[Xymon] Xymon and apache 2.4.35 security problem

LOZOVSKY, DANIEL L dl1025 at att.com
Thu Oct 18 22:11:03 CEST 2018


I recently upgraded to apache 2.4.35 and was having some issues with password file to secure xymon-seccgi.  I got not get apache to read the password file.  To get it to work I had to change from Require all granted to Require all denied.   Now, it works.  I get prompted to enter username and password.

Here is the section from my httpd.conf file for your reference if you will run into similar problems.

ScriptAlias /xymon-seccgi/ "/opt/app/workload/bbapp/bb/cgi-secure/"
<Directory "/opt/app/workload/bbapp/bb/cgi-secure">
    AllowOverride None
    Options ExecCGI Includes
    <IfModule mod_authz_core.c>
        # Apache 2.4+
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Allow from all
    </IfModule>

    # Password file where users with access to these scripts are kept.
    # Although expected in $XYMONHOME/etc/ by the useradm and chpasswd
    # scripts, files here can be read with the "config" message type,
    # which allows status-privileged clients to read arbitrary regular files
    # from the directory.
    #
    # This file should be owned and readable only by the apache server user,
    # and ideally merely a symlink to a location outside of $XYMONHOME/etc/
    #
    # Create it with:
    #         htpasswd -c /opt/app/workload/bbapp/bb/server/etc/xymonpasswd USERNAME
    #         chown apache:apache /opt/app/workload/bbapp/bb/server/etc/xymonpasswd
    #         chmod 640 /opt/app/workload/bbapp/bb/server/etc/xymonpasswd
    # Add more users / change passwords with: "htpasswd /opt/app/workload/bbapp/bb/server/etc/xymonpasswd USERNAME"
    #
    # You can also use a group file to restrict admin access to members of a
    # group, instead of anyone who is logged in. In that case you must setup
    # the "xymongroups" file, and change the "Require" settings to require
    # a specific group membership. See the Apache docs for more details.

    AuthUserFile /opt/app/workload/bbapp/bb/server/etc/xymonpasswd
    AuthGroupFile /opt/app/workload/bbapp/bb/server/etc/xymongroups
    AuthType Basic
    AuthName "Xymon Administration"

    # "valid-user" restricts access to anyone who is logged in.
        Require valid-user

    # "group admins" restricts access to users who have logged in, AND
    # are members of the "admins" group in xymongroups.
    # Require group admins

</Directory>


I also enabled the following modules.
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule filter_module modules/mod_filter.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgid_module modules/mod_cgid.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20181018/e54e36db/attachment.html>


More information about the Xymon mailing list