[Xymon] Xymon and apache 2.4.35 security problem
Marco Avvisano
marco.avvisano at regione.toscana.it
Wed Oct 9 12:42:27 CEST 2019
Solved using this conf:
----------
ScriptAlias /xymon-seccgi/ "/usr/local/xymon/cgi-secure/"
<Directory "/usr/local/xymon/cgi-secure">
    AllowOverride None
    Options ExecCGI Includes FollowSymLinks
    AuthUserFile /usr/local/xymon/server/etc/xymonpasswd
    AuthGroupFile /usr/local/xymon/server/etc/xymongroups
    AuthType Basic
    AuthName "Xymon Administration"
    <RequireAll>
        # "valid-user" restricts access to anyone who is logged in.
        Require valid-user
        # "group admins" restricts access to users who have logged in, AND
        # are members of the "admins" group in xymongroups.
        Require group admins
    </RequireAll>
</Directory>
-------
Best Regards
Marco
On 04/10/2019 11.30, Marco Avvisano wrote:
>
> Hi,
>
> I also recently upgraded to Apache/2.4.41 and xymon 4.30 and I had the
> same problem.
>
> I had to change from "Require all granted" to "Require all denied" to
> block access to /xymon-seccgi, but login does not work for me.
>
> Here is the section from ssl.conf:
>
> ScriptAlias /xymon-seccgi/ "/usr/local/xymon/cgi-secure/"
> <Directory "/usr/local/xymon/cgi-secure">
>     AllowOverride None
>     Options ExecCGI Includes FollowSymLinks
>     <IfModule mod_authz_core.c>
>         # Apache 2.4+
>         Require all denied
>     </IfModule>
>     <IfModule !mod_authz_core.c>
>         Order deny,allow
>         Allow from all
>     </IfModule>
>
>     # Password file where users with access to these scripts are kept.
>     # Create it with "htpasswd -c /usr/local/xymon/server/etc/xymonpasswd USERNAME"
>     # Add more users / change passwords with "htpasswd /usr/local/xymon/server/etc/xymonpasswd USERNAME"
>     #
>     # You can also use a group file to restrict admin access to members of a
>     # group, instead of anyone who is logged in. In that case you must setup
>     # the "xymongroups" file, and change the "Require" settings to require
>     # a specific group membership. See the Apache docs for more details.
>
>     AuthUserFile /usr/local/xymon/server/etc/xymonpasswd
>     AuthGroupFile /usr/local/xymon/server/etc/xymongroups
>     AuthType Basic
>     AuthName "Xymon Administration"
>
>     # "valid-user" restricts access to anyone who is logged in.
>     Require valid-user
>
>     # "group admins" restricts access to users who have logged in, AND
>     # are members of the "admins" group in xymongroups.
>     # Require group admins
>
> </Directory>
>
> Any ideas?
>
> Best Regards,
>
> Marco
>
>
> On 18/10/2018 22.11, LOZOVSKY, DANIEL L wrote:
>>
>> I recently upgraded to apache 2.4.35 and was having some issues with
>> password file to secure xymon-seccgi. I could not get apache to read
>> the password file. To get it to work I had to change from Require
>> all granted to Require all denied. Now, it works. I get prompted
>> to enter username and password.
>>
>> Here is the section from my httpd.conf file for your reference if you
>> will run into similar problems.
>>
>> ScriptAlias /xymon-seccgi/ "/opt/app/workload/bbapp/bb/cgi-secure/"
>> <Directory "/opt/app/workload/bbapp/bb/cgi-secure">
>>     AllowOverride None
>>     Options ExecCGI Includes
>>     <IfModule mod_authz_core.c>
>>         # Apache 2.4+
>>         *Require all denied*
>>     </IfModule>
>>     <IfModule !mod_authz_core.c>
>>         Order deny,allow
>>         Allow from all
>>     </IfModule>
>>
>>     # Password file where users with access to these scripts are kept.
>>     # Although expected in $XYMONHOME/etc/ by the useradm and chpasswd
>>     # scripts, files here can be read with the "config" message type,
>>     # which allows status-privileged clients to read arbitrary regular files
>>     # from the directory.
>>     #
>>     # This file should be owned and readable only by the apache server user,
>>     # and ideally merely a symlink to a location outside of $XYMONHOME/etc/
>>     #
>>     # Create it with:
>>     #     htpasswd -c /opt/app/workload/bbapp/bb/server/etc/xymonpasswd USERNAME
>>     #     chown apache:apache /opt/app/workload/bbapp/bb/server/etc/xymonpasswd
>>     #     chmod 640 /opt/app/workload/bbapp/bb/server/etc/xymonpasswd
>>     # Add more users / change passwords with: "htpasswd /opt/app/workload/bbapp/bb/server/etc/xymonpasswd USERNAME"
>>     #
>>     # You can also use a group file to restrict admin access to members of a
>>     # group, instead of anyone who is logged in. In that case you must setup
>>     # the "xymongroups" file, and change the "Require" settings to require
>>     # a specific group membership. See the Apache docs for more details.
>>
>>     AuthUserFile /opt/app/workload/bbapp/bb/server/etc/xymonpasswd
>>     AuthGroupFile /opt/app/workload/bbapp/bb/server/etc/xymongroups
>>     AuthType Basic
>>     AuthName "Xymon Administration"
>>
>>     # "valid-user" restricts access to anyone who is logged in.
>>     Require valid-user
>>
>>     # "group admins" restricts access to users who have logged in, AND
>>     # are members of the "admins" group in xymongroups.
>>     # Require group admins
>> </Directory>
>>
>> I also enabled the following modules.
>>
>> LoadModule authn_file_module modules/mod_authn_file.so
>> LoadModule authn_dbm_module modules/mod_authn_dbm.so
>> LoadModule authn_anon_module modules/mod_authn_anon.so
>> LoadModule authn_core_module modules/mod_authn_core.so
>> LoadModule authz_host_module modules/mod_authz_host.so
>> LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
>> LoadModule authz_user_module modules/mod_authz_user.so
>> LoadModule authz_core_module modules/mod_authz_core.so
>> LoadModule access_compat_module modules/mod_access_compat.so
>> LoadModule auth_basic_module modules/mod_auth_basic.so
>> LoadModule reqtimeout_module modules/mod_reqtimeout.so
>> LoadModule filter_module modules/mod_filter.so
>> LoadModule mime_module modules/mod_mime.so
>> LoadModule log_config_module modules/mod_log_config.so
>> LoadModule env_module modules/mod_env.so
>> LoadModule headers_module modules/mod_headers.so
>> LoadModule setenvif_module modules/mod_setenvif.so
>> LoadModule version_module modules/mod_version.so
>> LoadModule unixd_module modules/mod_unixd.so
>> LoadModule status_module modules/mod_status.so
>> LoadModule autoindex_module modules/mod_autoindex.so
>> LoadModule cgid_module modules/mod_cgid.so
>> LoadModule dir_module modules/mod_dir.so
>> LoadModule alias_module modules/mod_alias.so
>> LoadModule rewrite_module modules/mod_rewrite.so
>>
>>
>>
>> _______________________________________________
>> Xymon mailing list
>> Xymon at xymon.com
>> http://lists.xymon.com/mailman/listinfo/xymon
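
Why swapping "Require all granted" for "Require all denied" brought the password prompt back, and what the <RequireAll> block in the final configuration adds: in Apache 2.4, Require lines that are not inside a container are combined as an implicit <RequireAny>. The following is an added example, not part of the original thread or of Xymon; it is a simplified Python model of that rule, and the user names "operator" and "alice" are constructed.

```python
# Simplified model of Apache 2.4 mod_authz_core evaluation (added example).
# Assumes mod_authz_core is loaded, so <IfModule mod_authz_core.c> bodies apply.

def parse(conf):
    # Bare Require lines of one section sit in an implicit <RequireAny>.
    root = ("any", [])
    stack = [root]
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "IfModule" in line:
            continue  # <IfModule> is resolved at load time; its body is inlined
        if line in ("<RequireAll>", "<RequireAny>"):
            node = ("all" if "All" in line else "any", [])
            stack[-1][1].append(node)
            stack.append(node)
        elif line in ("</RequireAll>", "</RequireAny>"):
            stack.pop()
        elif line.startswith("Require "):
            stack[-1][1].append(("req", line.split()[1:]))
    return root

def allowed(node, user, groups):
    # user is None for a request that carries no credentials.
    kind, body = node
    if kind == "req":
        if body[0] == "all":
            return body[1] == "granted"
        if body[0] == "valid-user":
            return user is not None
        if body[0] == "group":
            return user is not None and bool(set(body[1:]) & set(groups))
        raise ValueError("provider not modelled: " + body[0])
    results = [allowed(child, user, groups) for child in body]
    return all(results) if kind == "all" else any(results)

# Require lines of the three configurations discussed in the thread.
STOCK = ("<IfModule mod_authz_core.c>\nRequire all granted\n</IfModule>\n"
         "Require valid-user")
WORKAROUND = STOCK.replace("all granted", "all denied")
FIXED = ("<RequireAll>\nRequire valid-user\nRequire group admins\n"
         "</RequireAll>")

def matrix(conf):
    # (anonymous, logged in but not in admins, logged in and in admins)
    tree = parse(conf)
    return (allowed(tree, None, []),
            allowed(tree, "operator", []),
            allowed(tree, "alice", ["admins"]))
```

A False in the first position is the case where Apache answers 401 and the browser shows the login prompt; under STOCK the request is granted before authentication is ever attempted.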