Mythweb is installed by default with no security whatsoever to make sure that the person accessing it is actually supposed to be able to alter the Myth settings on the computer. This is a problem if the web server is accessible to the outside world, as it logically would be for this application.

Reproducible: Always

Steps to Reproduce:
1. Emerge mythweb
2. Visit mythweb - no authentication required

Actual Results:
Able to access and change MythTV settings, including deleting or starting recordings.

Expected Results:
Prompt for a password to deny access to potentially malicious users.

Possibly set up htpasswd authentication during installation, which would require uncommenting the appropriate lines in the mythweb .htaccess file and running htpasswd or htpasswd2 to set up a new user, interactively if possible. At the very least there should be an einfo message at the end of the ebuild to warn people that they are unprotected and possibly even explain how to fix the problem.
Unless the server is enabled by default (which it shouldn't be), this is just something that should be tweaked by the package maintainer (if they wish to) rather than a 'real' security concern.
I wasn't sure whether this should go under security or not, so I apologize if it's in the wrong place. However, the package basically requires that the server be active for it to function so I do still see that as a security concern. Maybe the best that can be done is a message telling the user that it's not secure by default - which would just be a package maintainer issue as you said - but _something_ definitely should be done.
Doug please advise.
Isn't this like every other www-apps package? Like PhpMyAdmin? It's just on the web server.... What exactly do you suggest we do to remove this "security" flaw?
Created attachment 63827: Altered to display message explaining how to add authentication to mythweb
I would say it's different because PHPMyAdmin requires authentication in its default configuration, or at least it did for me. The only way around it - sort of - is to leave all the mysql users without passwords, and even then you have to authenticate, just without a password. Plus you'd have to ignore the strong suggestion in the mysql ebuild to set a root password. I think something similar would be appropriate here. I've attached an altered postinstall-en.txt that shows about what I'd like to see at the very least. In a perfect world I'd prefer to see something like this added to the ebuild too:

pkg_postinst() {
	einfo "Please set a password for access to MythWeb"
	htpasswd2 -c /var/www/localhost/.htpasswd mythweb
}

I don't know if that's acceptable though. At least a default username and password could be set so the user doesn't have to give any sort of input during install. Not much better than no authentication at all I guess, but it's something. Apache 1.3 users wouldn't have htpasswd2 either, so the example above is too simplistic, but essentially that's my suggestion. I'm afraid I couldn't test it to make sure it worked because in messing around with the ebuild I somehow broke the install so the files didn't end up in the web server directory. Probably because I don't understand all the webapp stuff. Anyway, you asked for my suggestion, and there it is. :-)
Doug any news on this one or should I remove security from the bug?
Doug any news on this one?
No, because this is a pointless bug. You're required to configure your .htaccess file to make mythweb work. If you configure your web app to work and then leave it on an exposed web server... well, that's your fault. There's info in there on how to set up protection. Copy and paste from the top of the file...

# I *strongly* urge you to turn on authentication for MythWeb. It is disabled
# by default because it requires you to set up your own password file. Please
# see the man page for htdigest and then configure the folowing four directives
# to suit your authentication needs.
#
#   AuthType Digest
#   AuthName "MythTV"
#   AuthDigestFile /var/www/htdigest
#   Require valid-user

If you don't follow instructions... well... stupidity is punishable.
I apologize for continuing to argue this, but I was _not_ required to configure .htaccess to get MythWeb working, nor was there anything to indicate to me that I should look at that file at all, at least until I realized that I needed some sort of authentication and found out about it elsewhere.
(In reply to comment #10)
> I apologize for continuing to argue this, but I was _not_ required to configure
> .htaccess to get MythWeb working, nor was there anything to indicate to me that
> I should look at that file at all, at least until I realized that I needed some
> sort of authentication and found out about it elsewhere.

I agree that an einfo would be appropriate here, especially when re-emerging over an existing installation (which resets security). One thing I did to help me remember to re-enable security is to add CONFIG_PROTECT="/var/www/localhost/htdocs" to /etc/make.conf (I'm not using vhost), and when I recently updated to mythweb-0.20 it caught the config differences and prompted me to run dispatch-conf (or etc-update).
Doug should this be closed as invalid or fixed?
This looks good to me - Cardoe, can we close this? Thanks!

from /usr/portage/www-apps/mythweb/files/postinstall-en-0.20.txt:

You should modify ${MY_INSTALLDIR}/.htaccess to fit your needs.

****************************************************
In order to prevent unauthorized access to your Myth installation, MythWeb has
been installed requiring authentication by default but with no valid users.
You can add users by using these instructions:

Run htpasswd2 as follows to set your username and password.
# htpasswd2 -c ${MY_INSTALLDIR}/.htpasswd <username>

If you already have an .htpasswd file you'd like to use, copy it to ${MY_INSTALLDIR}
*****************************************************
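The thread's two configurations (the stock .htaccess from comment 10 with the auth directives commented out, and the postinstall text above that turns htpasswd authentication on) differ only in whether those directives are live and whether the password file they point at exists. The script below is an added example, not code from the bug, the mythweb ebuild or the postinstall file: it audits an .htaccess for an uncommented AuthType and Require directive plus a non-empty AuthUserFile/AuthDigestFile, and checks that the password file is not world-readable. The directories, the sample .htaccess contents and the .htpasswd line are constructed for the demo and do not reflect the real install location.

```shell
#!/bin/sh
# Added example (not from the bug thread or the mythweb ebuild): audit whether a
# MythWeb-style .htaccess really turns authentication on, and whether the
# password file it names exists and is not world-readable. Paths and the
# .htpasswd content below are constructed for the demo.

# Return 0 if $1 has an uncommented AuthType and Require directive and names a
# non-empty password file via AuthUserFile (basic) or AuthDigestFile (digest).
htaccess_auth_enabled() {
    f="$1"
    [ -r "$f" ] || return 1
    # Drop comment lines: the stock file ships the directives commented out,
    # so a naive grep for "AuthType" would report the default as protected.
    active=$(grep -v '^[[:space:]]*#' "$f")
    printf '%s\n' "$active" | grep -qi '^[[:space:]]*AuthType[[:space:]]' || return 1
    printf '%s\n' "$active" | grep -qi '^[[:space:]]*Require[[:space:]]' || return 1
    pwfile=$(printf '%s\n' "$active" \
        | awk 'tolower($1)=="authuserfile" || tolower($1)=="authdigestfile" {print $2; exit}')
    pwfile=${pwfile#\"}; pwfile=${pwfile%\"}
    # "Requiring authentication by default but with no valid users" is the
    # postinstall's state: directives on, but no usable password file yet.
    [ -n "$pwfile" ] && [ -s "$pwfile" ]
}

# Return 0 if the file $1 is readable by "other" (column 8 of ls -l).
pwfile_world_readable() {
    [ -e "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

DEMO=$(mktemp -d)
DEMO_DEFAULT="$DEMO/default/.htaccess"
DEMO_HARDENED="$DEMO/hardened/.htaccess"
DEMO_PWFILE="$DEMO/hardened/.htpasswd"
mkdir -p "$DEMO/default" "$DEMO/hardened"

# 1. Constructed copy of the shipped layout: directives present but commented.
cat > "$DEMO_DEFAULT" <<'EOF'
# I *strongly* urge you to turn on authentication for MythWeb.
#   AuthType Digest
#   AuthName "MythTV"
#   AuthDigestFile /var/www/htdigest
#   Require valid-user
EOF

# 2. Constructed hardened layout: basic auth backed by an htpasswd file.
#    The hash below is a placeholder, not output of htpasswd2.
cat > "$DEMO_PWFILE" <<'EOF'
mythweb:$apr1$CONSTRUCTED$notarealhash0000000000
EOF
chmod 640 "$DEMO_PWFILE"
cat > "$DEMO_HARDENED" <<EOF
AuthType Basic
AuthName "MythTV"
AuthUserFile "$DEMO_PWFILE"
Require valid-user
EOF

for h in "$DEMO_DEFAULT" "$DEMO_HARDENED"; do
    if htaccess_auth_enabled "$h"; then
        echo "OK   $h: authentication enabled"
    else
        echo "WARN $h: no working authentication, MythWeb would be exposed"
    fi
done
if pwfile_world_readable "$DEMO_PWFILE"; then
    echo "WARN $DEMO_PWFILE is world-readable"
fi
```

Run it against a real install by calling `htaccess_auth_enabled` on the deployed .htaccess instead of the constructed files; it also catches the re-emerge case from comment 11, where a refreshed .htaccess silently comments the directives back out.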
That takes care of my original concern. Thanks to whoever made the change.
I committed that a while back. I was going to try to change some things around to auto add a user with a random password but I never did. If everyone's happy then I'm happy.