[cobalt-developers] User Authorization for Administration
- Subject: [cobalt-developers] User Authorization for Administration
- From: "Jose Luis Aguilar" <jlaguilar@xxxxxxx>
- Date: Sun Oct 8 09:59:01 2000
- List-id: Mailing list for developers on Cobalt Networks products <cobalt-developers.list.cobalt.com>
If a cobalt employee is reading, this question is mainly for Cobalt:
I have been doing some extra development with the RAQ UI, and one feature I
need is to be able to add users to the admin group of a web site. In the
past, if you added the user to the siteX group of the web site, that would
do it.

For example, in the "/etc/group" file:

    site4: admin, siteAdmin, otherAdmin

This would allow the users "admin", "siteAdmin", and "otherAdmin" to do
administration for web site #4.
I just realized that Cobalt changed the "user_authok" function, which tells
whether it is ok for a user to access the site administration or not. Now, even
if you add a user to the siteX group, he will not be able to access the
administration screens if the user does not belong to the same web site.
For example, in my case, "otherAdmin" belongs to the root site of the RAQ
(group home), and he is no longer able to administer web site #4.
My question is:
Why did Cobalt change this function?
Was there a security hole doing it the other way?
Can I add the line that was taken away, and keep it secure?
They only changed one line in the "user_authok" function.

Before, it was:

    return 1 if (($access =~ /\bgroup\b/) and
                 grep(/\b$group\b/, user_list_groups($user)));

Now, it is:

    return 1 if (($access =~ /\bgroup\b/) and $group and
                 ($group eq (user_list_site($user))[1]));
Here is the whole function, found in the "User.pm" file of the Cobalt perl
libraries:

    sub user_authok
    # description: check the access rights of a user.
    # input: $user, "admin|site-adm|group", [$group if "group" selected]
    # output: 0 on denial, 1 on access.
    {
        my ($user, $access, $group) = @_;

        # $AdminUser, $Sites_AdminGroup, group_show() and user_list_site()
        # are defined elsewhere in User.pm.
        return 0 unless $user;
        return 1 if ($user eq $AdminUser);
        return 1 if (($access =~ /\badmin\b/) and ($user eq $AdminUser));
        return 1 if (($access =~ /\bsite-adm\b/) and
                     grep(/\b$user\b/, group_show($Sites_AdminGroup)));
        return 1 if (($access =~ /\bgroup\b/) and $group and
                     ($group eq (user_list_site($user))[1]));
        return 0;
    }
Thanks,
Jose Aguilar
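The difference between the two "group" checks is easiest to see side by side. The following Python model is an added example, not code from the post or from Cobalt's User.pm: it reimplements `user_authok` with both the old `grep(/\b$group\b/, ...)` line and the new `$group eq user_list_site(...)` line, and runs both against constructed `/etc/group`-style data that mirrors the poster's scenario. The group and user data, the `siteAdmins` group standing in for `$Sites_AdminGroup`, and the `backupAdmin` account are all constructed here. Besides reproducing the poster's observation (otherAdmin, home site "home", is granted site4 administration by the old line and denied by the new one), the model shows two properties of the old line that follow from the quoted code: it matches the group name as a word-boundary regex rather than by exact equality, and it had no guard for an empty `$group`, which the new line adds with `and $group`.

```python
import re

# Constructed /etc/group-style membership (not taken from a real RaQ).
GROUPS = {
    "home": ["otherAdmin", "backupAdmin"],
    "site4": ["admin", "siteAdmin", "otherAdmin"],
    "site4-backup": ["backupAdmin"],   # constructed: contains "site4" as a word
    "siteAdmins": ["siteAdmin"],       # constructed stand-in for $Sites_AdminGroup
}

# Constructed: the site each account was created under. This stands in for
# (user_list_site($user))[1] in the Cobalt code.
HOME_SITE = {
    "admin": "home",
    "siteAdmin": "site4",
    "otherAdmin": "home",
    "backupAdmin": "home",
}

ADMIN_USER = "admin"            # stands in for $AdminUser
SITES_ADMIN_GROUP = "siteAdmins"  # stands in for $Sites_AdminGroup


def user_list_groups(user):
    """Every group the user is a member of (models user_list_groups)."""
    return [name for name, members in GROUPS.items() if user in members]


def user_list_site(user):
    """The user's home site group (models (user_list_site($user))[1])."""
    return HOME_SITE.get(user)


def group_show(group):
    """Members of a group (models group_show)."""
    return GROUPS.get(group, [])


def user_authok(user, access, group=None, legacy=False):
    """Port of user_authok. legacy=True uses the old 'group' line,
    legacy=False the current one. Returns 0 (deny) or 1 (allow) like the Perl."""
    if not user:
        return 0
    if user == ADMIN_USER:
        return 1
    if re.search(r"\badmin\b", access) and user == ADMIN_USER:
        return 1
    if re.search(r"\bsite-adm\b", access) and user in group_show(SITES_ADMIN_GROUP):
        return 1
    if re.search(r"\bgroup\b", access):
        if legacy:
            # Old line: grep(/\b$group\b/, user_list_groups($user)).
            # $group is interpolated unescaped into the regex, as in the Perl,
            # and there is no check that $group is non-empty.
            pattern = re.compile(r"\b" + (group or "") + r"\b")
            if any(pattern.search(g) for g in user_list_groups(user)):
                return 1
        else:
            # New line: $group and ($group eq (user_list_site($user))[1]).
            if group and group == user_list_site(user):
                return 1
    return 0


def compare(user, group):
    """(old result, new result) for the 'group' access check."""
    return (user_authok(user, "group", group, legacy=True),
            user_authok(user, "group", group, legacy=False))


if __name__ == "__main__":
    for user in ["admin", "siteAdmin", "otherAdmin", "backupAdmin"]:
        old, new = compare(user, "site4")
        print("%-12s site4 admin?  old=%d  new=%d" % (user, old, new))
    # Empty $group: the old line still matches because /\b\b/ matches any
    # group name with a word character; the new line denies.
    print("otherAdmin with empty group: old=%d new=%d" % compare("otherAdmin", ""))
```

Under the old line, membership in any group whose name contains the requested site name as a word is enough, regardless of which site the account belongs to; under the new line, only the site the account was created under qualifies, which is exactly the behaviour change the post describes for otherAdmin.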