
RE: GNATS authentication


From: Hon-Chi Ng
Subject: RE: GNATS authentication
Date: Tue, 9 Oct 2001 10:33:12 -0700

Hi Yngve

>
>From: Yngve Svendsen <address@hidden>
>To: "holly sadeghi" <address@hidden>
>Cc: address@hidden, address@hidden
>Subject: GNATS authentication
>Date: Mon, 08 Oct 2001 21:45:53 +0200
>
  ...
>
>Ideally, you should be able to set access level 'none' for all hosts, so 
>users would be required to authenticate in order to do anything. The 
>problem with this is that Gnatsweb has to get a list of available databases 
>before the user can be asked to log in, and that is not possible in GNATS 
>3, since the DBLS command is unavailable when the access level is set to 
>'none'. And still, anyone would be able to submit PRs. The DBLS problem 
>will be fixed in GNATS 4, where there will be a separate access level which 
>allows only the DBLS command to be executed.

My workaround is to make the default database "foo", which is used as a
test/debug/sandbox database, viewable by anyone, and to deny the rest of the
databases to anyone not otherwise authorized.

E.g.
a) In gnats-db/gnats-adm/gnatsd.conf of all databases,
    *:none:

b) In gnats-db/gnats-adm/gnatsd.access for default database "foo",
    User1:Passwd1:edit:
    *:*:view:

c) In gnats-db/gnats-adm/gnatsd.access for the rest of databases,
    User2:Passwd2:edit:
    User3:Passwd3:view:
    *:*:deny:


>
>Unfortunately, GNATS 4 will not be much improved wrt. security, except 
>for the DBLS fix. However, we have implemented a workaround in Gnatsweb 4. 
>If you limit access to GNATS so that Gnatsweb is the only available 
>interface, you can require users to authenticate against the web server 
>before they're allowed access to Gnatsweb. Gnatsweb can be configured to 
>pick up the username the user authenticated to the web server with and use 
>that as the GNATS username. Basically, you would have an empty user 
>database in gnatsd.access and an entry in gnatsd.conf saying
>
>localhost:edit:
>
>(assuming the web server runs on the GNATS server machine)
>
  ...
>
>All in all, GNATS security is messy and weak. I'd like to invite people to 
>air their views on this subject -- perhaps we could end up with a 
>specification for a more robust security and authentication model?

Yngve, is it possible to

a) make the web server authentication the default for GnatsWeb, and

b) possibly add an option to tell GNATS 4 to use /etc/passwd, NIS passwd
   or Apache AuthUserFile for users' passwords instead of those in
   gnats-adm/gnatsd.access?  They may not be the most secure way, but
   at least they are better than the plaintext passwords in
   gnats-adm/gnatsd.access.

In other words, what I'm proposing is
  - use gnats-adm/gnatsd.access for authorization control, and
  - use /etc/passwd, NIS passwd or Apache AuthUserFile for
    authentication control.


>
>Yngve Svendsen
>


Thanks.

Just my 2c.

Hon-Chi


------------------------------------------------------------
--== Sent via Deja.com ==--
http://www.deja.com/
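As an added illustration of the split proposed above (authorization from gnatsd.access, authentication from an Apache AuthUserFile), here is a small Python model of how the three files would combine. It is example code written for this archive page, not GNATS or Gnatsweb code, and its evaluation rules are assumptions: first matching line wins, `*` matches any host or user, a `deny` host entry refuses the connection outright and otherwise the access file decides, an unauthenticated client matches only `*` user lines, and the AuthUserFile holds `{SHA}` entries (the only htpasswd format implemented here). The sample files mirror configs (a)-(c) from the mail with the passwords moved out of gnatsd.access.

```python
"""Added example (not GNATS or Gnatsweb code): authorization from a
gnatsd.access-style file, authentication from an Apache AuthUserFile.

Assumptions, not taken from the mail: first matching line wins, '*' matches
any host or user, a 'deny' host entry refuses the connection outright and
otherwise the access file decides, and an anonymous client matches only
'*' user lines.  Line formats follow the thread: gnatsd.conf is host:level:,
gnatsd.access is user:password:level: (password column left empty because
the web server authenticates).
"""
import base64
import hashlib
import hmac


def parse_colon_file(text):
    """Split 'a:b:c:' lines into field lists, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(line.rstrip(":").split(":"))
    return rows


def host_level(conf_text, host):
    """gnatsd.conf lookup: first matching host pattern wins (assumption)."""
    for pattern, level, *_ in parse_colon_file(conf_text):
        if pattern in ("*", host):
            return level
    return "deny"


def user_level(access_text, user):
    """gnatsd.access lookup used purely for authorization; the password
    column is ignored.  user=None means an unauthenticated client, which
    can only match the '*' wildcard line (assumption)."""
    for pattern, _password, level, *_ in parse_colon_file(access_text):
        if pattern == "*" or (user is not None and pattern == user):
            return level
    return "deny"


def sha_entry(password):
    """Apache AuthUserFile '{SHA}' form: base64 of the SHA-1 digest.  Used
    here only because it needs no extra library; prefer bcrypt entries and
    a library that verifies them in real use."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def check_htpasswd(htpasswd_text, user, password):
    """Authenticate against an AuthUserFile holding '{SHA}' entries only."""
    for fields in parse_colon_file(htpasswd_text):
        if len(fields) == 2 and fields[0] == user and fields[1].startswith("{SHA}"):
            return hmac.compare_digest(fields[1], sha_entry(password))
    return False


def effective_access(host, user, password, conf_text, access_text, htpasswd_text):
    """Combine the three files.  Returns one of deny/none/view/edit."""
    if host_level(conf_text, host) == "deny":
        return "deny"                       # host-level refusal wins
    if user is not None and not check_htpasswd(htpasswd_text, user, password):
        return "deny"                       # bad credentials: no fallback to anonymous
    return user_level(access_text, user)


# Constructed sample files mirroring configs (a)-(c) from the mail, with the
# passwords moved out of gnatsd.access into the AuthUserFile.
GNATSD_CONF = "*:none:\n"
ACCESS_FOO = "User1::edit:\n*:*:view:\n"                  # sandbox database
ACCESS_REST = "User2::edit:\nUser3::view:\n*:*:deny:\n"   # every other database
HTPASSWD = "\n".join(["User1:" + sha_entry("alpha"),
                      "User2:" + sha_entry("s3cret"),
                      "User3:" + sha_entry("gamma")]) + "\n"

if __name__ == "__main__":
    for db, acc in (("foo", ACCESS_FOO), ("real", ACCESS_REST)):
        for who, pw in ((None, None), ("User1", "alpha"), ("User2", "s3cret"),
                        ("User2", "wrong"), ("User3", "gamma")):
            print(db, who or "<anonymous>",
                  effective_access("10.0.0.5", who, pw, GNATSD_CONF, acc, HTPASSWD))
```

Running it prints the resolved level for each database and client; the interesting rows are the anonymous client getting `view` on the sandbox but `deny` elsewhere, and a wrong password yielding `deny` rather than falling back to the anonymous wildcard. Swapping `check_htpasswd` for a PAM, NIS or bcrypt-backed check is the only change needed to move authentication to another store, which is the point of keeping it separate from the level lookup.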

