From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 30338 invoked from network); 30 Sep 2002 03:31:14 -0000 Received: from unknown (HELO monty-python.gnu.org) (199.232.76.173) by sources.redhat.com with SMTP; 30 Sep 2002 03:31:14 -0000 Received: from localhost ([127.0.0.1] helo=monty-python.gnu.org) by monty-python.gnu.org with esmtp (Exim 4.10) id 17vrGz-0005PT-00; Sun, 29 Sep 2002 23:31:05 -0400 Received: from list by monty-python.gnu.org with tmda-scanned (Exim 4.10) id 17vrG5-0004uW-00 for help-gnats@gnu.org; Sun, 29 Sep 2002 23:30:09 -0400 Received: from mail by monty-python.gnu.org with spam-scanned (Exim 4.10) id 17vrG2-0004se-00 for help-gnats@gnu.org; Sun, 29 Sep 2002 23:30:08 -0400 Received: from snipe.mail.pas.earthlink.net ([207.217.120.62]) by monty-python.gnu.org with esmtp (Exim 4.10) id 17vrG1-0004r2-00 for help-gnats@gnu.org; Sun, 29 Sep 2002 23:30:05 -0400 Received: from user-vcauks6.dsl.mindspring.com ([216.175.83.134] helo=zeewin) by snipe.mail.pas.earthlink.net with smtp (Exim 3.33 #1) id 17vrFn-0004H5-00; Sun, 29 Sep 2002 20:29:51 -0700 Reply-To: 
From: "Pankaj K Garg" To: "'Lars Henriksen'" , Cc: "'Dirk Schenkewitz'" , Subject: RE: Patch: Fix user authentication + MKDB Message-ID: <000001c26836$214c81e0$8d835f0f@home.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0001_01C267FB.75929C70" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0 Importance: Normal In-Reply-To: <20020929094001.GA1288963@cluster2.netman.dk> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300 Sender: help-gnats-admin@gnu.org Errors-To: help-gnats-admin@gnu.org X-BeenThere: help-gnats@gnu.org X-Mailman-Version: 2.0.11 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: General discussion about GNU GNATS List-Archive: Date: Mon, 30 Sep 2002 03:21:00 -0000 X-SW-Source: 2002-q3/txt/msg00140.txt.bz2 This is a multi-part message in MIME format. ------=_NextPart_000_0001_01C267FB.75929C70 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-length: 743 >... > But as for DES/MD5 I believe the original code is correct: > > else > { > /* DES crypt or MD5 hash of the password */ > #ifdef HAVE_LIBCRYPT > char *encrypted = crypt (password, hash); > return encrypted && ! strcmp (encrypted, hash); > #else > /* TODO: log some warning */ > return FALSE; > #endif > } > ... Thanks, yes. I stand corrected. I was thrown off by the man page for crypt on my Linux machine. But on a bit of searching found out that FreeBSD crypt will do this. BTW, the documentation with FreeBSD also mentioned the use of $2$ for BlowFish algorithm. Should we mention that in the documentation? I'm attaching a corrected patch with the original DES/MD5 code. 
Regards Pankaj ------=_NextPart_000_0001_01C267FB.75929C70 Content-Type: text/plain; name="patchfile.out" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="patchfile.out" Content-length: 6977 Index: cmds.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /cvsroot/gnats/gnats/gnats/cmds.c,v retrieving revision 1.69 diff -u -p -r1.69 cmds.c --- cmds.c 12 Aug 2002 12:33:30 -0000 1.69 +++ cmds.c 30 Sep 2002 03:22:27 -0000 @@ -318,11 +318,11 @@ GNATS_user (int ac, char **av) printf ("%d %s\r\n", CODE_INFORMATION, access_level_str (user_access)); } - else if (ac =3D=3D 2) + else if ((ac =3D=3D 1) || (ac =3D=3D 2)) { if (databaseValid (currentDatabase)) { - if (gnatsdChdb (databaseName (currentDatabase), av[0], av[1], 0, + if (gnatsdChdb (databaseName (currentDatabase), av[0], ac =3D=3D 2 ? av= [1] : "", 0, &err) !=3D 0) { print_server_errors (err); @@ -339,14 +339,21 @@ GNATS_user (int ac, char **av) free (currentPassword); } currentUsername =3D xstrdup (av[0]); - currentPassword =3D xstrdup (av[1]); + if (ac =3D=3D 2) + { + currentPassword =3D xstrdup (av[1]); + } + else + { + currentPassword =3D (char *)""; + } printf ("%d Current database is not valid; use CHDB to set the database= \r\n", CODE_OK); } } else { - printf ("%d Need two arguments, username and password\r\n",=20 + printf ("%d Need one or two arguments, username and optionally a pas= sword\r\n",=20 CODE_CMD_ERROR); } } 
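Review bot: In the second GNATS_user hunk (@@ -339,14 +339,21 @@) the one-argument branch stores a string literal with `currentPassword = (char *)"";`, but the context lines just above it, and gnatsdChdb later in this patch, call `free (currentPassword)` whenever the pointer is non-NULL. A later command on the same connection that replaces the password would therefore hand free() a pointer that was never allocated, which is undefined behaviour in a network-facing daemon. Keep one ownership rule for the global by allocating the empty value too: `currentPassword = xstrdup ("");`. GNATS_user starts and ends outside the hunk.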
@@ -591,15 +598,19 @@ gnatsdChdb (const char *nameOfDb, const=20 free (currentUsername); } currentUsername =3D xstrdup (username); - } - - if (passwd !=3D NULL) - { +=20=20=20=20=20=20 if (currentPassword !=3D NULL) { free (currentPassword); } - currentPassword =3D xstrdup (passwd); + if (passwd !=3D NULL) + { + currentPassword =3D xstrdup (passwd); + } + else + { + currentPassword =3D NULL; + } } =20 if (currentUsername =3D=3D NULL) @@ -670,9 +681,9 @@ GNATS_chdb (int ac, char **av) const char *user =3D NULL; const char *passwd =3D NULL; =20 - if (ac !=3D 1 && ac !=3D 3) + if (ac !=3D 1 && ac !=3D 2 && ac !=3D 3) { - printf ("%d One or three arguments required.\r\n", CODE_CMD_ERROR);= =20 + printf ("%d One, two, or three arguments required.\r\n", CODE_CMD_ER= ROR);=20 return; } =20 @@ -681,6 +692,10 @@ GNATS_chdb (int ac, char **av) user =3D av[1]; passwd =3D av[2]; } + else if (ac =3D=3D 2) + { + user =3D av[1]; + } =20 if (gnatsdChdb (av[0], user, passwd, 0, &err) !=3D 0) { @@ -1786,11 +1801,11 @@ GNATS_help (int ac ATTRIBUTE_UNUSED, cha CODE_INFORMATION); printf ("%d- SUBM submit a new PR\r\n", CODE_INFORMATION); - printf ("%d- CHDB [ ]\r\n", + printf ("%d- CHDB [ []]\r\n", CODE_INFORMATION); printf ("%d- change GNATS ROOT to \r= \n", CODE_INFORMATION); - printf ("%d- USER Sets the current user\r\n", + printf ("%d- USER [] Sets the current user\r\n", CODE_INFORMATION); printf ("%d- USER Report current access level\r\n", CODE_INFORMATION); Index: gnatsd.access =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /cvsroot/gnats/gnats/gnats/gnatsd.access,v retrieving revision 1.5 diff -u -p -r1.5 gnatsd.access --- gnatsd.access 16 Oct 2001 15:06:56 -0000 1.5 +++ gnatsd.access 30 Sep 2002 03:22:27 -0000 
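Review bot: The rewritten block in gnatsdChdb (@@ -591,15 +598,19 @@) sets `currentPassword = NULL` when a username arrives without a password, and the new two-argument branch in GNATS_chdb (@@ -681,6 +692,10 @@) creates exactly that case by leaving `passwd` NULL. The password_match() change in gnatsd.c calls `strlen(password)` unconditionally, so if currentPassword reaches it unchanged (the call chain is outside these hunks and needs confirming) a NULL pointer would be dereferenced. GNATS_user passes `""` for a missing password; using the same representation here, e.g. `currentPassword = xstrdup (passwd != NULL ? passwd : "");`, gives every caller one meaning for "no password". The password update also moved inside the block that sets currentUsername, so a password given without a username is no longer stored; that deserves a comment if intended. gnatsdChdb's body continues outside the hunk.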
@@ -14,9 +14,11 @@ # * userid: a user id to gain access to gnatsd # * password: a password for the user. Passwords prefixed by $0$ are # assumed to be plain-text. Passwords without a prefix are -# assumed to be encrypted with standard crypt(), while passw= ords +# assumed to be encrypted with standard (DES) crypt(), while= passwords # prefixed with $1$ are assumed to be MD5 encrypted. # MD5 and crypt() encryption may not be available on all sys= tems. +# An empty field value means that the user should not supply any +# password. # * access-level: (default =3D edit) # deny - gnatsd closes the connection # none - no further access until userid and password giv= en @@ -33,4 +35,4 @@ # It's ignored in gnatsd-adm/gnatsd.access since this file is alre= ady # database specific. # -#*:*:view: +#*::view: Index: gnatsd.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /cvsroot/gnats/gnats/gnats/gnatsd.c,v retrieving revision 1.47 diff -u -p -r1.47 gnatsd.c --- gnatsd.c 4 Aug 2002 10:58:29 -0000 1.47 +++ gnatsd.c 30 Sep 2002 03:22:27 -0000 
@@ -253,21 +253,35 @@ match (const char *line, const char *pat static int password_match (const char *password, const char *hash) { - if (! strncmp (hash, "$0$", 3)) + if (strlen(password) && strlen(hash)) { - /* explicit plain-text password */ - return ! match (password, hash, TRUE); - } - else - { - /* DES crypt or MD5 hash of the password */ + if (! strncmp (hash, "$0$", 3)) + { + /* explicit plain-text password */ + return match (password, hash+3, TRUE); + } + else + { #ifdef HAVE_LIBCRYPT - char *encrypted =3D crypt (password, hash); - return encrypted && ! strcmp (encrypted, hash); + /* DES crypt or MD5 hash of the password */ + char *encrypted =3D crypt (password, hash); + return encrypted && ! strcmp (encrypted, hash); #else - /* TODO: log some warning */ - return FALSE; + /* TODO: log some warning */ + return FALSE; #endif + } + } + else + { + if (strlen(password)) + { + return FALSE; + } + else + { + return ! strlen(hash) ; + } } } =20 @@ -450,8 +464,11 @@ findUserAccessLevel (const char *file, c if (! password_match (passwd, ent->admFields[1])) { /* Username matched but password didn't. */ - *access =3D ACCESS_NONE; - found =3D 1; + if (strlen(ent->admFields[1]) && strlen(passwd)) + { + *access =3D ACCESS_NONE; + found =3D 1; + } } else { @@ -460,7 +477,10 @@ findUserAccessLevel (const char *file, c /* Compare all given names against the name of the requested database. */ const char *l2 =3D ent->admFields[3]; - +=09=09=20=20=20=20=20=20 + if (! strlen(l2)) + found =3D 1; +=09=09=20=20=20=20=20=20 while (l2 !=3D NULL && ! found) { char *token =3D get_next_field (&l2, ','); ------=_NextPart_000_0001_01C267FB.75929C70-- _______________________________________________ Help-gnats mailing list Help-gnats@gnu.org http://mail.gnu.org/mailman/listinfo/help-gnats
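Review bot: In password_match (@@ -253,21 +253,35 @@) the `$0$` branch checks the credential with `match (password, hash+3, TRUE)`, and the same line drops the `!` that the old code applied to the result. match() is declared with a `pat` parameter, so it appears to be a pattern matcher rather than a string comparison. If so, the stored plain-text password is interpreted as a pattern, and the check relies on a return convention this hunk does not show. An exact comparison states the intent directly: `return strcmp (password, hash + 3) == 0;`. Separately, `strlen(password)` is called with no NULL check, and the outer `else` reduces to `return ! strlen(password) && ! strlen(hash);`.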
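Review bot: In findUserAccessLevel (@@ -450,8 +464,11 @@) a failed password_match() now stops the search with ACCESS_NONE only when both the stored field and the supplied password are non-empty. In every other failing case the entry is skipped and, presumably, the loop goes on to later entries. The result then depends on entry order: a request that names a password-protected userid but carries no password can still be granted the level of a later wildcard entry like the commented `#*::view:` example in gnatsd.access. The comment `/* Username matched but password didn't. */` no longer describes this. If the fall-through is intended, document it, for example `/* Wrong password: stop with ACCESS_NONE. No password sent: keep looking so a password-less entry can apply. */`. The function continues outside the hunk.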
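Review bot: The added `if (! strlen(l2)) found = 1;` in findUserAccessLevel (@@ -460,7 +477,10 @@) dereferences l2 before the loop directly below it tests `l2 != NULL`. That test may only serve loop termination, but if admFields[3] can be absent this is a NULL read. A guarded, braced form costs nothing: `if (l2 != NULL && *l2 == '\0') { found = 1; }`. Because an empty database list now makes the entry apply to every database, add a comment saying so, such as `/* Empty database field: entry is valid for all databases. */`. The enclosing block starts outside the hunk.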