Posted to dev@httpd.apache.org by Jim Jagielski <ji...@jaguNET.com> on 2010/06/21 14:40:40 UTC

server-status and privacy

There have been a few reports regarding how server-status "leaks"
info, mostly about our (the ASF's) open use of server-status and
how IP addresses are exposed.

I'm thinking about a patch that adjusts server-status/mod_status
to have a "public vs. private" setting... Public would be to
have IP addresses exposed as public info; private would be to
not expose 'em (keep 'em private).

Comments?

Re: server-status and privacy

Posted by Nicholas Sherlock <n....@gmail.com>.
On 23/06/2010 8:20 p.m., Paul Querna wrote:
> 4) How is it a "completely unreasonable violation" of privacy to show
> request urls to a public website, with zero private content or
> anything even remotely sensitive, and associate that with an IP
> address?  IP address X was looking up how to configure Hadoop... and
> that harms someone how?   We aren't a search engine, we don't host
> anything that is embarrassing or private on the public server-status
> pages.

So if an attacker sees your company researching patches for a particular 
vulnerability reported on apache.org, that wouldn't be useful to them?

I don't know what hellhole you live in where companies casually 
broadcasting your every interaction with them is considered acceptable.

Nicholas Sherlock


Re: server-status and privacy

Posted by Paul Querna <pa...@querna.org>.
On Tue, Jun 22, 2010 at 6:23 PM, Nicholas Sherlock <n....@gmail.com> wrote:
> On 22/06/2010 12:40 a.m., Jim Jagielski wrote:
>>
>> There have been a few reports regarding how server-status "leaks"
>> info, mostly about our (the ASF's) open use of server-status and
>> how IP addresses are exposed.
>>
>> I'm thinking about a patch that adjusts server-status/mod_status
>> to have a "public vs. private" setting... Public would be to
>> have IP addresses exposed as public info; private would be to
>> not expose 'em (keep 'em private).
>>
>> Comments?
>
> I can't believe that when I informed apache.org of this issue 70 days ago,
> the immediate response wasn't simply to disable server-status or restrict it
> to clients from within Apache's network. It is a completely unreasonable
> violation of your customers' privacy to broadcast their IP addresses and
> viewing habits.

1) This configuration has been present on apache.org for at least 10
years, probably longer.  Maybe the rest of the internet's expectation
of IP address privacy has changed in that time, but the server-status
on apache.org has been there for a long time.

2) There is no 'apache network' to restrict access from -- the real
asf server admins are random people all over the world.

3) I'm not really sure this belongs on dev@httpd at all,
infrastructure@apache.org is likely where you want to send complaints
of this type.  A feature request to add obfuscation to mod_status
might be interesting to some, but it's not really related to
apache.org's configuration.

4) How is it a "completely unreasonable violation" of privacy to show
request urls to a public website, with zero private content or
anything even remotely sensitive, and associate that with an IP
address?  IP address X was looking up how to configure Hadoop... and
that harms someone how?   We aren't a search engine, we don't host
anything that is embarrassing or private on the public server-status
pages.

Thanks,

Paul

Re: server-status and privacy

Posted by Nicholas Sherlock <n....@gmail.com>.
On 22/06/2010 12:40 a.m., Jim Jagielski wrote:
> There have been a few reports regarding how server-status "leaks"
> info, mostly about our (the ASF's) open use of server-status and
> how IP addresses are exposed.
>
> I'm thinking about a patch that adjusts server-status/mod_status
> to have a "public vs. private" setting... Public would be to
> have IP addresses exposed as public info; private would be to
> not expose 'em (keep 'em private).
>
> Comments?

I can't believe that when I informed apache.org of this issue 70 days ago, 
the immediate response wasn't simply to disable server-status or 
restrict it to clients from within Apache's network. It is a completely 
unreasonable violation of your customers' privacy to broadcast their IP 
addresses and viewing habits.

I sat and sniffed server-status today for an hour and saw lots of 
interesting things. These people thought it was interesting too:

Client - Requests for "/server-status?auto"
'121.2.73.140', '2'
'204.232.198.45', '18'
'209.40.196.203', '261'
'217.193.165.235', '27'
'222.73.44.146', '10'
'222.73.45.200', '15'
'222.73.68.35', '7'
'222.73.86.253', '17'
'61.57.131.230', '100'
'62.49.67.115', '18'
'64.27.116.177', '3'
'67.188.126.141', '3'
'67.199.134.1', '62'
'68.87.42.115', '13'
'69.70.70.186', '12'
'74.103.140.133', '172'
'81.0.134.157', '1'
'92.106.225.35', '42'

Client - Requests for "/server-status"
'118.90.8.44', '550' <- That's me
'119.63.88.205', '80'
'187.34.7.120', '1'
'217.193.165.235', '16'
'222.73.68.35', '1'
'60.195.252.106', '24'
'64.27.116.177', '12'
'68.87.42.115', '68'
'81.0.134.157', '37'
'92.106.225.35', '1'

Cheers,
Nicholas Sherlock


Re: server-status and privacy

Posted by Albert Lash <al...@docunext.com>.
> There have been a few reports regarding how server-status "leaks"
> info, mostly about our (the ASF's) open use of server-status and
> how IP addresses are exposed.
>
> I'm thinking about a patch that adjusts server-status/mod_status
> to have a "public vs. private" setting... Public would be to
> have IP addresses exposed as public info; private would be to
> not expose 'em (keep 'em private).
>
> Comments?
>

This is a cool idea! It reminds me of the ability to privatize email
addresses when publishing mailing lists as HTML with something like
MHonArc.

FYI - when I first read your email, I thought you were proposing some sort
of ACL keywords for public v. private subnets.

-- 
http://www.docunext.com/


Re: server-status and privacy

Posted by Rainer Jung <ra...@kippdata.de>.
On 21.06.2010 14:40, Jim Jagielski wrote:
> There have been a few reports regarding how server-status "leaks"
> info, mostly about our (the ASF's) open use of server-status and
> how IP addresses are exposed.
>
> I'm thinking about a patch that adjusts server-status/mod_status
> to have a "public vs. private" setting... Public would be to
> have IP addresses exposed as public info; private would be to
> not expose 'em (keep 'em private).
>
> Comments?

Seems necessary according to privacy laws in various countries.

What about the request URL and the VHost name? Both are not necessarily 
publicly known information, i.e. you could "leak" what URLs respectively 
VHosts are there. More of a security than a privacy issue though.

Finally, an attacker can derive the MPM sizing and check the 
effectiveness of DoS attacks from the server status, but I guess admins 
afraid of that will never (publicly) enable the server status.

So IMHO: w.r.t. privacy, removing the client IP is good and might even 
be necessary for admins who only want to provide the server status to a 
restricted group of users.

Optionally removing VHost and URL might allow more admins to make the 
server status available to an even bigger group of people, but if there 
are only two choices, full data and restricted data, I would prefer them 
to be still shown even in the restricted mode.

Regards,

Rainer

Re: server-status and privacy

Posted by Nick Kew <ni...@webthing.com>.
On 21 Jun 2010, at 13:40, Jim Jagielski wrote:

> I'm thinking about a patch that adjusts server-status/mod_status
> to have a "public vs. private" setting... Public would be to
> have IP addresses exposed as public info; private would be to
> not expose 'em (keep 'em private).
> 
> Comments?

+1 on the principle.

How about tying it to password-protection?
If r->user is NULL, then blank out IP addresses?

-- 
Nick Kew

RE: server-status and privacy

Posted by "Plüm, Rüdiger, VF-Group" <ru...@vodafone.com>.
 

> -----Original Message-----
> From: Jeff Trawick 
> Sent: Wednesday, 23 June 2010 18:43
> To: dev@httpd.apache.org
> Subject: Re: server-status and privacy
> 
> On Wed, Jun 23, 2010 at 12:09 PM, William A. Rowe Jr.
> <wr...@rowe-clan.net> wrote:
> > On 6/23/2010 10:49 AM, Jim Jagielski wrote:
> >>
> >> On Jun 21, 2010, at 1:07 PM, Jeff Trawick wrote:
> >>
> >>> On Mon, Jun 21, 2010 at 8:40 AM, Jim Jagielski 
> <ji...@jagunet.com> wrote:
> >>>> There have been a few reports regarding how server-status "leaks"
> >>>> info, mostly about our (the ASF's) open use of server-status and
> >>>> how IP addresses are exposed.
> >>>>
> >>>> I'm thinking about a patch that adjusts server-status/mod_status
> >>>> to have a "public vs. private" setting... Public would be to
> >>>> have IP addresses exposed as public info; private would be to
> >>>> not expose 'em (keep 'em private).
> >>>
> >>> use mod_sed or similar on apache.org to change the client IP address
> >>> field to "?"
> >>
> >> True... so I'm guessing this means that the patch would
> >> be unacceptable?
> >
> > If it's an obfuscation (truncated hash of IP?) that lets the admin/users
> > see that one individual is tying up 10 connections, I don't think it's
> > a bad idea to patch (mod_sed isn't going to do that effectively).  +/-0
> > on patching to disable the field entirely.
> >
> 
> admins can set up unobfuscated /server-status-foo with auth required;
> if they care about a single client IP tying up n connections, they
> want to see IP address too
> 
> nearly zero sites want a public server-status page with
> obfuscated/omitted client IP address; why write new code to handle
> that?
> 

+1 on that. I see no need for a patch here. The situation on the apache.org
site is IMHO unique and should be fixed with mod_sed / mod_substitute.

Regards

Rüdiger

Re: server-status and privacy

Posted by Jeff Trawick <tr...@gmail.com>.
On Wed, Jun 23, 2010 at 12:09 PM, William A. Rowe Jr.
<wr...@rowe-clan.net> wrote:
> On 6/23/2010 10:49 AM, Jim Jagielski wrote:
>>
>> On Jun 21, 2010, at 1:07 PM, Jeff Trawick wrote:
>>
>>> On Mon, Jun 21, 2010 at 8:40 AM, Jim Jagielski <ji...@jagunet.com> wrote:
>>>> There have been a few reports regarding how server-status "leaks"
>>>> info, mostly about our (the ASF's) open use of server-status and
>>>> how IP addresses are exposed.
>>>>
>>>> I'm thinking about a patch that adjusts server-status/mod_status
>>>> to have a "public vs. private" setting... Public would be to
>>>> have IP addresses exposed as public info; private would be to
>>>> not expose 'em (keep 'em private).
>>>
>>> use mod_sed or similar on apache.org to change the client IP address
>>> field to "?"
>>
>> True... so I'm guessing this means that the patch would
>> be unacceptable?
>
> If it's an obfuscation (truncated hash of IP?) that lets the admin/users
> see that one individual is tying up 10 connections, I don't think it's
> a bad idea to patch (mod_sed isn't going to do that effectively).  +/-0
> on patching to disable the field entirely.
>

admins can set up unobfuscated /server-status-foo with auth required;
if they care about a single client IP tying up n connections, they
want to see IP address too

nearly zero sites want a public server-status page with
obfuscated/omitted client IP address; why write new code to handle
that?

Re: server-status and privacy

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 6/23/2010 10:49 AM, Jim Jagielski wrote:
> 
> On Jun 21, 2010, at 1:07 PM, Jeff Trawick wrote:
> 
>> On Mon, Jun 21, 2010 at 8:40 AM, Jim Jagielski <ji...@jagunet.com> wrote:
>>> There have been a few reports regarding how server-status "leaks"
>>> info, mostly about our (the ASF's) open use of server-status and
>>> how IP addresses are exposed.
>>>
>>> I'm thinking about a patch that adjusts server-status/mod_status
>>> to have a "public vs. private" setting... Public would be to
>>> have IP addresses exposed as public info; private would be to
>>> not expose 'em (keep 'em private).
>>
>> use mod_sed or similar on apache.org to change the client IP address
>> field to "?"
> 
> True... so I'm guessing this means that the patch would
> be unacceptable?

If it's an obfuscation (truncated hash of IP?) that lets the admin/users
see that one individual is tying up 10 connections, I don't think it's
a bad idea to patch (mod_sed isn't going to do that effectively).  +/-0
on patching to disable the field entirely.

Re: server-status and privacy

Posted by Jim Jagielski <ji...@jaguNET.com>.
On Jun 21, 2010, at 1:07 PM, Jeff Trawick wrote:

> On Mon, Jun 21, 2010 at 8:40 AM, Jim Jagielski <ji...@jagunet.com> wrote:
>> There have been a few reports regarding how server-status "leaks"
>> info, mostly about our (the ASF's) open use of server-status and
>> how IP addresses are exposed.
>> 
>> I'm thinking about a patch that adjusts server-status/mod_status
>> to have a "public vs. private" setting... Public would be to
>> have IP addresses exposed as public info; private would be to
>> not expose 'em (keep 'em private).
> 
> use mod_sed or similar on apache.org to change the client IP address
> field to "?"
> 

True... so I'm guessing this means that the patch would
be unacceptable?

Re: server-status and privacy

Posted by Jeff Trawick <tr...@gmail.com>.
On Mon, Jun 21, 2010 at 8:40 AM, Jim Jagielski <ji...@jagunet.com> wrote:
> There have been a few reports regarding how server-status "leaks"
> info, mostly about our (the ASF's) open use of server-status and
> how IP addresses are exposed.
>
> I'm thinking about a patch that adjusts server-status/mod_status
> to have a "public vs. private" setting... Public would be to
> have IP addresses exposed as public info; private would be to
> not expose 'em (keep 'em private).

use mod_sed or similar on apache.org to change the client IP address
field to "?"

Re: server-status and privacy

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 6/21/2010 7:40 AM, Jim Jagielski wrote:
> There have been a few reports regarding how server-status "leaks"
> info, mostly about our (the ASF's) open use of server-status and
> how IP addresses are exposed.
> 
> I'm thinking about a patch that adjusts server-status/mod_status
> to have a "public vs. private" setting... Public would be to
> have IP addresses exposed as public info; private would be to
> not expose 'em (keep 'em private).
> 
> Comments?

Sounds sensible, but it becomes a problem to distinguish clients.

What about 8 or 9 digits of a SHA-1 hash on the client (e.g. something
that would look a bit like a MAC), purely invented and truncated to
allow the admin to see patterns in who is accessing the machine?
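Added example (the editor's, not code from httpd or from anyone in this thread) covering two things the posts above raise: the per-client aggregation Nicholas Sherlock did by hand over server-status, and the truncated-hash obfuscation proposed here as a way to keep clients distinguishable. The status page below is constructed to the shape of the extended mod_status HTML table (Srv, PID, Acc, M, CPU, SS, Req, Conn, Child, Slot, Client, VHost, Request) using RFC 5737 documentation addresses; it is not captured from apache.org, and the column layout and every function name are assumptions of the example. The point it makes is that an unkeyed truncated SHA-1 of an IPv4 address is not an obfuscation: the candidate space is 2^32, a single /16 reverses in well under a second here, and the whole space is hours at most with native code. A keyed pseudonym (HMAC under a per-process secret) gives the same "one client is holding 10 slots" visibility without being reversible by anyone who can read the page.

```python
import hashlib
import hmac
import ipaddress
import re
import secrets
from collections import Counter

# Constructed sample, not captured from apache.org: rows shaped like the
# extended mod_status HTML table. Client addresses are from the RFC 5737
# documentation range, so nothing here points at a real host.
SAMPLE_STATUS_HTML = """
<table border="0">
<tr><th>Srv</th><th>PID</th><th>Acc</th><th>M</th><th>CPU</th><th>SS</th><th>Req</th><th>Conn</th><th>Child</th><th>Slot</th><th>Client</th><th>VHost</th><th>Request</th></tr>
<tr><td><b>0-0</b></td><td>2101</td><td>0/12/5000</td><td>W</td><td>0.12</td><td>0</td><td>0</td><td>0.0</td><td>0.02</td><td>12.34</td><td>192.0.2.10</td><td nowrap>www.example.org</td><td nowrap>GET /server-status HTTP/1.1</td></tr>
<tr><td><b>1-0</b></td><td>2102</td><td>0/9/4800</td><td>K</td><td>0.10</td><td>2</td><td>1</td><td>0.0</td><td>0.01</td><td>11.00</td><td>192.0.2.10</td><td nowrap>www.example.org</td><td nowrap>GET /dist/httpd/ HTTP/1.1</td></tr>
<tr><td><b>2-0</b></td><td>2103</td><td>0/3/4100</td><td>W</td><td>0.05</td><td>0</td><td>0</td><td>0.0</td><td>0.00</td><td>9.87</td><td>192.0.2.77</td><td nowrap>www.example.org</td><td nowrap>GET /security/vulnerabilities_22.html HTTP/1.1</td></tr>
<tr><td><b>3-0</b></td><td>2104</td><td>0/1/3900</td><td>_</td><td>0.01</td><td>5</td><td>0</td><td>0.0</td><td>0.00</td><td>8.00</td><td>192.0.2.10</td><td nowrap>www.example.org</td><td nowrap>GET /favicon.ico HTTP/1.1</td></tr>
</table>
"""

ROW_RE = re.compile(r"<tr>(.*?)</tr>", re.S)
CELL_RE = re.compile(r"<td[^>]*>(.*?)</td>", re.S)
# Assumed column positions in the extended table (0-based).
CLIENT_COL, VHOST_COL, REQUEST_COL = 10, 11, 12


def parse_rows(html):
    """One dict per worker row; the header row has <th> cells only and is skipped."""
    rows = []
    for tr in ROW_RE.findall(html):
        cells = CELL_RE.findall(tr)
        if len(cells) <= REQUEST_COL:
            continue
        rows.append({"client": cells[CLIENT_COL].strip(),
                     "vhost": cells[VHOST_COL].strip(),
                     "request": cells[REQUEST_COL].strip()})
    return rows


def count_clients(rows):
    """Slots held per client address: what an admin wants, and what an observer gets for free."""
    return Counter(r["client"] for r in rows)


def truncated_sha1(ip, digits=8):
    """The obfuscation as proposed: the first `digits` hex chars of an unkeyed SHA-1 of the address."""
    return hashlib.sha1(ip.encode()).hexdigest()[:digits]


def recover_ip(token, network, digits=8):
    """Reverse an unkeyed truncated hash by enumerating a candidate network.

    A /16 is 65,536 hashes and finishes instantly; the full IPv4 space is 2**32,
    which is a brute-force job measured in hours at most with native code.
    """
    for addr in ipaddress.ip_network(network):
        if truncated_sha1(str(addr), digits) == token:
            return str(addr)
    return None


def keyed_pseudonym(ip, key, digits=8):
    """Same token length, but an HMAC under a secret key.

    Stable for one key, so repeat clients still stand out; without the key
    the enumeration attack above has nothing to test candidates against.
    """
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:digits]


def render_private(rows, key):
    """The 'private' view: Client replaced by a keyed pseudonym, VHost and Request kept."""
    return [{**r, "client": keyed_pseudonym(r["client"], key)} for r in rows]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_STATUS_HTML)
    for ip, n in count_clients(rows).most_common():
        print(f"{ip:<16} {n} slot(s)")
    tok = truncated_sha1("192.0.2.10")
    print("truncated sha1:", tok, "-> recovered:", recover_ip(tok, "192.0.0.0/16"))
    key = secrets.token_bytes(32)  # per-process key; rotating it breaks cross-period linkage
    for r in render_private(rows, key):
        print(r["client"], r["vhost"], r["request"])
```

Run as a script it prints the slot count per client, the address recovered from its "obfuscated" token, and the pseudonymized rows. The key here lives only for the process; if pseudonyms must stay stable across restarts the secret has to be persisted and protected like any other credential, and deliberately rotating it is the simplest way to stop long-term tracking of one client across published snapshots.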

Re: server-status and privacy

Posted by Jeff Trawick <tr...@gmail.com>.
On Thu, Jun 24, 2010 at 9:00 AM, Eric Covener <co...@gmail.com> wrote:
>> A general capability would need to be added to the server to handle
>> this situation (e.g., restrict one/all handler adjustment from
>> .htaccess when FileInfo can be overridden, or something else
>> altogether).
>
> How about two mod_status directives:
>
>  * option for "ServerStatus ON|OFF" valid in <Location>
>  * a per-server option to only respond to the new flag
>
> Perhaps with differing defaults for the latter in 2.2 and 2.4

mod_info, mod_anything-activated-via-sethandler

Re: server-status and privacy

Posted by Eric Covener <co...@gmail.com>.
> A general capability would need to be added to the server to handle
> this situation (e.g., restrict one/all handler adjustment from
> .htaccess when FileInfo can be overridden, or something else
> altogether).

How about two mod_status directives:

  * option for "ServerStatus ON|OFF" valid in <Location>
  * a per-server option to only respond to the new flag

Perhaps with differing defaults for the latter in 2.2 and 2.4

-- 
Eric Covener
covener@gmail.com

Re: server-status and privacy

Posted by Jeff Trawick <tr...@gmail.com>.
On Thu, Jun 24, 2010 at 7:05 AM, gmx@schwicking.de <gm...@schwicking.de> wrote:
> Nick Kew wrote:
>> On 22 Jun 2010, at 08:20, gmx@schwicking.de wrote:
>>
> >>> Just as a hint: I posted a patch about two weeks ago,
>>
>> Pointer?  Was that somewhere in bugzilla?  I don't see it on-list.
>>
> I have not opened a bug report yet. I was about to, when this thread
> started.
>
> If the outcome of this thread is that nothing will be done, I will open
> a bug report and attach the patch.
>
> The patch is also attached to this mail for your convenience :-)

Configuring the mod_status handler name is no real solution and won't
be committed.

A general capability would need to be added to the server to handle
this situation (e.g., restrict one/all handler adjustment from
.htaccess when FileInfo can be overridden, or something else
altogether).

In the meantime, just edit your mod_status.c to change the handler
name and lock down the config and anything that can look at it
(filesystem access/mod_perl/mod_info/???).

Re: server-status and privacy

Posted by "gmx@schwicking.de" <gm...@schwicking.de>.
Nick Kew wrote:
> On 22 Jun 2010, at 08:20, gmx@schwicking.de wrote:
> 
>> Just as a hint: I posted a patch about two weeks ago, 
> 
> Pointer?  Was that somewhere in bugzilla?  I don't see it on-list.
> 
I have not opened a bug report yet. I was about to, when this thread
started.

If the outcome of this thread is that nothing will be done, I will open
a bug report and attach the patch.

The patch is also attached to this mail for your convenience :-)

regards
volker


Re: server-status and privacy

Posted by Nick Kew <ni...@webthing.com>.
On 22 Jun 2010, at 08:20, gmx@schwicking.de wrote:

> Just as a hint: I posted a patch about two weeks ago, 

Pointer?  Was that somewhere in bugzilla?  I don't see it on-list.

-- 
Nick Kew

Re: server-status and privacy

Posted by "gmx@schwicking.de" <gm...@schwicking.de>.
Hi all,

> I'm thinking about a patch that adjusts server-status/mod_status
> to have a "public vs. private" setting... Public would be to
> have IP addresses exposed as public info; private would be to
> not expose 'em (keep 'em private).
>
> Comments?

Just as a hint: I posted a patch about two weeks ago that enables a
(sort of) privacy setting for the server-status. The patch adds a new
directive (ServerStatusHandlerName <string>) and enables the admin to
customize the handler name for the mod_status module.

That way, other users (in a shared hosting environment) cannot simply use

"SetHandler server-status"

in their .htaccess files anymore. For us that does the trick.

From my experience, no admin (knowingly) makes the server-status
available to the public (and of course shouldn't). It should be used by
admins to view the server's current load, child status, remote IPs and,
for example, to investigate heavy-load situations (etc.).

What point does a server-status have if I can't see the remote IP (and,
for example, roughly sum them up), use the requested URL shown to
reproduce some sort of error, or see the status of the current Apache
children and realize that too many are in WAIT?

From my point of view, renaming/customizing the handler is sufficient
and my patch already does that :-).

regards
volker
