[Secure-testing-team] Bug#561477: [security] must not RE-add /etc/apache2/conf.d/cacti.conf link on upgrade
Teodor
mteodor at gmail.com
Thu Dec 17 14:13:36 UTC 2009
Package: cacti
Version: 0.8.7e-1.1
Severity: grave
Tags: security
Justification: user security hole
I've noticed in the past that cacti RE-adds the symbolic link conf.d/cacti.conf
on every upgrade even if the source file was *manually* removed by the sysadmin.
This is done to restrict the access to 'cacti' on each virtual web site (the
default behaviour in Debian).
The first problem is that it creates access to restricted data (for those that
kept the /etc/cacti/apache.conf configuration file).
The second problem is that 'apache2' fails to start at boot for the same reason; it also
fails to reload on cacti postinstall:
| Not replacing deleted config file /etc/cacti/apache.conf
| apache2: Syntax error on line 278 of /etc/apache2/apache2.conf: Could not
| open configuration file /etc/apache2/conf.d/cacti.conf: No such file or
| directory
| failed!
| invoke-rc.d: initscript apache2, action "reload" failed.
As can be seen, postinstall already has a check for the existence of the config
file /etc/cacti/apache.conf. Please add the same check for creating the symlink.
Thanks
-- System Information:
Debian Release: 5.0.3
APT prefers stable
APT policy: (990, 'stable'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages cacti depends on:
ii apache2 2.2.9-10+lenny6 Apache HTTP Server metapackage
ii apache2-mpm-prefor 2.2.9-10+lenny6 Apache HTTP Server - traditional n
ii dbconfig-common 1.8.39 common framework for packaging dat
ii debconf [debconf-2 1.5.24 Debian configuration management sy
ii libapache2-mod-php 5.2.6.dfsg.1-1+lenny4 server-side, HTML-embedded scripti
ii libphp-adodb 5.05-1 The ADOdb database abstraction lay
ii mysql-client-5.0 [ 5.0.51a-24+lenny2 MySQL database client binaries
ii php5 5.2.6.dfsg.1-1+lenny4 server-side, HTML-embedded scripti
ii php5-cli 5.2.6.dfsg.1-1+lenny4 command-line interpreter for the p
ii php5-mysql 5.2.6.dfsg.1-1+lenny4 MySQL module for php5
ii php5-snmp 5.2.6.dfsg.1-1+lenny4 SNMP module for php5
ii rrdtool 1.3.1-4 Time-series data storage and displ
ii snmp 5.4.1~dfsg-12 SNMP (Simple Network Management Pr
ii ucf 3.0016 Update Configuration File: preserv
Versions of packages cacti recommends:
ii iputils-ping 3:20071127-1 Tools to test the reachability of
ii logrotate 3.7.1-5 Log rotation utility
ii mysql-server 5.0.51a-24+lenny2 MySQL database server (metapackage
ii mysql-server-5.0 [mysq 5.0.51a-24+lenny2 MySQL database server binaries
Versions of packages cacti suggests:
pn php5-ldap <none> (no description available)
-- debconf information:
cacti/db/app-user: cacti
cacti/mysql/admin-user: root
cacti/upgrade-backup: true
cacti/install-error: abort
* cacti/webserver: Apache2
cacti/internal/reconfiguring: false
cacti/mysql/method: unix socket
cacti/remote/host:
cacti/upgrade-error: abort
cacti/dbconfig-upgrade: true
cacti/internal/skip-preseed: false
cacti/remote/newhost:
cacti/purge: false
cacti/passwords-do-not-match:
cacti/dbconfig-remove:
* cacti/dbconfig-install: true
cacti/missing-db-package-error: abort
cacti/database-type: mysql
cacti/remove-error: abort
cacti/db/dbname: cacti
cacti/remote/port:
cacti/dbconfig-reinstall: false
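As an added example, and not the cacti package's own maintainer script, the following POSIX sh shows the guarded symlink step the report asks for: the conf.d link is (re)created only while the source file still exists, a stale link is removed rather than re-added when the sysadmin has deleted the source, and a small check lists dangling links in the conf.d directory, which is exactly the state that makes the apache2 reload in the report fail. The function names, and the scratch directory used by the demo in place of the real /etc paths, are assumptions.

```shell
#!/bin/sh
# Added example, not the cacti postinst itself: guard the conf.d symlink so an
# upgrade never re-creates it for a source file the admin removed on purpose.
set -eu

# link_cacti_conf SRC LINK
#   Create LINK -> SRC only when SRC exists.  If SRC is gone, delete a stale
#   LINK instead of re-adding it.  Prints one word describing what happened.
link_cacti_conf() {
    src="$1"
    link="$2"
    if [ -e "$src" ]; then
        # ln -sf is idempotent, so re-running this on every upgrade is harmless.
        ln -sf "$src" "$link"
        echo "linked"
    elif [ -L "$link" ]; then
        # The admin deleted the source deliberately: respect that decision.
        rm -f "$link"
        echo "removed stale link"
    else
        echo "skipped"
    fi
}

# dangling_links DIR
#   Print every symlink in DIR whose target no longer exists and return 1 if
#   any were found; apache2 refuses to (re)load while such a link is present.
dangling_links() {
    dir="$1"
    found=0
    for f in "$dir"/*; do
        [ -L "$f" ] || continue
        if [ ! -e "$f" ]; then
            echo "dangling: $f -> $(readlink "$f")"
            found=1
        fi
    done
    return $found
}

# Demo in a constructed scratch tree standing in for /etc/cacti and
# /etc/apache2/conf.d (hypothetical paths, not touching the real system).
demo() {
    tmp=$(mktemp -d)
    etc_cacti="$tmp/etc/cacti"
    confd="$tmp/etc/apache2/conf.d"
    mkdir -p "$etc_cacti" "$confd"
    echo "Alias /cacti /usr/share/cacti/site" > "$etc_cacti/apache.conf"

    # Fresh install: the source exists, so the link is created.
    link_cacti_conf "$etc_cacti/apache.conf" "$confd/cacti.conf"

    # The admin removes the source to keep cacti out of the default vhosts.
    rm "$etc_cacti/apache.conf"

    # Upgrade: the guarded step drops the stale link instead of re-adding it.
    link_cacti_conf "$etc_cacti/apache.conf" "$confd/cacti.conf"

    # Nothing should be dangling now, so apache2 can still reload.
    if dangling_links "$confd"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

demo
```

The same `dangling_links` check is useful on its own before `invoke-rc.d apache2 reload` in a maintainer script: if it reports anything, skip the reload (or run `apache2ctl configtest` first) rather than leaving the server in a state that will not come back at boot.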