
fix: disable Apache directory indexing on /install and /tftpboot #33

Merged: viniciusferrao merged 1 commit into master from fix/apache-disable-directory-indexing on May 4, 2026
Conversation

@viniciusferrao (Member)

Summary

Disable Apache directory indexing (autoindex) on /install and /tftpboot to prevent unauthenticated information disclosure. Provisioning-critical directories that require recursive wget access retain explicit Indexes exceptions.

Problem: The default xCAT Apache config ships with Options Indexes on /install and /tftpboot, allowing anyone with network access to browse the full directory tree — including postscripts, CA certificates, SSH authorized_keys, and (in production) kickstart files with password hashes.

Fix:

  • Remove Indexes from parent /install and /tftpboot directory blocks
  • Add targeted Indexes exceptions for /install/postscripts and /install/post (required by xcatdsklspost and otherpkgs recursive wget)
  • Use absolute Options directives to prevent inheriting unsafe parent settings
  • All four shipped config variants updated (MN/SN × Apache 2.2/2.4)
  • New Apache hardening documentation with upgrade instructions for both Apache versions

What remains indexed (required for provisioning)

| Path | Reason |
| --- | --- |
| /install/postscripts/ | xcatdsklspost, post.xcat, cumulusztp use recursive wget |
| /install/post/ | otherpkgs uses recursive wget for package directories |
| /opt/xcat/share/doc/ | xcat-doc browsing (harmless) |

What is now blocked (403 on directory listing)

| Path | Previously exposed |
| --- | --- |
| /install/ | Full tree listing |
| /install/custom/ | Custom scripts, potential credentials |
| /install/autoinst/ | Kickstart files with password hashes |
| /tftpboot/ | PXE configs, boot topology |

Direct file access by known path continues to work for all paths.

Test plan

  • apachectl configtest — Syntax OK
  • /install/ returns 403 (directory listing blocked)
  • /tftpboot/ returns 403 (directory listing blocked)
  • /install/postscripts/ returns 200 with full listing (recursive wget works)
  • Direct file access (syslog, ca-cert.pem, getcredentials.awk) returns 200
  • /xcat-doc/ returns 200 (preserved)
  • rpower and xCAT daemon unaffected
  • git diff --check clean
  • Adversarial review converged (5 passes)

Addresses xcat2#7450

The default xCAT Apache configuration shipped with Options Indexes
enabled for the /install and /tftpboot directories. This allowed
unauthenticated users to browse directory listings, disclosing the
full tree of postscripts, boot files, and (in production deployments)
potentially kickstart files with password hashes, custom scripts with
embedded credentials, and cluster topology details.

Replace Options Indexes with -Indexes in all four shipped Apache config
files (MN and SN, Apache 2.2 and 2.4 variants). Direct file access
by known path continues to work, so all provisioning workflows are
unaffected. Directory browsing for /xcat-doc is preserved as it
contains only public documentation.

Additionally, add an Apache hardening guide documenting recommended
permissions for sensitive directories under /install, network binding
best practices, and IP-based access control options.

Addresses xcat2#7450
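As an added example (not code from this PR or from xCAT), the following Python models how httpd merges `Options` across nested `<Directory>` sections and reports which directories still end up with `Indexes` in effect; this is the check behind the "absolute Options directives" point above. The two config snippets are constructed to mirror the before/after shape described in the PR, not the shipped xCAT files, and the default Options sets (FollowSymLinks for httpd 2.4, All for httpd 2.2) are taken from the httpd documentation.

```python
import re
# Constructed samples (not xCAT's shipped files): Indexes on the parent before, absolute Options after.
BEFORE_CONF = """
<Directory "/install">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/install/autoinst">
    Options +FollowSymLinks
</Directory>
"""
AFTER_CONF = """
<Directory "/install">
    Options FollowSymLinks
</Directory>
<Directory "/install/postscripts">
    Options +Indexes
</Directory>
"""
# httpd's "All" is every option except MultiViews; option names are case-insensitive.
ALL = {"execcgi", "followsymlinks", "includes", "includesnoexec", "symlinksifownermatch", "indexes"}
DIR_RE = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.S | re.I)
OPT_RE = re.compile(r"^\s*Options\s+(.+?)\s*$", re.M | re.I)
expand = lambda n: set(ALL) if n == "all" else (set() if n == "none" else {n})
def merge_options(parent, tokens):
    """One Options line as httpd applies it: +/- merges with the inherited set, bare names replace it."""
    tokens = [t.lower() for t in tokens]
    relative = [t[0] in "+-" for t in tokens]
    if any(relative) and not all(relative):  # httpd rejects this mix at configtest time
        raise ValueError(f"mixed relative and absolute Options: {tokens}")
    if not any(relative):
        return set().union(*(expand(t) for t in tokens))
    result = set(parent)
    for t in tokens:
        result = result | expand(t[1:]) if t[0] == "+" else result - expand(t[1:])
    return result
def effective_options(conf, default):
    """Effective Options per <Directory>: inherit from the nearest configured ancestor
    (sections apply shortest path first), then apply that block's Options lines in order."""
    blocks = [(m.group(1).rstrip("/") or "/", OPT_RE.findall(m.group(2))) for m in DIR_RE.finditer(conf)]
    resolved = {}
    for path, lines in sorted(blocks, key=lambda b: len(b[0])):
        ancestors = [p for p in resolved if path.startswith(p.rstrip("/") + "/")]
        opts = set(resolved[max(ancestors, key=len)] if ancestors else default)
        for line in lines:
            opts = merge_options(opts, line.split())
        resolved[path] = opts
    return resolved
def indexed_dirs(conf, default=frozenset({"followsymlinks"})):
    """Directories that still allow listing. Default mirrors httpd 2.4; pass ALL to model httpd 2.2."""
    return sorted(p for p, o in effective_options(conf, default).items() if "indexes" in o)
```

Running `indexed_dirs` over a real httpd config tree (after concatenating the included files) gives the same answer as the 403/200 checks in the test plan without needing a live server, and it shows why a relative `-Indexes` on the parent is weaker than an absolute `Options` line when an ancestor section or the server default contributes `Indexes`.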
@viniciusferrao (Member, Author)

Provisioning Validation (xCAT 2.18.0, Ubuntu 24.04 MN)

Tested on a lab xCAT 2.18.0 management node with Ubuntu 24.04 compute nodes (KVM VMs).

Apache behavior with patched config

```
/install/             → 403 (directory listing blocked)
/install/postscripts/ → 200 (listing available for recursive wget)
```

Recursive wget simulation (what xcatdsklspost does)

```
# wget -l inf -nH -N -r --waitretry=1 -e robots=off -T 10 -nH \
#   --cut-dirs=2 --reject "index.html*" --no-parent \
#   http://10.10.0.254/install/postscripts/ -P /tmp/xcatpost_test

Downloaded: 241 files, 1.8M in 0.002s (865 MB/s)
Files in /tmp/xcatpost_test: 151
```

All postscripts downloaded successfully — provisioning path unbroken.

Conclusion

The patched Apache config correctly blocks directory browsing on /install/ root while preserving the recursive wget flow that xcatdsklspost, post.xcat, and otherpkgs depend on.

@viniciusferrao viniciusferrao merged commit 679bed8 into master May 4, 2026
1 check passed
@viniciusferrao viniciusferrao deleted the fix/apache-disable-directory-indexing branch May 7, 2026 03:20