This is the mail archive of the gnats-devel@sourceware.cygnus.com mailing list for the GNATS project.
gnatsweb 4.0 security
- To: "'gnats-devel at sourceware dot cygnus dot com'" <gnats-devel at sourceware dot cygnus dot com>
- Subject: gnatsweb 4.0 security
- From: "Panon, Paul-Andre" <Paul-AndrePanon at SierraSystems dot com>
- Date: Fri, 28 Apr 2000 11:06:58 -0700
Hello,
Our development group has been using gnats 3.113 and gnatsweb for a while
now and I just set up a test environment for Gnats 4.0. It seems to work
fine and the new features are very nice. I have a small suggestion for a
security change (which I unfortunately don't have time to change myself
right now).
Gnatsweb needs to be able to do a DBLS for the login page. However this
function can only be performed if the web server has view access to the
gnats daemon. As far as I have been able to tell, since you can't decrease
permissions with gnatsd.access, this means that you implicitly wind up
providing everybody view access to all your PR databases - even if you enter
*:*:deny in the database-specific gnatsd.access files. Would it be possible
to modify the access levels of gnatsd.host_access to either allow the 'none'
access level to still do a DBLS, or to define a new access level that only
allows a DBLS command?
Paul-Andre Panon
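As an added illustration (not part of the message above and not GNATS code), a small Python model of the access-level interaction the message describes: the per-database gnatsd.access entry can raise but not lower the gnatsd.host_access level, so a web server host granted 'view' for DBLS keeps 'view' on every database even with `*:*:deny`. The level ordering, the command-to-level table and the `dbls_min` parameter (which models the proposal of letting 'none' run DBLS) are assumptions made for the model.

```python
# Constructed ordering of gnatsd access levels for this model (assumption).
LEVELS = ["deny", "none", "view", "edit", "admin"]


def rank(level):
    """Position of an access level in the constructed ordering."""
    return LEVELS.index(level)


def effective_level(host_level, db_level):
    """Model of the behaviour described in the message: the database-specific
    gnatsd.access entry cannot decrease the level granted by host_access,
    so the effective level is the higher of the two (assumption)."""
    return max(host_level, db_level, key=rank)


def can_run(command, level, dbls_min="view"):
    """Minimum level per command (constructed table). The DBLS floor is a
    parameter so the message's proposal, a level that may run DBLS and
    nothing else, can be modelled by lowering it to 'none'."""
    minimum = {"DBLS": dbls_min, "QUER": "view", "EDIT": "edit"}
    return rank(level) >= rank(minimum[command])


def audit(host_level, db_levels, dbls_min="view"):
    """For a host at host_level, return {database: (can_list, can_query)}
    given each database's gnatsd.access level."""
    result = {}
    for db, db_level in db_levels.items():
        eff = effective_level(host_level, db_level)
        result[db] = (can_run("DBLS", eff, dbls_min), can_run("QUER", eff))
    return result


if __name__ == "__main__":
    dbs = {"default": "deny", "internal": "deny"}   # constructed *:*:deny files
    print("today:   ", audit("view", dbs))           # every DB is queryable
    print("proposed:", audit("none", dbs, dbls_min="none"))  # DBLS only
```

The first call shows the problem the message raises (the web server host can query every database); the second shows the requested change (DBLS works, queries do not).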