/* ** Copyright (c) 2017 D. Richard Hipp ** ** This program is free software; you can redistribute it and/or ** modify it under the terms of the Simplified BSD License (also ** known as the "2-Clause License" or "FreeBSD License".) ** This program is distributed in the hope that it will be useful, ** but without any warranty; without even the implied warranty of ** merchantability or fitness for a particular purpose. ** ** Author contact information: ** drh@hwaci.com ** http://www.hwaci.com/drh/ ** ******************************************************************************* ** ** This file implements various web pages use for running a security audit ** of a Fossil configuration. */ #include "config.h" #include #include "security_audit.h" /* ** Return TRUE if any of the capability letters in zTest are found ** in the capability string zCap. */ static int hasAnyCap(const char *zCap, const char *zTest){ while( zTest[0] ){ if( strchr(zCap, zTest[0]) ) return 1; zTest++; } return 0; } /* ** WEBPAGE: secaudit0 ** ** Run a security audit of the current Fossil setup. ** This page requires administrator access */ void secaudit0_page(void){ const char *zAnonCap; /* Capabilities of user "anonymous" and "nobody" */ const char *zPubPages; /* GLOB pattern for public pages */ const char *zSelfCap; /* Capabilities of self-registered users */ char *z; int n; login_check_credentials(); if( !g.perm.Admin ){ login_needed(0); return; } style_header("Security Audit"); @
    /* Step 1: Determine if the repository is public or private. "Public" ** means that any anonymous user on the internet can access all content. ** "Private" repos require (non-anonymous) login to access all content, ** though some content may be accessible anonymously. */ zAnonCap = db_text("", "SELECT fullcap(NULL)"); zPubPages = db_get("public-pages",0); if( db_get_boolean("self-register",0) ){ CapabilityString *pCap; pCap = capability_add(0, db_get("default-perms","")); capability_expand(pCap); zSelfCap = capability_string(pCap); capability_free(pCap); }else{ zSelfCap = fossil_strdup(""); } if( hasAnyCap(zAnonCap,"as") ){ @

  1. This repository is Wildly INSECURE because @ it grants administrator privileges to anonymous users. You @ should take this repository private @ immediately! Or, at least remove the Setup and Admin privileges @ for users "anonymous" and "login" on the @ User Configuration page. }else if( hasAnyCap(zSelfCap,"as") ){ @

  2. This repository is Wildly INSECURE because @ it grants administrator privileges to self-registered users. You @ should take this repository private @ and/or disable self-registration @ immediately! Or, at least remove the Setup and Admin privileges @ from the default permissions for new users. }else if( hasAnyCap(zAnonCap,"y") ){ @

  3. This repository is INSECURE because @ it allows anonymous users to push unversioned files. @

    Fix this by taking the repository private @ or by removing the "y" permission from users "anonymous" and @ "nobody" on the User Configuration page. }else if( hasAnyCap(zSelfCap,"y") ){ @

  4. This repository is INSECURE because @ it allows self-registered users to push unversioned files. @

    Fix this by taking the repository private @ or by removing the "y" permission from the default permissions or @ by disabling self-registration. }else if( hasAnyCap(zAnonCap,"goz") ){ @

  5. This repository is PUBLIC. All @ checked-in content can be accessed by anonymous users. @ Take it private.

    }else if( hasAnyCap(zSelfCap,"goz") ){ @

  6. This repository is PUBLIC because all @ checked-in content can be accessed by self-registered users. @ This repostory would be private if you disabled self-registration.

    }else if( !hasAnyCap(zAnonCap, "jrwy234567") && !hasAnyCap(zSelfCap, "jrwy234567") && (zPubPages==0 || zPubPages[0]==0) ){ @

  7. This repository is Completely PRIVATE. @ A valid login and password is required to access any content. }else{ @

  8. This repository is Mostly PRIVATE. @ A valid login and password is usually required, however some @ content can be accessed either anonymously or by self-registered @ users: @

      if( hasAnyCap(zAnonCap,"j") || hasAnyCap(zSelfCap,"j") ){ @
    • Wiki pages } if( hasAnyCap(zAnonCap,"r") || hasAnyCap(zSelfCap,"r") ){ @
    • Tickets } if( hasAnyCap(zAnonCap,"234567") || hasAnyCap(zSelfCap,"234567") ){ @
    • Forum posts } if( zPubPages && zPubPages[0] ){ Glob *pGlob = glob_create(zPubPages); int i; @
    • URLs that match any of these GLOB patterns: @
        for(i=0; inPattern; i++){ @
      • %h(pGlob->azPattern[i]) } @
      } @
    if( zPubPages && zPubPages[0] ){ @

    Change GLOB patterns exceptions using the "Public pages" setting @ on the Access Settings page.

    } } /* Make sure the HTTPS is required for login, at least, so that the ** password does not go across the Internet in the clear. */ if( db_get_int("redirect-to-https",0)==0 ){ @

  9. WARNING: @ Sensitive material such as login passwords can be sent over an @ unencrypted connection. @

    Fix this by changing the "Redirect to HTTPS" setting on the @ Access Control page. If you were using @ the old "Redirect to HTTPS on Login Page" setting, switch to the @ new setting: it has a more secure implementation. } /* Anonymous users should not be able to harvest email addresses ** from tickets. */ if( hasAnyCap(zAnonCap, "e") ){ @

  10. WARNING: @ Anonymous users can view email addresses and other personally @ identifiable information on tickets. @

    Fix this by removing the "Email" privilege @ (capability "e") from users @ "anonymous" and "nobody" on the @ User Configuration page. } /* Anonymous users probably should not be allowed to push content ** to the repository. */ if( hasAnyCap(zAnonCap, "i") ){ @

  11. WARNING: @ Anonymous users can push new check-ins into the repository. @

    Fix this by removing the "Check-in" privilege @ (capability "i") from users @ "anonymous" and "nobody" on the @ User Configuration page. } /* Anonymous users probably should not be allowed act as moderators ** for wiki or tickets. */ if( hasAnyCap(zAnonCap, "lq5") ){ @

  12. WARNING: @ Anonymous users can act as moderators for wiki, tickets, or @ forum posts. This defeats the whole purpose of moderation. @

    Fix this by removing the "Mod-Wiki", "Mod-Tkt", and "Mod-Forum" @ privileges (capabilities "fq5") @ from users "anonymous" and "nobody" @ on the User Configuration page. } /* Anonymous users probably should not be allowed to delete ** wiki or tickets. */ if( hasAnyCap(zAnonCap, "d") ){ @

  13. WARNING: @ Anonymous users can delete wiki and tickets. @

    Fix this by removing the "Delete" @ privilege from users "anonymous" and "nobody" on the @ User Configuration page. } /* If anonymous users are allowed to create new Wiki, then ** wiki moderation should be activated to pervent spam. */ if( hasAnyCap(zAnonCap, "fk") ){ if( db_get_boolean("modreq-wiki",0)==0 ){ @

  14. WARNING: @ Anonymous users can create or edit wiki without moderation. @ This can result in robots inserting lots of wiki spam into @ repository. @ Fix this by removing the "New-Wiki" and "Write-Wiki" @ privileges from users "anonymous" and "nobody" on the @ User Configuration page or @ by enabling wiki moderation on the @ Moderation Setup page. }else{ @

  15. @ Anonymous users can create or edit wiki, but moderator @ approval is required before the edits become permanent. } } /* Anonymous users should not be able to create trusted forum ** posts. */ if( hasAnyCap(zAnonCap, "456") ){ @

  16. WARNING: @ Anonymous users can create forum posts that are @ accepted into the permanent record without moderation. @ This can result in robots generating spam on forum posts. @ Fix this by removing the "WriteTrusted-Forum" privilege @ (capabilities "456") from @ users "anonymous" and "nobody" on the @ User Configuration page or } /* Anonymous users should not be able to send announcements. */ if( hasAnyCap(zAnonCap, "A") ){ @

  17. WARNING: @ Anonymous users can send announcements to anybody who is signed @ up to receive announcements. This can result in spam. @ Fix this by removing the "Announce" privilege @ (capability "A") from @ users "anonymous" and "nobody" on the @ User Configuration page or } /* Administrative privilege should only be provided to ** specific individuals, not to entire classes of people. ** And not too many people should have administrator privilege. */ z = db_text(0, "SELECT group_concat(" "printf('%%s',uid,login)," "' and ')" " FROM user" " WHERE cap GLOB '*[as]*'" " AND login in ('anonymous','nobody','reader','developer')" ); if( z && z[0] ){ @

  18. WARNING: @ Administrative privilege ('a' or 's') @ is granted to an entire class of users: %s(z). @ Administrative privilege should only be @ granted to specific individuals. } n = db_int(0,"SELECT count(*) FROM user WHERE fullcap(cap) GLOB '*[as]*'"); if( n==0 ){ @

  19. @ No users have administrator privilege. }else{ z = db_text(0, "SELECT group_concat(" "printf('%%s',uid,login)," "', ')" " FROM user" " WHERE fullcap(cap) GLOB '*[as]*'" ); @

  20. @ Users with administrator privilege are: %s(z) fossil_free(z); if( n>3 ){ @

  21. WARNING: @ Administrator privilege is granted to @ %d(n) users. @ Ideally, administrator privilege ('s' or 'a') should only @ be granted to one or two users. } } /* The push-unversioned privilege should only be provided to ** specific individuals, not to entire classes of people. ** And no too many people should have this privilege. */ z = db_text(0, "SELECT group_concat(" "printf('%%s',uid,login)," "' and ')" " FROM user" " WHERE cap GLOB '*y*'" " AND login in ('anonymous','nobody','reader','developer')" ); if( z && z[0] ){ @

  22. WARNING: @ The "Write-Unver" privilege is granted to an entire class of users: %s(z). @ The Write-Unver privilege should only be granted to specific individuals. fossil_free(z); } n = db_int(0,"SELECT count(*) FROM user WHERE cap GLOB '*y*'"); if( n>0 ){ z = db_text(0, "SELECT group_concat(" "printf('%%s',uid,login),', ')" " FROM user WHERE fullcap(cap) GLOB '*y*'" ); @

  23. @ Users with "Write-Unver" privilege: %s(z) fossil_free(z); if( n>3 ){ @

    Caution: @ The "Write-Unver" privilege ('y') is granted to an excessive @ number of users (%d(n)). @ Ideally, the Write-Unver privilege should only @ be granted to one or two users. } } /* Notify if REMOTE_USER or HTTP_AUTHENTICATION is used for login. */ if( db_get_boolean("remote_user_ok", 0) ){ @

  24. @ This repository trusts that the REMOTE_USER environment variable set @ up by the webserver contains the name of an authenticated user. @ Fossil's built-in authentication mechanism is bypassed. @

    Fix this by deactivating the "Allow REMOTE_USER authentication" @ checkbox on the Access Control page. } if( db_get_boolean("http_authentication_ok", 0) ){ @

  25. @ This repository trusts that the HTTP_AUTHENITICATION environment @ variable set up by the webserver contains the name of an @ authenticated user. @ Fossil's built-in authentication mechanism is bypassed. @

    Fix this by deactivating the "Allow HTTP_AUTHENTICATION authentication" @ checkbox on the Access Control page. } /* Logging should be turned on */ if( db_get_boolean("access-log",0)==0 ){ @

  26. @ The User Log is disabled. The user log @ keeps a record of successful and unsucessful login attempts and is @ useful for security monitoring. } if( db_get_boolean("admin-log",0)==0 ){ @

  27. @ The Administrative Log is disabled. @ The administrative log provides a record of configuration changes @ and is useful for security monitoring. } #if !defined(_WIN32) && !defined(FOSSIL_OMIT_LOAD_AVERAGE) /* Make sure that the load-average limiter is armed and working */ if( load_average()==0.0 ){ @

  28. @ Unable to get the system load average. This can prevent Fossil @ from throttling expensive operations during peak demand. @

    If running in a chroot jail on Linux, verify that the /proc @ filesystem is mounted within the jail, so that the load average @ can be obtained from the /proc/loadavg file. }else { double r = atof(db_get("max-loadavg", "0")); if( r<=0.0 ){ @

  29. @ Load average limiting is turned off. This can cause the server @ to bog down if many requests for expensive services (such as @ large diffs or tarballs) arrive at about the same time. @

    To fix this, set the "Server Load Average Limit" on the @ Access Control page to approximately @ the number of available cores on your server, or maybe just a little @ less. }else if( r>=8.0 ){ @

  30. @ The "Server Load Average Limit" on the @ Access Control page is set to %g(r), @ which seems high. Is this server really a %d((int)r)-core machine? } } #endif if( g.zErrlog==0 || fossil_strcmp(g.zErrlog,"-")==0 ){ @

  31. @ The server error log is disabled. @ To set up an error log: @

      @
    • If running from CGI, make an entry "errorlog: FILENAME" @ in the CGI script. @
    • If running the "fossil server" or "fossil http" commands, @ add the "--errorlog FILENAME" command-line option. @
    }else{ FILE *pTest = fossil_fopen(g.zErrlog,"a"); if( pTest==0 ){ @

  32. @ Error: @ There is an error log at "%h(g.zErrlog)" but that file is not @ writable and so no logging will occur. }else{ fclose(pTest); @

  33. @ The error log at "%h(g.zErrlog)" that is @ %,lld(file_size(g.zErrlog, ExtFILE)) bytes in size. } } @

  34. User capability summary: capability_summary(); if( alert_enabled() ){ @

  35. Email alert configuration summary: @ stats_for_email(); @
    }else{ @

  36. Email alerts are disabled } @

style_footer(); } /* ** WEBPAGE: takeitprivate ** ** Disable anonymous access to this website */ void takeitprivate_page(void){ login_check_credentials(); if( !g.perm.Admin ){ login_needed(0); return; } if( P("cancel") ){ /* User pressed the cancel button. Go back */ cgi_redirect("secaudit0"); } if( P("apply") ){ db_multi_exec( "UPDATE user SET cap=''" " WHERE login IN ('nobody','anonymous');" "DELETE FROM config WHERE name='public-pages';" ); db_set("self-register","0",0); cgi_redirect("secaudit0"); } style_header("Make This Website Private"); @

Click the "Make It Private" button below to disable all @ anonymous access to this repository. A valid login and password @ will be required to access this repository after clicking that @ button.

@ @

Click the "Cancel" button to leave things as they are.

@ @
@ @ @
style_footer(); } /* ** The maximum number of bytes of log to show */ #define MXSHOWLOG 50000 /* ** WEBPAGE: errorlog ** ** Show the content of the error log. Only the administrator can view ** this page. */ void errorlog_page(void){ i64 szFile; FILE *in; char z[10000]; login_check_credentials(); if( !g.perm.Admin ){ login_needed(0); return; } style_header("Server Error Log"); style_submenu_element("Test", "%R/test-warning"); style_submenu_element("Refresh", "%R/errorlog"); if( g.zErrlog==0 || fossil_strcmp(g.zErrlog,"-")==0 ){ @

To create a server error log: @

    @

  1. @ If the server is running as CGI, then create a line in the CGI file @ like this: @ 

        @ errorlog: FILENAME
    @
    @

  2. @ If the server is running using one of @ the "fossil http" or "fossil server" commands then add @ a command-line option "--errorlog FILENAME" to that @ command. @

style_footer(); return; } if( P("truncate1") && cgi_csrf_safe(1) ){ fclose(fopen(g.zErrlog,"w")); } if( P("download") ){ Blob log; blob_read_from_file(&log, g.zErrlog, ExtFILE); cgi_set_content_type("text/plain"); cgi_set_content(&log); return; } szFile = file_size(g.zErrlog, ExtFILE); if( P("truncate") ){ @
@

Confirm that you want to truncate the %,lld(szFile)-byte error log: @ @ @

style_footer(); return; } @

The server error log at "%h(g.zErrlog)" is %,lld(szFile) bytes in size. style_submenu_element("Download", "%R/errorlog?download"); style_submenu_element("Truncate", "%R/errorlog?truncate"); in = fossil_fopen(g.zErrlog, "rb"); if( in==0 ){ @

Unable top open that file for reading!

style_footer(); return; } if( szFile>MXSHOWLOG && P("all")==0 ){ @
@

Only the last %,d(MXSHOWLOG) bytes are shown. @ @

fseek(in, -MXSHOWLOG, SEEK_END); } @
@ 
  while( fgets(z, sizeof(z), in) ){
    @ %h(z)\
  }
  fclose(in);
  @
style_footer(); }