This is the mail archive of the gnats-devel@sourceware.cygnus.com mailing list for the GNATS project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]

gnatsweb 4.0 security


Hello,

Our development group has been using gnats 3.113 and gnatsweb for a while
now and I just set up a test environment for Gnats 4.0. It seems to work
fine and the new features are very nice. I have a small suggestion for a
security change (which I unfortunately don't have time to change myself
right now).

Gnatsweb needs to be able to do a DBLS for the login page.  However this
function can only be performed if the web server has view access to the
gnats daemon.  As far as I have been able to tell, since you can't decrease
permissions with gnatsd.access, this means that you implicitly wind up
providing everybody view access to all your PR databases - even if you enter
*:*:deny in the database-specific gnatsd.access files.  Would it be possible
to modify the access levels of gnatsd.host_access to either allow the 'none'
access level to still do a DBLS, or to define a new access level that only
allows a DBLS command?

Paul-Andre Panon 
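The access-level interaction the message describes can be modelled in a few lines. The following is an added example written for this archive page, not code from gnatsd or gnatsweb: it assumes the GNATS access levels are ordered deny < none < submit < view < viewconf < edit < admin, that gnatsd takes the higher of the host-level and user-level grants (which is what "you can't decrease permissions with gnatsd.access" implies), that DBLS currently needs 'view', and it uses a hypothetical per-command table to model the proposed change (DBLS allowed at 'none'). The host and user access lines below are constructed sample input in the `host:level:` and `user:password:level:` layouts; treat both layouts as assumptions.

```python
"""Model of host-level vs. per-database access combination in gnatsd.

Added example for this mailing-list page, not gnatsd or gnatsweb code.
Assumption: the effective level for a connection is the HIGHER of the
gnatsd.host_access grant and the database gnatsd.access grant, so a
per-database deny cannot lower a host-wide 'view'.
"""

# GNATS access levels in ascending order of privilege (assumed order).
LEVELS = ["deny", "none", "submit", "view", "viewconf", "edit", "admin"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Minimum level per command.  CURRENT mirrors the situation in the
# message (DBLS needs 'view'); PROPOSED models the suggested change
# (DBLS works at 'none').  Both tables are assumptions for this example.
REQUIRED_CURRENT = {"DBLS": "view", "QUER": "view", "SUBM": "submit"}
REQUIRED_PROPOSED = {"DBLS": "none", "QUER": "view", "SUBM": "submit"}


def parse_host_access(text):
    """Parse constructed 'host:level:' lines into {host: level} (assumed layout)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, level = line.split(":")[:2]
        table[host] = level
    return table


def parse_user_access(text):
    """Parse constructed 'user:password:level:' lines into {user: level} (assumed layout)."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _password, level = line.split(":")[:3]
        table[user] = level
    return table


def effective_level(host_level, user_level):
    """Higher of the two grants wins; a per-database deny cannot lower it."""
    return max(host_level, user_level, key=RANK.__getitem__)


def allowed(command, host_level, user_level, required=REQUIRED_CURRENT):
    """True if the effective level meets the command's minimum."""
    return RANK[effective_level(host_level, user_level)] >= RANK[required[command]]


def audit(host_level, user_level, required=REQUIRED_CURRENT):
    """Which commands a connection can run under the given grants."""
    return {cmd: allowed(cmd, host_level, user_level, required) for cmd in required}


# Constructed sample input: the web server host gets 'view' so gnatsweb
# can issue DBLS; the per-database file tries to deny everyone ('*').
HOST_ACCESS = "# host:level:\nwebserver.example.test:view:\n"
DB_ACCESS = "# user:password:level:\n*:*:deny:\n"

if __name__ == "__main__":
    host = parse_host_access(HOST_ACCESS)["webserver.example.test"]
    user = parse_user_access(DB_ACCESS)["*"]
    # With DBLS requiring 'view', the deny is ineffective: QUER is open too.
    print("current :", audit(host, user))
    # With the proposed DBLS-at-'none' level, the host can drop to 'none'
    # and still list databases without exposing PR queries.
    print("proposed:", audit("none", user, REQUIRED_PROPOSED))
```

The first audit shows the leak the message points out: once the host has 'view' for DBLS, the database-level `*:*:deny` cannot take QUER away. The second shows what the requested change buys: a host grant of 'none' suffices for DBLS while PR queries stay closed until a real user-level grant raises the effective level.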
