfeifer
2003-05-07 22:15     ` /www/conf/httpd.conf Andrew Cagney
2003-05-07 21:33 ` /www/conf/httpd.conf Ian Lance Taylor
2003-05-07 21:59   ` /www/conf/httpd.conf Gerald Pfeifer
