[security advisory] http://wiki.nginx.org/Redmine

Francis Daly francis at daoine.org
Mon Mar 9 22:50:11 UTC 2015 

On Mon, Mar 09, 2015 at 08:24:43PM +0200, Gena Makhomed wrote:
> On 09.03.2015 19:25, Francis Daly wrote:

Hi there,

> >But the user must have followed some documentation to install redmine in
> >the first place; and if they unthinkingly install it into /var/www/redmine
> >they are probably doing something wrong before nginx gets involved.
> 
> redmine documentation:
> http://www.redmine.org/projects/redmine/wiki/RedmineInstall
> don't forbid users to install redmine into /var/www/redmine

Yes, redmine can be installed anywhere on the filesystem.

> even more, redmine documentation:
> http://www.redmine.org/projects/redmine/wiki/HowTo_install_Redmine_on_CentOS_5
> RECOMMENDS to install redmine into /var/www/redmine
> see: "Configure /var/www/redmine/config/database.yml"

Yes, that url shows redmine installed to /var/www/redmine.

In that case, the nginx "root" should be /var/www/redmine/public.

The url
http://www.redmine.org/projects/redmine/wiki/HowTo_Install_Redmine_using_Debian_package
includes the line "ln -s /usr/share/redmine/public /var/www/redmine".

The url
http://www.redmine.org/projects/redmine/wiki/HowTo_Install_Redmine_on_Debian_Squeeze_with_Postgresql_Ruby-on-Rails_and_Apache2-Passenger
includes the line "ln -s /var/lib/redmine/public /var/www/redmine".

The url
http://www.redmine.org/projects/redmine/wiki/HowTo_Install_Redmine_2_integrated_with_Gitolite_2_on_Debian_Wheezy_with_Apache_and_Phusion_Passenger
includes the lines "cd /var/www; ln -s /opt/redmine/public redmine"

In those cases the nginx "root" should be /var/www/redmine.

The nginx configuration must match the redmine installation that was done.

There does not appear to be consistent documentation on where redmine
is expected to be installed.

>From an nginx perspective, change "root" to match where the web documents
are. That's what the wiki page said, and that's what the wiki page says,
so it's all good.

> >I see instructions to install to /opt/redmine, and to /var/lib/redmine,
> >and to /usr/share/redmine, and in each case they say to do something like
> >
> >   ln -s /usr/share/redmine/public /var/www/redmine
> >
> >to have only the web-accessible content below /var/www/redmine.
> 
> I don't see such instructions at the http://wiki.nginx.org/Redmine

Correct.

It looks like the nginx wiki page assumed one type of redmine install,
without documenting exactly what type of install it assumed. That appears
to still be the case, so that's all good too.

> User must guess than they must change from "root /var/www/redmine;"
> to "root /var/www/redmine/public;" to fix this unobvious vulnerability?

Perhaps it will be useful for someone to note that the "root" directive
value in nginx must be the root directory of the redmine web content,
which is the "public" directory of the redmine distribution. That appears
not to have been clear on the nginx wiki page.

> >>Request https://redmine.example.com/config/database.yml will be
> >>processed by nginx, because file /var/www/redmine/config/database.yml
> >>exists. For details - see manual about try_files directive in nginx.
> >
> >The file /var/www/redmine/config/database.yml should not exist.
> 
> it MUST exists, because redmine install
> instructions suppose that such file exists:
> "Configure /var/www/redmine/config/database.yml"

There is more than one set of redmine install instructions. The one you
followed wanted a different "root" directive than what was on the nginx
wiki. Now it wants the "root" directive that is on the nginx wiki.

> >If the file /var/www/redmine/config/database.yml does exist and the
> >above nginx configuration is used, then the user will find that no part
> >of their redmine web-related installation will work, because all of the
> >images and stylesheets and javascripts are inaccessible.
> 
> No, if nginx frontend can't process such non-existend files,
> it just silently proxy request to backend and backend process
> such request without any problems.

That, I was not aware of. Thank you for correcting me.

I guess it must happen because the back-end web server has been configured
with the "right" DocumentRoot or whatever equivalent it uses. (Or
maybe it is hardcoded to always look in "public" so does not need extra
configuration.)

> >Correspondingly, if the user has installed only web content below
> >/var/www, then using a different "root" directive will cause that
> >installation not to work.
> 
> redmine documentation at redmine site recomments install
> entire redmine into /var/www/redmine directory, not only public content.

The redmine installation instructions are something that the redmine
people might be interested in making more consistent.

In nginx, everything on the filesystem below your "root" value is
potentially accessible to the world. So it is prudent to set it to a
directory that only contains public information. The nginx wiki page
shows that now.

All the best,

	f
-- 
Francis Daly        francis at daoine.org

More information about the nginx mailing list