WARNING: Dreamhost's One-Click Install for Trac still has a security flaw

I first noticed this two years ago (http://www.destructuring.net/2012/03/23/dreamhost-ux-security-flaw/) and contacted Dreamhost. It has yet to be fixed.

If you create a “Private” subversion repository on Dreamhost ( username + password are required to view ) and then add a “One Click Install” of Trac to that private repository ( which is marked as “Private” in their installer ), the Trac instance does not have any security permissions. The entirety of your source code is readable through the Trac browser.

Here’s a illustration:

• Private SVN Repository – http://svn.2xlp.com/ExampleTracSvn/svn
• Default Trac Install – http://svn.2xlp.com/ExampleTracSvn/trac/browser/README.txt

While many people may want to have a Publicly readable repo for ticketing, I think it’s safe to say that most people who use a “One Click Install” are not familiar enough with the intricacies of Trac to know about it’s permissions system.

If you’re affected the easiest fix you can implement, is to add a .htaccess file to your trac directory.

A better fix, is to get off Dreamhost’s OneClickInstall entirely. The Trac One-Click-Install is a halfassed and terrible approach.

Dreamhost did something smart with their Subversion install. Your home directory has a `svn` subdirectory which contains some specific files for each subversion repo:

* RepoName/ ( the actual repo )
* RepoName.access (a .htaccess file for your repo )
* RepoName.passwd ( a htpassed file for the repo’s access file )

It’s a very smart an elegant solution. The Trac install, however, is anything but.

1. Dreamhost installs one version of the Trac library in your home directory for each trac instance. If you have 5 tracs, you have 5 directories like `~/webroot_svn_2xlp_com_ExampleTracSvn_trac_trac`

2. Dreamhost installs the entire Trac environment and database in a web directory. The configuration files, database, everything, are available in an Apache served directory — controlled only by .htaccess files.

A better way to manage Trac, is to create a `~/trac` subdirectory of your home folder, and centralize all your trac projects. You can then use .htaccess files and symlinks to expose the relevant directories to the internet at large.

This will guard you against situations where an erroneous .htaccess file renders your contents as raw-data ( it happens ).

If you have more than one Trac installation, you would probably benefit from installing Trac as a Python library and having multiple projects reference it.

Leave a Reply

Your email address will not be published. Required fields are marked *