From 236450cab3385d2b5dcf7bc22abb47f28c9f1b35 Mon Sep 17 00:00:00 2001
From: Ken Dreyer <ktdreyer@ktdreyer.com>
Date: Oct 27 2011 22:46:35 +0000
Subject: block HTTP access to log and rra directories (BZ #609856)


---

diff --git a/cacti-httpd.conf b/cacti-httpd.conf
index b8b9a5c..9187aa6 100644
--- a/cacti-httpd.conf
+++ b/cacti-httpd.conf
@@ -1,6 +1,10 @@
 #
 # Cacti: An rrd based graphing tool
 #
+
+# Change "Allow from 127.0.0.1" to open up cacti to other network devices.
+# For example, change "Allow from 127.0.0.1" to "Allow from all".
+
 Alias /cacti    /usr/share/cacti
 
 <Directory /usr/share/cacti/>
@@ -9,3 +13,15 @@ Alias /cacti    /usr/share/cacti
 	Allow from 127.0.0.1
 </Directory>
 
+
+# The sections marked "deny from all" should not be modified.
+# These are in place in order to harden cacti.
+<Directory /usr/share/cacti/log>
+    order deny,allow
+    Deny from all
+</Directory>
+<Directory /usr/share/cacti/rra>
+    order deny,allow
+    Deny from all
+</Directory>
+
diff --git a/cacti.README.Fedora b/cacti.README.Fedora
index 3b5e35d..acb284b 100644
--- a/cacti.README.Fedora
+++ b/cacti.README.Fedora
@@ -1,6 +1,10 @@
-In order for Cacti to function properly please properly edit /etc/cacti/db.php
-and enable the crontab script in /etc/cron.d/cacti  For more information about
-setting up the database please read:
+In order for Cacti to function properly, please edit the following:
+
+/etc/cacti/db.php
+/etc/cron.d/cacti
+/etc/http/conf.d/cacti.conf
+
+For more information about setting up the database please read:
 
 docs/INSTALL