Re: [ubuntu-mythtv] New install of .26 mythweb appears insecure with web access to DB username and password.
It looks to be a mythexport thing. I've asked the dev to look at it. Thanks, Thomas Mashos On Sun, May 5, 2013 at 1:18 PM, Chuck Peters wrote: > > I should also not when I enter the URL http://io/.mythtv/config.xml it > returns Forbidden You don't have permission to access /.mythtv/config.xml > on this server. > > So it wasn't as bad as I first thought, but I'm sure it could be done > better. > > Thanks, > Chuck > > > On Sun, May 5, 2013 at 3:33 PM, Chuck Peters wrote: > >> >> In /etc/apache2/sites-available/mythexport.conf it has: >> >> >> I suppose I should file a bug report... >> >> I'm starting to wonder if it might be easier to change the default web >> root to something else... Or maybe I should starting using kvm for any >> publicly available web stuff. >> >> Note to self, make sure the firewall blocks apache when I enable the IPv6 >> subnet! >> >> Thanks, >> Chuck >> >> >> On Sun, May 5, 2013 at 2:38 PM, Thomas Mashos wrote: >> >>> I don't have that on my 0.26 install. I wonder if that is something >>> mythexport does. >>> >>> >>> thomas@ares:~$ ls -la /var/www/ >>> total 12 >>> drwxr-xr-x 2 root root 4096 Feb 13 15:16 . >>> drwxr-xr-x 13 root root 4096 Apr 25 19:08 .. >>> -rw-r--r-- 1 root root 177 Feb 13 15:16 index.html >>> lrwxrwxrwx 1 root root 25 Feb 22 13:06 mythweb -> >>> /usr/share/mythtv/mythweb >>> >>> >>> Thanks, >>> >>> Thomas Mashos >>> >>> >>> On Sun, May 5, 2013 at 11:24 AM, Chuck Peters wrote: >>> This seems unwise... Why do we have a symlink to the db username and password in the web root? root@io:~# ls -la /var/www/ total 16 drwxr-xr-x 3 root root 4096 May 5 02:55 . drwxr-xr-x 14 root root 4096 May 5 04:07 .. -rw-r--r-- 1 root root 177 May 5 00:42 index.html lrwxrwxrwx 1 root root 28 May 5 02:55 mythexport -> /usr/share/mythtv/mythexport drwxr-xr-x 2 root root 4096 May 5 02:55 .mythtv lrwxrwxrwx 1 root root 25 May 4 21:34 mythweb -> /usr/share/mythtv/mythweb root@io:~# ls -l /var/www/.mythtv/ lrwxrwxrwx 1 root root 22 May 5 02:55 config.xml -> /etc/mythtv/config.xml root@io:~# ls -l /etc/mythtv/config.xml -rw-rw 1 www-data mythtv 452 May 5 05:21 /etc/mythtv/config.xml Although this is a new install, I was changing out the OS disk for the MythTV master backend and restored our very large DB. Thanks, Chuck -- Ubuntu-mythtv mailing list Ubuntu-mythtv@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-mythtv >>> >>> -- >>> Ubuntu-mythtv mailing list >>> Ubuntu-mythtv@lists.ubuntu.com >>> Modify settings or unsubscribe at: >>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-mythtv >>> >>> >> > > -- > Ubuntu-mythtv mailing list > Ubuntu-mythtv@lists.ubuntu.com > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/ubuntu-mythtv > > -- Ubuntu-mythtv mailing list Ubuntu-mythtv@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-mythtv
Re: [ubuntu-mythtv] New install of .26 mythweb appears insecure with web access to DB username and password.
I should also not when I enter the URL http://io/.mythtv/config.xml it returns Forbidden You don't have permission to access /.mythtv/config.xml on this server. So it wasn't as bad as I first thought, but I'm sure it could be done better. Thanks, Chuck On Sun, May 5, 2013 at 3:33 PM, Chuck Peters wrote: > > In /etc/apache2/sites-available/mythexport.conf it has: > > > I suppose I should file a bug report... > > I'm starting to wonder if it might be easier to change the default web > root to something else... Or maybe I should starting using kvm for any > publicly available web stuff. > > Note to self, make sure the firewall blocks apache when I enable the IPv6 > subnet! > > Thanks, > Chuck > > > On Sun, May 5, 2013 at 2:38 PM, Thomas Mashos wrote: > >> I don't have that on my 0.26 install. I wonder if that is something >> mythexport does. >> >> >> thomas@ares:~$ ls -la /var/www/ >> total 12 >> drwxr-xr-x 2 root root 4096 Feb 13 15:16 . >> drwxr-xr-x 13 root root 4096 Apr 25 19:08 .. >> -rw-r--r-- 1 root root 177 Feb 13 15:16 index.html >> lrwxrwxrwx 1 root root 25 Feb 22 13:06 mythweb -> >> /usr/share/mythtv/mythweb >> >> >> Thanks, >> >> Thomas Mashos >> >> >> On Sun, May 5, 2013 at 11:24 AM, Chuck Peters wrote: >> >>> >>> This seems unwise... >>> Why do we have a symlink to the db username and password in the web root? >>> >>> root@io:~# ls -la /var/www/ >>> total 16 >>> drwxr-xr-x 3 root root 4096 May 5 02:55 . >>> drwxr-xr-x 14 root root 4096 May 5 04:07 .. >>> -rw-r--r-- 1 root root 177 May 5 00:42 index.html >>> lrwxrwxrwx 1 root root 28 May 5 02:55 mythexport -> >>> /usr/share/mythtv/mythexport >>> drwxr-xr-x 2 root root 4096 May 5 02:55 .mythtv >>> lrwxrwxrwx 1 root root 25 May 4 21:34 mythweb -> >>> /usr/share/mythtv/mythweb >>> root@io:~# ls -l /var/www/.mythtv/ >>> lrwxrwxrwx 1 root root 22 May 5 02:55 config.xml -> >>> /etc/mythtv/config.xml >>> root@io:~# ls -l /etc/mythtv/config.xml >>> -rw-rw 1 www-data mythtv 452 May 5 05:21 /etc/mythtv/config.xml >>> >>> >>> Although this is a new install, I was changing out the OS disk for the >>> MythTV master backend and restored our very large DB. >>> >>> >>> Thanks, >>> Chuck >>> >>> -- >>> Ubuntu-mythtv mailing list >>> Ubuntu-mythtv@lists.ubuntu.com >>> Modify settings or unsubscribe at: >>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-mythtv >>> >>> >> >> -- >> Ubuntu-mythtv mailing list >> Ubuntu-mythtv@lists.ubuntu.com >> Modify settings or unsubscribe at: >> https://lists.ubuntu.com/mailman/listinfo/ubuntu-mythtv >> >> > -- Ubuntu-mythtv mailing list Ubuntu-mythtv@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-mythtv
Re: [ubuntu-mythtv] New install of .26 mythweb appears insecure with web access to DB username and password.
In /etc/apache2/sites-available/mythexport.conf it has: I suppose I should file a bug report... I'm starting to wonder if it might be easier to change the default web root to something else... Or maybe I should starting using kvm for any publicly available web stuff. Note to self, make sure the firewall blocks apache when I enable the IPv6 subnet! Thanks, Chuck On Sun, May 5, 2013 at 2:38 PM, Thomas Mashos wrote: > I don't have that on my 0.26 install. I wonder if that is something > mythexport does. > > > thomas@ares:~$ ls -la /var/www/ > total 12 > drwxr-xr-x 2 root root 4096 Feb 13 15:16 . > drwxr-xr-x 13 root root 4096 Apr 25 19:08 .. > -rw-r--r-- 1 root root 177 Feb 13 15:16 index.html > lrwxrwxrwx 1 root root 25 Feb 22 13:06 mythweb -> > /usr/share/mythtv/mythweb > > > Thanks, > > Thomas Mashos > > > On Sun, May 5, 2013 at 11:24 AM, Chuck Peters wrote: > >> >> This seems unwise... >> Why do we have a symlink to the db username and password in the web root? >> >> root@io:~# ls -la /var/www/ >> total 16 >> drwxr-xr-x 3 root root 4096 May 5 02:55 . >> drwxr-xr-x 14 root root 4096 May 5 04:07 .. >> -rw-r--r-- 1 root root 177 May 5 00:42 index.html >> lrwxrwxrwx 1 root root 28 May 5 02:55 mythexport -> >> /usr/share/mythtv/mythexport >> drwxr-xr-x 2 root root 4096 May 5 02:55 .mythtv >> lrwxrwxrwx 1 root root 25 May 4 21:34 mythweb -> >> /usr/share/mythtv/mythweb >> root@io:~# ls -l /var/www/.mythtv/ >> lrwxrwxrwx 1 root root 22 May 5 02:55 config.xml -> >> /etc/mythtv/config.xml >> root@io:~# ls -l /etc/mythtv/config.xml >> -rw-rw 1 www-data mythtv 452 May 5 05:21 /etc/mythtv/config.xml >> >> >> Although this is a new install, I was changing out the OS disk for the >> MythTV master backend and restored our very large DB. >> >> >> Thanks, >> Chuck >> >> -- >> Ubuntu-mythtv mailing list >> Ubuntu-mythtv@lists.ubuntu.com >> Modify settings or unsubscribe at: >> https://lists.ubuntu.com/mailman/listinfo/ubuntu-mythtv >> >> > > -- > Ubuntu-mythtv mailing list > Ubuntu-mythtv@lists.ubuntu.com > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/ubuntu-mythtv > > -- Ubuntu-mythtv mailing list Ubuntu-mythtv@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-mythtv
Re: [ubuntu-mythtv] New install of .26 mythweb appears insecure with web access to DB username and password.
I don't have that on my 0.26 install. I wonder if that is something mythexport does. thomas@ares:~$ ls -la /var/www/ total 12 drwxr-xr-x 2 root root 4096 Feb 13 15:16 . drwxr-xr-x 13 root root 4096 Apr 25 19:08 .. -rw-r--r-- 1 root root 177 Feb 13 15:16 index.html lrwxrwxrwx 1 root root 25 Feb 22 13:06 mythweb -> /usr/share/mythtv/mythweb Thanks, Thomas Mashos On Sun, May 5, 2013 at 11:24 AM, Chuck Peters wrote: > > This seems unwise... > Why do we have a symlink to the db username and password in the web root? > > root@io:~# ls -la /var/www/ > total 16 > drwxr-xr-x 3 root root 4096 May 5 02:55 . > drwxr-xr-x 14 root root 4096 May 5 04:07 .. > -rw-r--r-- 1 root root 177 May 5 00:42 index.html > lrwxrwxrwx 1 root root 28 May 5 02:55 mythexport -> > /usr/share/mythtv/mythexport > drwxr-xr-x 2 root root 4096 May 5 02:55 .mythtv > lrwxrwxrwx 1 root root 25 May 4 21:34 mythweb -> > /usr/share/mythtv/mythweb > root@io:~# ls -l /var/www/.mythtv/ > lrwxrwxrwx 1 root root 22 May 5 02:55 config.xml -> > /etc/mythtv/config.xml > root@io:~# ls -l /etc/mythtv/config.xml > -rw-rw 1 www-data mythtv 452 May 5 05:21 /etc/mythtv/config.xml > > > Although this is a new install, I was changing out the OS disk for the > MythTV master backend and restored our very large DB. > > > Thanks, > Chuck > > -- > Ubuntu-mythtv mailing list > Ubuntu-mythtv@lists.ubuntu.com > Modify settings or unsubscribe at: > https://lists.ubuntu.com/mailman/listinfo/ubuntu-mythtv > > -- Ubuntu-mythtv mailing list Ubuntu-mythtv@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-mythtv