xCAT Apache configuration explicitly sets option Indexes and Require all granted for the whole /install directory. Both options can result in access to the custom config files (e.g. /install/custom, as the documentation usually refers to it), and also to other files.

A more critical security issue is if full backups (with passwords and hosts) are made inside /install (like in a document example from https://xcat-docs.readthedocs.io/en/stable/guides/admin-guides/references/man1/dumpxCATdb.1.html).

Thank you for this report. I know about this limitation.
We probably won't change the defaults due to backwards compatibility but we will add some notes to the documentation.
Usually you should at least set 750 permissions on directories like /install/custom or /install/syncfiles. But the documentation does not tell you this right now.

My understanding of xCAT's security assumptions is that xCAT clusters are in private, secured environments, with only incoming SSH access, given their historical use in private clusters.
Changing this assumption will probably lead to the need for an extensive effort to add and enhance security checks across the board. Maybe a tracker page can be added to the documentation, so that people can view and additionally add security concerns to the documentation. That should at least lead to some ideas on improving security.
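Added example, not taken from the issue or from xCAT's shipped configuration: an Apache 2.4 fragment that puts the permissive settings the report describes next to a restricted variant. The configuration file name, the cluster subnet 10.0.0.0/8 and the /install/backup path are assumptions; which subdirectories of /install nodes must still fetch over HTTP depends on the deployment, and the example assumes /install/custom and /install/syncfiles are not among them, in line with the 750-permission advice in the thread.

```apache
# Added example, not xCAT's own configuration. File name, subnet and the
# backup path are assumptions; adjust them to the site.

# --- Permissive (what the report describes): listings on, open to everyone ---
# <Directory /install>
#     Options Indexes
#     Require all granted
# </Directory>

# --- Restricted ---
# Nodes being provisioned still fetch files from /install over HTTP, so access
# is limited to the cluster network rather than removed entirely.
<Directory /install>
    # No directory listings: a client must already know a file's exact path.
    Options -Indexes
    # Assumed cluster management subnet; only hosts on it may read /install.
    Require ip 10.0.0.0/8
</Directory>

# Directories the thread singles out (custom config, sync files) are not served
# at all. Assumes nodes do not need to download them over HTTP.
<Directory /install/custom>
    Require all denied
</Directory>
<Directory /install/syncfiles>
    Require all denied
</Directory>

# Assumed location of a dumpxCATdb backup placed under /install. A database
# dump contains credentials and the host list, so it must never be web-readable;
# keeping it outside the web root entirely is the safer choice.
<Directory /install/backup>
    Require all denied
</Directory>
```

Two points worth checking after applying something like this. First, the 750 permissions suggested in the thread only help if the httpd worker user is neither the owner nor in the group of /install/custom or /install/syncfiles; if it is, Apache can still read and serve those files regardless of the mode bits. Second, Require ip restricts by source address only, so a compromised or untrusted host on the cluster subnet retains access, which is why the sensitive directories are denied outright rather than relying on the subnet rule alone.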