EPrints Technical Mailing List Archive

Message: #07794

< Previous (by date) | Next (by date) > | < Previous (in thread) | Next (in thread) > | Messages - Most Recent First | Threads - Most Recent First

Re: [EP-tech] Eprints-tech Digest, Vol 127, Issue 17

Excellent!

 

A question for others (possibly to David or other core-committers):

 

This issue has come up a few times previously on the tech-list.

It's quite a bad situation in terms of the impact of this issue.

 

Should we attempt to introduce a warning somehow e.g. at Apache startup, or from a 'bin/epadmin test' that warns of possibly dangerous configuration like this?

 

This specific issue is difficult - the repository appears to be normal - and working as expected…

 

Cheers,

John

 

From: eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bounces@ecs.soton.ac.uk] On Behalf Of Denis Munyua via Eprints-tech
Sent: 12 April 2019 13:02
To: eprints-tech@ecs.soton.ac.uk
Subject: Re: [EP-tech] Eprints-tech Digest, Vol 127, Issue 17

 

Thank you,

 

It was broken and commenting the "$r->connection->remote_ip' line under ~/archives/[ARCHIVEID]/cfg/cfg.d/security.pl fixed the issue.

 

 

Sincerely,

 

 

On Fri, Apr 12, 2019 at 1:53 PM <eprints-tech-request@ecs.soton.ac.uk> wrote:

Send Eprints-tech mailing list submissions to
        eprints-tech@ecs.soton.ac.uk

To subscribe or unsubscribe via the World Wide Web, visit
        http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
or, via email, send a message with subject or body 'help' to
        eprints-tech-request@ecs.soton.ac.uk

You can reach the person managing the list at
        eprints-tech-owner@ecs.soton.ac.uk

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Eprints-tech digest..."


Today's Topics:

   1. Re: Security Level (Visible to:) (Newman D.R.)
   2. Re: Security Level (Visible to:) (John Salter)


----------------------------------------------------------------------

Message: 1
Date: Fri, 12 Apr 2019 10:04:43 +0000
From: "Newman D.R." <drn@ecs.soton.ac.uk>
Subject: Re: [EP-tech] Security Level (Visible to:)
To: "eprints-tech@ecs.soton.ac.uk" <eprints-tech@ecs.soton.ac.uk>,
        "Denis  Munyua" <denis.munyua@gmail.com>
Message-ID:
        <EMEW3|bb7e13e12db0ebda93b5f99911a1dfbav3BB4v03drn|ecs.soton.ac.uk|1555063482.3266.225.camel@ecs.soton.ac.uk>

Content-Type: text/plain; charset="utf-8"

Hi Denis,

To confirm, you have been running Apache 2.4.25 (or at least some
version of 2.4) for some time prior to upgrading to EPrints to 3.3.16
and the problem with being able to access something you should not be
able to was not present directly prior to upgrading EPrints to 3.3.16?

Regards

David Newman

On Fri, 2019-04-12 at 12:28 +0300, Denis Munyua via Eprints-tech wrote:
> Hi John,
>
> Yes I upgraded from a previous version 3.3.* and this is not a cached
> copy. Am currently running:
> Apache/2.4.25 (Debian)
> Eprints 3.3.16
> Thanks,
>
> On Fri, Apr 12, 2019 at 12:10 PM <eprints-tech-request@ecs.soton.ac.u
> k> wrote:
> > Send Eprints-tech mailing list submissions to
> >         eprints-tech@ecs.soton.ac.uk
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> >         http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tec
> > h
> > or, via email, send a message with subject or body 'help' to
> >         eprints-tech-request@ecs.soton.ac.uk
> >
> > You can reach the person managing the list at
> >         eprints-tech-owner@ecs.soton.ac.uk
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of Eprints-tech digest..."
> >
> >
> > Today's Topics:
> >
> >    1. Re: Security Level (Visible to:) (John Salter)
> >    2. Re: Security Level (Visible to:) (Yuri)
> >
> >
> > -----------------------------------------------------------------
> > -----
> >
> > Message: 1
> > Date: Fri, 12 Apr 2019 08:58:16 +0000
> > From: John Salter <J.Salter@leeds.ac.uk>
> > Subject: Re: [EP-tech] Security Level (Visible to:)
> > To: "eprints-tech@ecs.soton.ac.uk" <eprints-tech@ecs.soton.ac.uk>,
> >         "Denis  Munyua" <denis.munyua@gmail.com>
> > Message-ID:
> >         <DB6PR0302MB2711A82E5F7E1E2784DD3100C4280@DB6PR0302MB2711.e
> > urprd03.prod.outlook.com>
> >
> > Content-Type: text/plain; charset="utf-8"
> >
> > Hi Denis,
> >
> > Which version of Apache are you running (probably 2.2 or 2.4)?
> > Which version of EPrints are you running?
> > Have you upgraded EPrints from a previous version?
> >
> > Cheers,
> > John
> >
> >
> > From: eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bou
> > nces@ecs.soton.ac.uk] On Behalf Of Denis Munyua via Eprints-tech
> > Sent: 12 April 2019 09:43
> > To: eprints-tech@ecs.soton.ac.uk
> > Subject: [EP-tech] Security Level (Visible to:)
> >
> > Greetings,
> >
> > I set up a repository some time back and I noticed that even after
> > setting the security level for the [Thesis / Dissertation] to
> > [Repository Staff Only] users are still able to view and download
> > the full text.
> >
> > Please advise.
> >
> > --
> >
> > Denis Muny?a
> > P.O. Box 12510- 00100 | Nairobi, Kenya
> > Mobile: +254 720760340
> > Skype: denis.munyua
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL: http://mailman.ecs.soton.ac.uk/pipermail/eprints-tech/attachme
> > nts/20190412/8137bfce/attachment-0001.html
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Fri, 12 Apr 2019 11:09:49 +0200
> > From: Yuri <yurj@alfa.it>
> > Subject: Re: [EP-tech] Security Level (Visible to:)
> > To: <eprints-tech@ecs.soton.ac.uk>
> > Message-ID: <6b46a457-fa7b-6481-6754-b11bcd98081a@alfa.it" target="_blank">6b46a457-fa7b-6481-6754-b11bcd98081a@alfa.it>
> > Content-Type: text/plain; charset="utf-8"; format=flowed
> >
> > It is the cache in the browser?
> >
> > Il 12/04/19 10:58, John Salter via Eprints-tech ha scritto:
> > >
> > > Hi Denis,
> > >
> > > Which version of Apache are you running (probably 2.2 or 2.4)?
> > >
> > > Which version of EPrints are you running?
> > >
> > > Have you upgraded EPrints from a previous version?
> > >
> > > Cheers,
> > >
> > > John
> > >
> > > *From:*eprints-tech-bounces@ecs.soton.ac.uk
> > > [mailto:eprints-tech-bounces@ecs.soton.ac.uk] *On Behalf Of
> > *Denis
> > > Munyua via Eprints-tech
> > > *Sent:* 12 April 2019 09:43
> > > *To:* eprints-tech@ecs.soton.ac.uk
> > > *Subject:* [EP-tech] Security Level (Visible to:)
> > >
> > > Greetings,
> > >
> > > I set up a repository some time back and I noticed that even
> > after
> > > setting the security level for the [Thesis / Dissertation] to
> > > [Repository Staff Only] users are still able to view and download
> > the
> > > full text.
> > >
> > > Please advise.
> > >
> > > --
> > >
> > > Denis Muny?a
> > > P.O. Box 12510- 00100 | Nairobi, Kenya
> > > Mobile: +254 720760340
> > > Skype: denis.munyua
> > >
> > >
> > > *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/epri
> > nts-tech
> > > *** Archive: https://eur03.safelinks.protection.outlook.com/?url="">
> > http%3A%2F%2Fwww.eprints.org%2Ftech.php%2F&amp;data=""> > > ts-
> > tech%40ecs.soton.ac.uk%7Cd415218c525a4b96b87b08d6bf26a095%7C4a5378f
> > 929f44d3ebe89669d03ada9d8%7C0&amp;sdata=5eRCuJUkBrHye1LeOIuuJOHRa5V
> > Q8KXpnhH%2Bh4Mu0Ac%3D&amp;reserved=0
> > > *** EPrints community wiki: https://eur03.safelinks.protection.outlook.com/?url="">
> > tlook.com/?url="">
> > eprints-
> > tech%40ecs.soton.ac.uk%7Cd415218c525a4b96b87b08d6bf26a095%7C4a5378f
> > 929f44d3ebe89669d03ada9d8%7C0&amp;sdata=v%2FsHnQc%2BCdgX9o9xIrMCr2U
> > t62A%2FxlhTv%2FB8XdyB5pM%3D&amp;reserved=0
> > > *** EPrints developers Forum: https://eur03.safelinks.protection.outlook.com/?url="">.
> > outlook.com/?url="">
> > %7Ceprints-
> > tech%40ecs.soton.ac.uk%7Cd415218c525a4b96b87b08d6bf26a095%7C4a5378f
> > 929f44d3ebe89669d03ada9d8%7C0&amp;sdata=R6hKGnEdFkMlPqvLrpn0tvhY99Z
> > mLCtfzS4RFPCemzA%3D&amp;reserved=0
> >
> >
> >
> > ------------------------------
> >
> > _______________________________________________
> > Eprints-tech mailing list
> > Eprints-tech@ecs.soton.ac.uk
> > http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
> >
> >
> > End of Eprints-tech Digest, Vol 127, Issue 15
> > *********************************************
> >
>
> --
> Denis Muny?a
> P.O. Box 12510- 00100 | Nairobi, Kenya
> Mobile: +254 720760340
> Skype: denis.munyua
> *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-
> tech
> *** Archive: https://eur03.safelinks.protection.outlook.com/?url="">
> *** EPrints community wiki: https://eur03.safelinks.protection.outlook.com/?url="">
> *** EPrints developers Forum: https://eur03.safelinks.protection.outlook.com/?url="">



------------------------------

Message: 2
Date: Fri, 12 Apr 2019 10:52:41 +0000
From: John Salter <J.Salter@leeds.ac.uk>
Subject: Re: [EP-tech] Security Level (Visible to:)
To: "eprints-tech@ecs.soton.ac.uk" <eprints-tech@ecs.soton.ac.uk>,
        "Newman D.R." <drn@ecs.soton.ac.uk>,    "Denis  Munyua"
        <denis.munyua@gmail.com>
Message-ID:
        <DB6PR0302MB27114368373B6EAF3630F474C4280@DB6PR0302MB2711.eurprd03.prod.outlook.com" target="_blank">DB6PR0302MB27114368373B6EAF3630F474C4280@DB6PR0302MB2711.eurprd03.prod.outlook.com>

Content-Type: text/plain; charset="utf-8"

Hi Denis,
You should take a look at you file:

~/archives/[ARCHIVEID]/cfg/cfg.d/security.pl
And compare it with:
~/lib/defaultcfg/cfg.d/security.pl

If in your archive copy of security.pl you have a reference to:
    $r->connection->remote_ip
Under Apache 2.4, it will be broken.

This explains it: https://eur03.safelinks.protection.outlook.com/?url="">

Let me know if you need more help!
Cheers,
John

-----Original Message-----
From: eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bounces@ecs.soton.ac.uk] On Behalf Of Newman D.R. via Eprints-tech
Sent: 12 April 2019 11:05
To: eprints-tech@ecs.soton.ac.uk; Denis Munyua <denis.munyua@gmail.com>
Subject: Re: [EP-tech] Security Level (Visible to:)

Hi Denis,

To confirm, you have been running Apache 2.4.25 (or at least some
version of 2.4) for some time prior to upgrading to EPrints to 3.3.16
and the problem with being able to access something you should not be
able to was not present directly prior to upgrading EPrints to 3.3.16?

Regards

David Newman

On Fri, 2019-04-12 at 12:28 +0300, Denis Munyua via Eprints-tech wrote:
> Hi John,
>
> Yes I upgraded from a previous version 3.3.* and this is not a cached
> copy. Am currently running:
> Apache/2.4.25 (Debian)
> Eprints 3.3.16
> Thanks,
>
> On Fri, Apr 12, 2019 at 12:10 PM <eprints-tech-request@ecs.soton.ac.u
> k> wrote:
> > Send Eprints-tech mailing list submissions to
> >         eprints-tech@ecs.soton.ac.uk
> >
> > To subscribe or unsubscribe via the World Wide Web, visit
> >         http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tec
> > h
> > or, via email, send a message with subject or body 'help' to
> >         eprints-tech-request@ecs.soton.ac.uk
> >
> > You can reach the person managing the list at
> >         eprints-tech-owner@ecs.soton.ac.uk
> >
> > When replying, please edit your Subject line so it is more specific
> > than "Re: Contents of Eprints-tech digest..."
> >
> >
> > Today's Topics:
> >
> >    1. Re: Security Level (Visible to:) (John Salter)
> >    2. Re: Security Level (Visible to:) (Yuri)
> >
> >
> > -----------------------------------------------------------------
> > -----
> >
> > Message: 1
> > Date: Fri, 12 Apr 2019 08:58:16 +0000
> > From: John Salter <J.Salter@leeds.ac.uk>
> > Subject: Re: [EP-tech] Security Level (Visible to:)
> > To: "eprints-tech@ecs.soton.ac.uk" <eprints-tech@ecs.soton.ac.uk>,
> >         "Denis  Munyua" <denis.munyua@gmail.com>
> > Message-ID:
> >         <DB6PR0302MB2711A82E5F7E1E2784DD3100C4280@DB6PR0302MB2711.e
> > urprd03.prod.outlook.com>
> >
> > Content-Type: text/plain; charset="utf-8"
> >
> > Hi Denis,
> >
> > Which version of Apache are you running (probably 2.2 or 2.4)?
> > Which version of EPrints are you running?
> > Have you upgraded EPrints from a previous version?
> >
> > Cheers,
> > John
> >
> >
> > From: eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bou
> > nces@ecs.soton.ac.uk] On Behalf Of Denis Munyua via Eprints-tech
> > Sent: 12 April 2019 09:43
> > To: eprints-tech@ecs.soton.ac.uk
> > Subject: [EP-tech] Security Level (Visible to:)
> >
> > Greetings,
> >
> > I set up a repository some time back and I noticed that even after
> > setting the security level for the [Thesis / Dissertation] to
> > [Repository Staff Only] users are still able to view and download
> > the full text.
> >
> > Please advise.
> >
> > --
> >
> > Denis Muny?a
> > P.O. Box 12510- 00100 | Nairobi, Kenya
> > Mobile: +254 720760340
> > Skype: denis.munyua
> > -------------- next part --------------
> > An HTML attachment was scrubbed...
> > URL: http://mailman.ecs.soton.ac.uk/pipermail/eprints-tech/attachme
> > nts/20190412/8137bfce/attachment-0001.html
> >
> > ------------------------------
> >
> > Message: 2
> > Date: Fri, 12 Apr 2019 11:09:49 +0200
> > From: Yuri <yurj@alfa.it>
> > Subject: Re: [EP-tech] Security Level (Visible to:)
> > To: <eprints-tech@ecs.soton.ac.uk>
> > Message-ID: <6b46a457-fa7b-6481-6754-b11bcd98081a@alfa.it" target="_blank">6b46a457-fa7b-6481-6754-b11bcd98081a@alfa.it>
> > Content-Type: text/plain; charset="utf-8"; format=flowed
> >
> > It is the cache in the browser?
> >
> > Il 12/04/19 10:58, John Salter via Eprints-tech ha scritto:
> > >
> > > Hi Denis,
> > >
> > > Which version of Apache are you running (probably 2.2 or 2.4)?
> > >
> > > Which version of EPrints are you running?
> > >
> > > Have you upgraded EPrints from a previous version?
> > >
> > > Cheers,
> > >
> > > John
> > >
> > > *From:*eprints-tech-bounces@ecs.soton.ac.uk
> > > [mailto:eprints-tech-bounces@ecs.soton.ac.uk] *On Behalf Of
> > *Denis
> > > Munyua via Eprints-tech
> > > *Sent:* 12 April 2019 09:43
> > > *To:* eprints-tech@ecs.soton.ac.uk
> > > *Subject:* [EP-tech] Security Level (Visible to:)
> > >
> > > Greetings,
> > >
> > > I set up a repository some time back and I noticed that even
> > after
> > > setting the security level for the [Thesis / Dissertation] to
> > > [Repository Staff Only] users are still able to view and download
> > the
> > > full text.
> > >
> > > Please advise.
> > >
> > > --
> > >
> > > Denis Muny?a
> > > P.O. Box 12510- 00100 | Nairobi, Kenya
> > > Mobile: +254 720760340
> > > Skype: denis.munyua
> > >
> > >
> > > *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/epri
> > nts-tech
> > > *** Archive: https://eur03.safelinks.protection.outlook.com/?url="">
> > http%3A%2F%2Fwww.eprints.org%2Ftech.php%2F&amp;data=""> > > ts-
> > tech%40ecs.soton.ac.uk%7Cd415218c525a4b96b87b08d6bf26a095%7C4a5378f
> > 929f44d3ebe89669d03ada9d8%7C0&amp;sdata=5eRCuJUkBrHye1LeOIuuJOHRa5V
> > Q8KXpnhH%2Bh4Mu0Ac%3D&amp;reserved=0
> > > *** EPrints community wiki: https://eur03.safelinks.protection.outlook.com/?url="">
> > tlook.com/?url="">
> > eprints-
> > tech%40ecs.soton.ac.uk%7Cd415218c525a4b96b87b08d6bf26a095%7C4a5378f
> > 929f44d3ebe89669d03ada9d8%7C0&amp;sdata=v%2FsHnQc%2BCdgX9o9xIrMCr2U
> > t62A%2FxlhTv%2FB8XdyB5pM%3D&amp;reserved=0
> > > *** EPrints developers Forum: https://eur03.safelinks.protection.outlook.com/?url="">.
> > outlook.com/?url="">
> > %7Ceprints-
> > tech%40ecs.soton.ac.uk%7Cd415218c525a4b96b87b08d6bf26a095%7C4a5378f
> > 929f44d3ebe89669d03ada9d8%7C0&amp;sdata=R6hKGnEdFkMlPqvLrpn0tvhY99Z
> > mLCtfzS4RFPCemzA%3D&amp;reserved=0
> >
> >
> >
> > ------------------------------
> >
> > _______________________________________________
> > Eprints-tech mailing list
> > Eprints-tech@ecs.soton.ac.uk
> > http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
> >
> >
> > End of Eprints-tech Digest, Vol 127, Issue 15
> > *********************************************
> >
>
> --
> Denis Muny?a
> P.O. Box 12510- 00100 | Nairobi, Kenya
> Mobile: +254 720760340
> Skype: denis.munyua
> *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-
> tech
> *** Archive: https://eur03.safelinks.protection.outlook.com/?url="">
> *** EPrints community wiki: https://eur03.safelinks.protection.outlook.com/?url="">
> *** EPrints developers Forum: https://eur03.safelinks.protection.outlook.com/?url="">

*** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
*** Archive: https://eur03.safelinks.protection.outlook.com/?url="">
*** EPrints community wiki: https://eur03.safelinks.protection.outlook.com/?url="">
*** EPrints developers Forum: https://eur03.safelinks.protection.outlook.com/?url="">



------------------------------

_______________________________________________
Eprints-tech mailing list
Eprints-tech@ecs.soton.ac.uk
http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech


End of Eprints-tech Digest, Vol 127, Issue 17
*********************************************


 

--

Denis Munyũa
P.O. Box 12510- 00100 | Nairobi, Kenya
Mobile: +254 720760340
Skype: denis.munyua