[cacti] tweak mod_security rules

Ken Dreyer ktdreyer at fedoraproject.org
Mon Dec 12 18:45:15 UTC 2011


commit 0132c8f8b09782a02a8bc364ed76a8c9623b07f0
Author: Ken Dreyer <ktdreyer at ktdreyer.com>
Date:   Mon Dec 12 11:39:07 2011 -0700

    tweak mod_security rules
    
    Unfortunately, when Apache includes conf.d/*, the "c" in cacti.conf
    comes before "m" in mod_security.conf. This means we can't use the
    IfModule directive here to detect the installation of mod_security.
    
    Remove the IfModule section, and just provide instructions to users.
    Users will have to manually un-comment the two mod_security overrides.
    (Better than nothing.)

 cacti-httpd.conf    |   17 +++++++++--------
 cacti.README.Fedora |    3 +++
 2 files changed, 12 insertions(+), 8 deletions(-)
---
diff --git a/cacti-httpd.conf b/cacti-httpd.conf
index 4d4c26b..e888f31 100644
--- a/cacti-httpd.conf
+++ b/cacti-httpd.conf
@@ -11,14 +11,15 @@ Alias /cacti    /usr/share/cacti
 	Order Deny,Allow
 	Deny from all
 	Allow from 127.0.0.1
-	
-	# mod_security overrides
-	<IfModule security2_module>
-		# allow POST of application/x-www-form-urlencoded during install
-		SecRuleRemoveById 960010
-		# permit the specification of the rrdtool paths during install
-		SecRuleRemoveById 900011
-	</IfModule>
+</Directory>
+
+<Directory /usr/share/cacti/install>
+	# mod_security overrides.
+	# Uncomment these if you use mod_security.
+	# allow POST of application/x-www-form-urlencoded during install
+	#SecRuleRemoveById 960010
+	# permit the specification of the rrdtool paths during install
+	#SecRuleRemoveById 900011
 </Directory>
 
 
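Review bot: In the new `<Directory /usr/share/cacti/install>` block, the comments describe both overrides as needed "during install", but nothing tells the user to comment the two `SecRuleRemoveById` lines out again once installation is finished. Anyone who follows the instructions leaves rules 960010 and 900011 disabled for that path indefinitely. Suggest extending the instruction line, for example `# Uncomment these if you use mod_security, and re-comment them once the install is complete.` It would also help to name the rule set these ids belong to, since the ids alone do not tell an admin which protection is being switched off. Moving the overrides out of the preceding Directory block and scoping them to the install directory is a good narrowing.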
diff --git a/cacti.README.Fedora b/cacti.README.Fedora
index acb284b..2506536 100644
--- a/cacti.README.Fedora
+++ b/cacti.README.Fedora
@@ -8,6 +8,9 @@ For more information about setting up the database please read:
 
 docs/INSTALL
 
+Cacti's install procedure is not fully compatible with mod_security. If you use
+mod_security, please uncomment the SecRuleRemoveById lines in
+/etc/http/conf.d/cacti.conf.
 
 As of Feb. 6, 2006 Cacti does not work correctly with SELinux.  This will
 change in the future.  If you're having issues getting Cacti to work properly
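Review bot: The path in the added README text reads `/etc/http/conf.d/cacti.conf`; Apache's configuration directory on Fedora is /etc/httpd, so this looks like a typo for `/etc/httpd/conf.d/cacti.conf`. Since the user is now editing the file by hand, the text should also say that httpd has to be reloaded for the change to take effect. It should add that the overrides are only needed for the install procedure, so that they can be commented out again afterwards.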

