
Privacy issues of a default authenticated configuration?

Posted: Thu Jan 18, 2007 7:14 pm
by MJN
Whilst OPT_USE_AUTH is (I believe) disabled by default I'm sure many/most people enable this to afford themselves some privacy with their ZM installation (in addition to shaping individual access rights).

However, I see that /events/ and /images/ are viewable by everyone (authenticated or not) and not affected by the setting above. Of course, this may not allow 'live' viewing but it certainly makes visible any recorded events (which could be arguably of more 'interest').

Have I got this right, and were others aware?

I appreciate that ZM does allow external authentication, in which case the whole path would be 'secured' however I see that (understandably) this isn't the default method setting.

Mathew

Posted: Thu Jan 18, 2007 7:27 pm
by cordel
This has been discussed before and you are correct if you have apache set to index directories. ZoneMinder is only one piece of the whole system and you as an administrator are responsible to correctly set up, maintain, etc.

NOTE: !WARNING! ACHTUNG- Your server should be carefully tested and monitored before being trusted. The safety and security of your network and hosts is YOUR responsibility - we do our best to put out a high-quality server, but it's up to you to decide how your network will be managed, apache configured, etc. as we have no control of how you set up your system.

Posted: Thu Jan 18, 2007 7:34 pm
by MJN
True, however even if Apache's auto-indexing is disabled (or otherwise ignored via a custom default.htm/index.htm file entry) the file naming format is fixed (okay, so it can be changed but I wonder how many do) hence it can easily be guessed (or even brute forced).

I hope this isn't taken as any criticism (heck - look at my post count... I'm hardly qualified to say what's right, wrong, good or bad!) but I was just wondering if others were aware of the extent of the built-in authentication's bailiwick.

Mathew

Posted: Thu Jan 18, 2007 7:46 pm
by cordel
That is correct unless you set up http auth in apache or employ one of the many other methods to lock down those directories. If you disable the indexing it will still be available but someone would not be able to browse the directories. There is no control on a jpeg picture except for placing it outside of the web directory, and that increases the resources required by php to access those files by a lot.

Please note that ZoneMinder, Mysql, PERL, and Apache are moderately advanced system administration topics. If you aren't comfortable with general system administration, and similar topics, I would suggest reviewing Apache, and mysql documents at a minimum and become familiar with them. I hate to and have no intention of discouraging people, but I'm morally opposed to helping people destroy their machines, and there are other issues that should be taken into account as well. Most of the Howto posted here are okay to use but do not always take security into account, as well as I have seen a few posts/notes that actually open more serious vulnerabilities.

Now with the disclaimer out of the way ;)

I'm open to suggestions if anyone might have any. I personally use basic http authentication that queries against my users in the zm database. It works fine for me but you lose the control over your users.

Posted: Thu Jan 18, 2007 8:46 pm
by MJN
I'm trying HTTP authentication but am hitting the proverbial brick wall...

I've configured ZM for remote authentication (AUTH_TYPE) and left AUTH_RELAY as hashed. Apache is now configured as:

Code:

<Directory "/var/www/zm/">
 .
 .
 AuthType Basic
 AuthName "Restricted Area - Username and Password Required"
 AuthUserFile /home/mathew/NewtonNet/ZMhtpasswds
 Require valid-user
</Directory>

...and when hitting the ZM console I'm prompted (by Apache) for the username/password and once through get the console (login confirmed as admin).

However, whilst I can view stills I can't see either live streaming, recorded streaming or the zones page. For each I'm getting:

Code:

Jan 18 20:42:38 localhost zms[22065]: ERR [Unable to authenticate user]

So whilst authentication between Apache and the main ZM is fine, it is seemingly not passing on the authentication details to other components.

Any ideas what I'm doing wrong?

Mathew

Posted: Thu Jan 18, 2007 8:59 pm
by MJN
Ahh... Just in case I send you off scratching your head I've just set AUTH_RELAY to None and AUTH_HASH_IPS to disabled and it's working.

Will now investigate which of these was causing my issue (and why) but thought I'd better tell you as there's nothing worse than trying to solve someone's problem only to find out they'd fixed it but not come back to say so!

Mathew

Posted: Thu Jan 18, 2007 9:14 pm
by MJN
Hmmm... It's AUTH_RELAY causing me the problem. If set to None then all is well - Apache HTTP authentication works fine, ZM console fires up fine and I can view/do everything.

However, if AUTH_RELAY is set to Hashed then Apache auth is fine, ZM console fine, stills fine, but anything involving the zms backend fails:

Code:

01/18/07 21:03:31.395711 zms[22934].INF-zm_debug.c/304 [New Debug Level = 9, New Debug Log = /tmp/zm_debug.log.22934]
01/18/07 21:03:31.396076 zms[22934].DB1-zms.cpp/84 [Query: mode=jpeg&monitor=1&scale=100&maxfps=15&auth=4f0223dedbacdf2d5171f480e7453350&rand=1169154210]
01/18/07 21:03:31.396168 zms[22934].DB1-zm_user.cpp/162 [Attempting to authenticate user from auth string '4f0223dedbacdf2d5171f480e7453350']

<My main user details snipped leaving just the temporary test account below>

01/18/07 21:03:31.396941 zms[22934].DB1-zm_user.cpp/219 [Checking auth_key 'test7dcda0d57290b45382.46.99.5021180107' -> auth_md5 '575ecb83ab8dc0f321d18d3ee436c1e8']
01/18/07 21:03:31.397001 zms[22934].DB1-zm_user.cpp/219 [Checking auth_key 'test7dcda0d57290b45382.46.99.5020180107' -> auth_md5 '50f42d9c8b1b625d7f456cb78ea0aa9b']
01/18/07 21:03:31.397041 zms[22934].ERR-zms.cpp/190 [Unable to authenticate user]

And, even worse, if AUTH_RELAY is set to plain I get:

Code:

01/18/07 21:10:11.578685 zms[23078].INF-zm_debug.c/304 [New Debug Level = 9, New Debug Log= /tmp/zm_debug.log.23078]
01/18/07 21:10:11.579046 zms[23078].DB1-zms.cpp/84 [Query: mode=jpeg&monitor=1&scale=100&maxfps=15&user=admin&pass=&rand=1169154610]
01/18/07 21:10:11.579165 zms[23078].ERR-zm_signal.cpp/77 [Got signal (Segmentation fault), crashing]
01/18/07 21:10:11.579262 zms[23078].ERR-zm_signal.cpp/89 [Signal address is (nil), from 0xb7c115b0]
01/18/07 21:10:11.579693 zms[23078].ERR-zm_signal.cpp/116 [Backtrace: /lib/tls/i686/cmov/libc.so.6(strncpy+0x30) [0xb7c115b0]]
01/18/07 21:10:11.579786 zms[23078].ERR-zm_signal.cpp/116 [Backtrace: /lib/tls/i686/cmov/libc.so.6(strncpy+0x30) [0xb7c115b0]]
01/18/07 21:10:11.579868 zms[23078].ERR-zm_signal.cpp/116 [Backtrace: /usr/lib/cgi-bin/nph-zms [0x804b041]]
01/18/07 21:10:11.579949 zms[23078].ERR-zm_signal.cpp/116 [Backtrace: /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xd2) [0xb7bbbea2]]
01/18/07 21:10:11.580030 zms[23078].ERR-zm_signal.cpp/116 [Backtrace: /usr/lib/cgi-bin/nph-zms(__gxx_personality_v0+0x9d) [0x804a4e1]]
01/18/07 21:10:11.580111 zms[23078].INF-zm_signal.cpp/117 [Backtrace complete]

Notwithstanding the above failures/errors, what would be the drawback of me setting AUTH_RELAY to none (given that this enables me fully-functioning HTTP auth)? System access is tightly controlled, for what that's worth.

Mathew
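
Added example, not part of the original posts: a small triage of the zms debug logs quoted above, showing what each AUTH_RELAY mode leaves in the log. The finding labels are hypothetical names chosen for this example, and the sample lines are taken from the logs in the post.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Sample input: lines taken from the zms debug logs quoted in the post above.
SAMPLE_LOG = """\
01/18/07 21:03:31.396076 zms[22934].DB1-zms.cpp/84 [Query: mode=jpeg&monitor=1&scale=100&maxfps=15&auth=4f0223dedbacdf2d5171f480e7453350&rand=1169154210]
01/18/07 21:03:31.396941 zms[22934].DB1-zm_user.cpp/219 [Checking auth_key 'test7dcda0d57290b45382.46.99.5021180107' -> auth_md5 '575ecb83ab8dc0f321d18d3ee436c1e8']
01/18/07 21:03:31.397001 zms[22934].DB1-zm_user.cpp/219 [Checking auth_key 'test7dcda0d57290b45382.46.99.5020180107' -> auth_md5 '50f42d9c8b1b625d7f456cb78ea0aa9b']
01/18/07 21:03:31.397041 zms[22934].ERR-zms.cpp/190 [Unable to authenticate user]
01/18/07 21:10:11.579046 zms[23078].DB1-zms.cpp/84 [Query: mode=jpeg&monitor=1&scale=100&maxfps=15&user=admin&pass=&rand=1169154610]
01/18/07 21:10:11.579165 zms[23078].ERR-zm_signal.cpp/77 [Got signal (Segmentation fault), crashing]
"""

PID = r"zms\[(\d+)\]\.\S+ "
QUERY_RE = re.compile(PID + r"\[Query: ([^\]]*)\]")
CAND_RE = re.compile(PID + r"\[Checking auth_key '[^']*' -> auth_md5 '([0-9a-f]{32})'\]")
SEGV_RE = re.compile(PID + r"\[Got signal \(Segmentation fault\)")

def triage(log_text):
    """Map each zms pid to a sorted list of findings about its request."""
    query, cands, crashed = {}, defaultdict(set), set()
    for line in log_text.splitlines():
        if m := QUERY_RE.search(line):
            query[m.group(1)] = parse_qs(m.group(2), keep_blank_values=True)
        elif m := CAND_RE.search(line):
            cands[m.group(1)].add(m.group(2))
        elif m := SEGV_RE.search(line):
            crashed.add(m.group(1))
    report = {}
    for pid, q in query.items():
        found = set()
        # Hashed relay: the token in the URL must equal one of the hashes zms computed.
        token = q.get("auth", [None])[0]
        if token and cands[pid] and token not in cands[pid]:
            found.add("auth-hash-mismatch")
        # Plain relay: the credentials travel in the query string and end up in the log.
        if "user" in q or "pass" in q:
            found.add("credentials-in-url")
        if q.get("pass") == [""]:
            found.add("empty-password")
        if pid in crashed:
            found.add("crash-after-query")
        report[pid] = sorted(found)
    return report

if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_LOG).items():
        print(pid, findings)
```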

Posted: Thu Jan 18, 2007 9:26 pm
by cordel
Just to make sure...
You are restarting zm so the processes can pick up the new settings?

Posted: Thu Jan 18, 2007 9:34 pm
by MJN
Sure am - being quite rigorous in that regard (even restarting the browser to ensure the authentication starts from scratch each time).

Incidentally, when I was using ZM's built-in authentication AUTH_RELAY was set to Hashed so it was working fine then if that's any clue...?

Mathew

P.S. Don't bust a gut on this Cordel - I'd be quite happy to move back to the built-in auth and prevent auto-indexing of /events as thinking about it now the odds of someone predicting/guessing the full path name to an image is slim/nil if I change the directory name to something non-standard (all my authenticated users are fully trusted so them knowing the path is of no concern). Of course, if leaving AUTH_RELAY set to None is no problem (security-wise) then I guess I've got free choice? Perhaps therein lies my ignorance... ;)

Posted: Tue Jan 23, 2007 10:12 pm
by zoneminder
Hiding of direct image access in ZM is on the to do list but not very near the top at present.

Posted: Tue Jan 23, 2007 10:47 pm
by MJN
I agree it's far from being an urgent requirement.

An easy workaround if it bothers anyone is of course to simply change the default path/file-names or, with a bit more effort, use http auth (which can easily be applied to the entire tree).

Mathew

Posted: Wed Apr 25, 2007 12:56 am
by cordel
Wow, sorry I lost this topic Mathew :shock:
What I usually do is remove the indexing of the entire zm tree, so that includes the events directory. In the RPM I place a zm.conf in /etc/httpd/conf.d with the following config:

Code:

#----------------------------------------------------------------------------
#        USAGE:		None
#
#	DESCRIPTION:	Apache config file to alias the web directories to /usr/lib/zm
#	OPTIONS:	None
#	REQUIREMENTS:	Apache, ZM
# 
#	AUTHOR:		Corey DeLasaux, Serg Oskin
#	VERSION:  	1.0
#      	CREATED:  	03/11/2005 17:12:00 PDT
#=============================================================================

Alias /zm "/usr/lib/zm/html/"
<Directory "/usr/lib/zm/html">
    Options MultiViews FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>

ScriptAlias /cgi-bin/zm/ "/usr/lib/zm/cgi-bin/"
<Directory "/usr/lib/zm/cgi-bin">
    AllowOverride All
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>

Serg and myself came up with this on the second rpm release a couple years back. Of course the paths would need to be adjusted to be of any use to anyone not using the RPM.

Posted: Wed Apr 25, 2007 9:41 pm
by MJN
No worries about the 'slow' follow-up! I'm all sorted now using Apache passwords and SSL so things have been overtaken by events, for me at least.

Incidentally, whilst your fix re disabling directory listings may stop idle browsing it doesn't stop a would-be 'attacker' from guessing the full path URL (as mentioned a few posts back) - chances are they'd get it right given the default naming standard, and could therefore even run a cyclical script trawling up the number ranges.

Mathew

Posted: Mon Apr 30, 2007 11:37 am
by John Williams
Here is what I did for the Ubuntu deb that Peter is building....would be nice to include it in a future update...please check to see if I got it right. I merged what he already had with the cgi-bin part. I am an apache noob so not sure, really...

Code:

#----------------------------------------------------------------------------
#        USAGE:      None
#
#   DESCRIPTION:   Apache config file to alias the web directories to /usr/lib/zm
#   OPTIONS:   None
#   REQUIREMENTS:   Apache, ZM
#
#   AUTHOR:      Corey DeLasaux, Serg Oskin
#   VERSION:     1.0
#         CREATED:     03/11/2005 17:12:00 PDT
#         MODIFIED:    04/30/2007 06:31:00 EDT
#=============================================================================

Alias /zm /usr/share/zoneminder

<Directory /usr/share/zoneminder>
  php_flag register_globals off
  Options Indexes FollowSymLinks
  <IfModule mod_dir.c>
    DirectoryIndex index.php
  </IfModule>
</Directory>

ScriptAlias /cgi-bin/zm/ "/usr/share/zoneminder/cgi-bin/"
<Directory "/usr/share/zoneminder/cgi-bin">
    AllowOverride All
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory> 
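
Added example, not part of the original posts: a check that reads the web-tree `<Directory>` blocks from the two configs posted in this thread and reports whether directory listing is enabled and whether any `Require` directive protects the tree. The finding labels are hypothetical names for this example; the check only sees directives written inside the block itself, not settings inherited from a parent directory or supplied by `.htaccess`.

```python
import re

# Sample input: the web-tree blocks from the RPM and deb configs posted above.
RPM_CONF = '''
Alias /zm "/usr/lib/zm/html/"
<Directory "/usr/lib/zm/html">
    Options MultiViews FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
'''
DEB_CONF = '''
Alias /zm /usr/share/zoneminder
<Directory /usr/share/zoneminder>
  php_flag register_globals off
  Options Indexes FollowSymLinks
  <IfModule mod_dir.c>
    DirectoryIndex index.php
  </IfModule>
</Directory>
'''

def audit(conf):
    """Return {directory path: [findings]} for each <Directory> block."""
    report, current, directives = {}, None, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if m := re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I):
            current, directives = m.group(1), {}
        elif re.match(r'</Directory>', line, re.I) and current:
            opts = directives.get("options", "").lower().split()
            found = []
            # "Indexes" lets Apache list /events and /images when no index file exists.
            if "indexes" in opts or "+indexes" in opts:
                found.append("directory-listing-enabled")
            # Without Require, files are served to anyone who knows or guesses the URL.
            if "require" not in directives:
                found.append("no-authentication")
            report[current] = found
            current = None
        elif current and line and not line.startswith(("#", "<")):
            parts = line.split(None, 1)
            directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return report

if __name__ == "__main__":
    for name, conf in (("rpm", RPM_CONF), ("deb", DEB_CONF)):
        print(name, audit(conf))
```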

Posted: Mon Apr 30, 2007 1:12 pm
by robi
cordel wrote: The safety and security of your network and hosts is YOUR responsibility.

Well I did it like this: ZM box is behind a router/firewall, opened only a port for ssh and one for ftp (for other applications). Whenever I want to see the console, I open an ssh tunnel where I forward ports between the two localhosts. This way I get an encrypted connection plus the chance not to keep port open for apache.