public inbox for gnats-devel@sourceware.org
* gnatsweb 4.0 security
@ 2000-04-28 11:07 Panon, Paul-Andre
From: Panon, Paul-Andre @ 2000-04-28 11:07 UTC (permalink / raw)
  To: 'gnats-devel@sourceware.cygnus.com'

Hello,

Our development group has been using gnats 3.113 and gnatsweb for a while
now and I just set up a test environment for Gnats 4.0. It seems to work
fine and the new features are very nice. I have a small suggestion for a
security change (which I unfortunately don't have time to change myself
right now).

Gnatsweb needs to be able to do a DBLS for the login page.  However this
function can only be performed if the web server has view access to the
gnats daemon.  As far as I have been able to tell, since you can't decrease
permissions with gnatsd.access, this means that you implicitly wind up
providing everybody view access to all your PR databases - even if you enter
*:*:deny in the database-specific gnatsd.access files.  Would it be possible
to modify the access levels of gnatsd.host_access to either allow the 'none'
access level to still do a DBLS, or to define a new access level that only
allows a DBLS command?

Paul-Andre Panon 
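An added example, not from this post or from the GNATS project, that models the access merging Paul-Andre describes and flags hosts whose gnatsd.host_access entry still reaches a database that tries to deny everyone. It assumes both files use `principal:password:access-level` lines with `#` comments, the access-level ordering given in `LEVELS`, and constructed sample file contents; the "host access cannot be lowered by gnatsd.access" rule is taken from the post, not verified against gnatsd.

```python
# Added example (not from the post or GNATS): audit gnatsd access files for the
# leak described above. Assumptions: line format principal:password:level,
# the LEVELS ordering, and that a host's level is never lowered per-database.

LEVELS = ["deny", "none", "submit", "view", "viewconf", "edit", "admin"]

HOST_ACCESS = """\
# gnatsd.host_access (constructed sample)
localhost:*:admin
webserver.example.com:*:view
"""

DB_ACCESS = """\
# per-database gnatsd.access (constructed sample)
*:*:deny
"""


def parse_access(text):
    """Return {principal: level} from principal:password:level lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        principal, _password, level = line.split(":", 2)
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r}")
        entries[principal] = level
    return entries


def effective_level(host_level, db_level):
    """Per the post, gnatsd.access cannot reduce host-granted access,
    so the effective level is the higher of the two (assumption)."""
    return max(host_level, db_level, key=LEVELS.index)


def audit(host_text, db_text, needed="view"):
    """Hosts that keep >= `needed` access although the database's
    gnatsd.access denies everyone via a '*' entry."""
    hosts, db = parse_access(host_text), parse_access(db_text)
    if db.get("*", "deny") != "deny":
        return []
    leaks = []
    for host, level in hosts.items():
        eff = effective_level(level, db.get(host, "deny"))
        if LEVELS.index(eff) >= LEVELS.index(needed):
            leaks.append((host, eff))
    return leaks


if __name__ == "__main__":
    for host, level in audit(HOST_ACCESS, DB_ACCESS):
        print(f"{host}: effective {level} despite *:*:deny in gnatsd.access")
```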
