Directory access on Apache2

[vr]
Posts: 13
Joined: Wed Dec 30, 2009 8:40 am
Location: Saginaw, MI

#1 Post by [vr] » Thu Jan 07, 2010 10:33 am

I'm using the official cacti.net source on Debian Lenny with Apache2. After extracting Cacti into /var/www/cacti-0.8.7e, merging in the plugin-2.5 files and browsing http://mycactihost/cacti-0.8.7e, I'm finding I can manually browse these other directories:

/docs
/images
/include
/lib
/resource
/rra
/scripts

I have not found anything in the /docs/html Cacti Manual yet that covers this. Exploring the /include folder; should admins be concerned about how the accessibility of these directories is left by the official install?

TheWitness
Developer
Posts: 14817
Joined: Tue May 14, 2002 5:08 pm
Location: MI, USA

#2 Post by TheWitness » Sat Jan 09, 2010 12:41 pm

You need to do three things:

1) create .htaccess files for these directories
2) ensure that the Apache configuration respects .htaccess files
3) restart Apache.

You can also perform those restrictions in your Apache configuration file. We have done this for a few customers to prevent directory traversing by any process other than a root directory PHP script to reduce the potential of exploits.

However, you have to be more careful with plugins.

TheWitness
True understanding begins only when we realize how little we truly understand...

Life is an adventure, let yours begin with Cacti!

Author of MacTrack, Boost, CLog, SpikeKill, Platform RTM, DSStats, maintainer of Spine, lots of unpublished work and most of Cacti's bugs.


I'm still out there people. Getting excited for Cacti 1.2. I think it will be a great release.
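
The three steps from reply #2, as an added shell example that is not part of the original thread and is not Cacti project code. The function names, the config file path and the choice of `lib rra scripts` are assumptions; directories the browser must fetch files from directly (images, for instance) cannot be denied this way.

```shell
#!/bin/sh
# Added example, not Cacti project code. Apache 2.2 syntax (Debian Lenny era);
# Apache 2.4 replaces Order/Deny with "Require all denied".

# Step 1: write a deny-all .htaccess into each named subdirectory of $1.
# An existing .htaccess is never overwritten. Prints every file it creates.
protect_dirs() {
    root=$1
    shift
    for d in "$@"; do
        target="$root/$d"
        if [ ! -d "$target" ]; then
            echo "skip, not a directory: $target" >&2
            continue
        fi
        if [ -e "$target/.htaccess" ]; then
            continue
        fi
        printf 'Order allow,deny\nDeny from all\n' > "$target/.htaccess"
        echo "$target/.htaccess"
    done
}

# Step 2: list "AllowOverride None" lines in an Apache config file.
# Under that setting Apache ignores .htaccess; Order/Deny need at least
# "AllowOverride Limit". Exit status 0 means such a line was found.
find_override_none() {
    grep -inE '^[[:space:]]*AllowOverride[[:space:]]+None([[:space:]]|$)' "$1"
}

# Typical run (paths are assumptions; the directory choice is the admin's):
#   protect_dirs /var/www/cacti-0.8.7e lib rra scripts
#   find_override_none /etc/apache2/sites-available/default
# Step 3, after fixing AllowOverride:
#   apache2ctl configtest && /etc/init.d/apache2 restart
```

After the restart, requesting one of the protected directories in a browser should return 403 Forbidden; a directory listing or file contents means the `.htaccess` file is still being ignored.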
