Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
| Comment: | Improvements to privilege processing and the "Security Audit" page /secaudit0. |
|---|---|
| Downloads: | Tarball | ZIP archive | SQL archive |
| Timelines: | family | ancestors | descendants | both | trunk |
| Files: | files | file ages | folders |
| SHA3-256: |
397d23c161aa500223a84969427b4f14 |
| User & Date: | drh 2018-08-17 12:32:26 |
Context
|
2018-08-17
| ||
| 13:04 | Break out the user configuration pages into a separate "setupuser.c" source file. check-in: a49ed35b user: drh tags: trunk | |
| 12:32 | Improvements to privilege processing and the "Security Audit" page /secaudit0. check-in: 397d23c1 user: drh tags: trunk | |
| 01:27 | Allow + signs in email addresses. Added a comment to link to a source giving the true limit on legal characters in email addresses, which are currently far less restrictive than our newly-expanded limits. check-in: 1bfd7903 user: wyoung tags: trunk | |
Changes
Changes to src/capabilities.c.
98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 |
** if "u" is present and "developer" if "v" is present.
*/
void capability_expand(CapabilityString *pIn){
static char *zNobody = 0;
static char *zAnon = 0;
static char *zReader = 0;
static char *zDev = 0;
if( pIn==0 ){
fossil_free(zNobody); zNobody = 0;
fossil_free(zAnon); zAnon = 0;
fossil_free(zReader); zReader = 0;
fossil_free(zDev); zDev = 0;
return;
}
if( pIn->x['v'] ){
if( zDev==0 ){
zDev = db_text(0, "SELECT cap FROM user WHERE login='developer'");
}
pIn = capability_add(pIn, zDev);
}
if( pIn->x['u'] ){
if( zReader==0 ){
zReader = db_text(0, "SELECT cap FROM user WHERE login='reader'");
}
pIn = capability_add(pIn, zReader);
}
if( zNobody==0 ){
zNobody = db_text(0, "SELECT cap FROM user WHERE login='nobody'");
zAnon = db_text(0, "SELECT cap FROM user WHERE login='anonymous'");
}
pIn = capability_add(pIn, zAnon);
pIn = capability_add(pIn, zNobody);
}
/*
** Render a capability string in canonical string format. Space to hold
** the returned string is obtained from fossil_malloc() can should be freed
** by the caller.
*/
|
> < < < < < < < < < < < < > > > > > > > > > > > > |
98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 |
** if "u" is present and "developer" if "v" is present.
*/
void capability_expand(CapabilityString *pIn){
static char *zNobody = 0;
static char *zAnon = 0;
static char *zReader = 0;
static char *zDev = 0;
int doneV = 0;
if( pIn==0 ){
fossil_free(zNobody); zNobody = 0;
fossil_free(zAnon); zAnon = 0;
fossil_free(zReader); zReader = 0;
fossil_free(zDev); zDev = 0;
return;
}
if( zNobody==0 ){
zNobody = db_text(0, "SELECT cap FROM user WHERE login='nobody'");
zAnon = db_text(0, "SELECT cap FROM user WHERE login='anonymous'");
zReader = db_text(0, "SELECT cap FROM user WHERE login='reader'");
zDev = db_text(0, "SELECT cap FROM user WHERE login='developer'");
}
pIn = capability_add(pIn, zAnon);
pIn = capability_add(pIn, zNobody);
if( pIn->x['v'] ){
pIn = capability_add(pIn, zDev);
doneV = 1;
}
if( pIn->x['u'] ){
pIn = capability_add(pIn, zReader);
if( pIn->x['v'] && !doneV ){
pIn = capability_add(pIn, zDev);
}
}
}
/*
** Render a capability string in canonical string format. Space to hold
** the returned string is obtained from fossil_malloc() can should be freed
** by the caller.
*/
|
Changes to src/login.c.
1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 |
case '3': p->WrForum = 1;
case '2': p->RdForum = 1; break;
case '7': p->EmailAlert = 1; break;
case 'A': p->Announce = 1; break;
case 'D': p->Debug = 1; break;
/* The "u" privileges is a little different. It recursively
** inherits all privileges of the user named "reader" */
case 'u': {
if( (flags & LOGIN_IGNORE_UV)==0 ){
const char *zUser;
zUser = db_text("", "SELECT cap FROM user WHERE login='reader'");
login_set_capabilities(zUser, flags | LOGIN_IGNORE_UV);
}
break;
}
/* The "v" privileges is a little different. It recursively
** inherits all privileges of the user named "developer" */
case 'v': {
if( (flags & LOGIN_IGNORE_UV)==0 ){
const char *zDev;
zDev = db_text("", "SELECT cap FROM user WHERE login='developer'");
login_set_capabilities(zDev, flags | LOGIN_IGNORE_UV);
}
break;
}
}
}
}
|
| | > | | | > | |
1300 1301 1302 1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319 1320 1321 1322 1323 1324 1325 1326 1327 1328 1329 1330 1331 1332 1333 |
case '3': p->WrForum = 1;
case '2': p->RdForum = 1; break;
case '7': p->EmailAlert = 1; break;
case 'A': p->Announce = 1; break;
case 'D': p->Debug = 1; break;
/* The "u" privilege recursively
** inherits all privileges of the user named "reader" */
case 'u': {
if( p->XReader==0 ){
const char *zUser;
p->XReader = 1;
zUser = db_text("", "SELECT cap FROM user WHERE login='reader'");
login_set_capabilities(zUser, flags);
}
break;
}
/* The "v" privilege recursively
** inherits all privileges of the user named "developer" */
case 'v': {
if( p->XDeveloper==0 ){
const char *zDev;
p->XDeveloper = 1;
zDev = db_text("", "SELECT cap FROM user WHERE login='developer'");
login_set_capabilities(zDev, flags);
}
break;
}
}
}
}
|
Changes to src/main.c.
98 99 100 101 102 103 104 105 106 107 108 109 110 111 |
char WrForum; /* 3: Create new forum posts */ char WrTForum; /* 4: Post to forums not subject to moderation */ char ModForum; /* 5: Moderate (approve or reject) forum posts */ char AdminForum; /* 6: Set or remove capability 4 on other users */ char EmailAlert; /* 7: Sign up for email notifications */ char Announce; /* A: Send announcements */ char Debug; /* D: show extra Fossil debugging features */ }; #ifdef FOSSIL_ENABLE_TCL /* ** All Tcl related context information is in this structure. This structure ** definition has been copied from and should be kept in sync with the one in ** "th_tcl.c". |
> > > |
98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 |
char WrForum; /* 3: Create new forum posts */ char WrTForum; /* 4: Post to forums not subject to moderation */ char ModForum; /* 5: Moderate (approve or reject) forum posts */ char AdminForum; /* 6: Set or remove capability 4 on other users */ char EmailAlert; /* 7: Sign up for email notifications */ char Announce; /* A: Send announcements */ char Debug; /* D: show extra Fossil debugging features */ /* These last two are included to block infinite recursion */ char XReader; /* u: Inherit all privileges of "reader" */ char XDeveloper; /* v: Inherit all privileges of "developer" */ }; #ifdef FOSSIL_ENABLE_TCL /* ** All Tcl related context information is in this structure. This structure ** definition has been copied from and should be kept in sync with the one in ** "th_tcl.c". |
Changes to src/security_audit.c.
56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 ... 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 ... 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 ... 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 |
@ <ol>
/* Step 1: Determine if the repository is public or private. "Public"
** means that any anonymous user on the internet can access all content.
** "Private" repos require (non-anonymous) login to access all content,
** though some content may be accessible anonymously.
*/
zAnonCap = db_text("", "SELECT capunion(cap) FROM user"
" WHERE login IN ('anonymous','nobody')");
zPubPages = db_get("public-pages",0);
if( hasAnyCap(zAnonCap,"as") ){
@ <li><p>This repository is <big><b>Wildly INSECURE</b></big> because
@ it grants administrator privileges to anonymous users. You
@ should <a href="takeitprivate">take this repository private</a>
@ immediately! Or, at least remove the Setup and Admin privileges
@ for users "anonymous" and "login" on the
................................................................................
** from tickets.
*/
if( hasAnyCap(zAnonCap, "e") ){
@ <li><p><b>WARNING:</b>
@ Anonymous users can view email addresses and other personally
@ identifiable information on tickets.
@ <p>Fix this by removing the "Email" privilege
@ (<a href="setup_ucap_list">capability "e") from users
@ "anonymous" and "nobody" on the
@ <a href="setup_ulist">User Configuration</a> page.
}
/* Anonymous users probably should not be allowed to push content
** to the repository.
*/
................................................................................
@ <a href="setup_ulist">User Configuration</a> page or
}
/* Administrative privilege should only be provided to
** specific individuals, not to entire classes of people.
** And not too many people should have administrator privilege.
*/
z = db_text(0, "SELECT group_concat(login,' AND ') FROM user"
" WHERE cap GLOB '*[as]*'"
" AND login in ('anonymous','nobody','reader','developer')");
if( z && z[0] ){
@ <li><p>
@ Administrative privilege is granted to an entire class of users
@ (%h(z)). Ideally, the Write-Unver privilege should only be
@ granted to specific individuals.
}
n = db_int(0,"SELECT count(*) FROM user WHERE cap GLOB '*[as]*'");
if( n==0 ){
@ <li><p>
@ No users have administrator privilege.
}else{
z = db_text(0,
"SELECT group_concat("
"printf('<a href=''setup_uedit?id=%%d''>%%s</a>',uid,login),"
"', ')"
" FROM user"
" WHERE cap GLOB '*[as]*'"
);
@ <li><p>
@ Users with administrator privilege are: %s(z)
fossil_free(z);
if( n>3 ){
@ <p><b>Caution</b>:
@ Administrator privilege is granted to
@ <a href='setup_ulist?with=as'>%d(n) users</a>.
@ Ideally, administator privilege ('s' or 'a') should only
@ be granted to one or two users.
}
}
................................................................................
"printf('<a href=''setup_uedit?id=%%d''>%%s</a>',uid,login),"
"' and ')"
" FROM user"
" WHERE cap GLOB '*y*'"
" AND login in ('anonymous','nobody','reader','developer')"
);
if( z && z[0] ){
@ <li><p>
@ The "Write-Unver" privilege is granted to an entire class of users
@ (%s(z)). Ideally, the Write-Unver privilege should only be
@ granted to specific individuals.
fossil_free(z);
}
n = db_int(0,"SELECT count(*) FROM user WHERE cap GLOB '*y*'");
if( n>0 ){
z = db_text(0,
"SELECT group_concat("
"printf('<a href=''setup_uedit?id=%%d''>%%s</a>',uid,login),', ')"
" FROM user WHERE cap GLOB '*y*'"
);
@ <li><p>
@ Users with "Write-Unver" privilege: %s(z)
fossil_free(z);
if( n>3 ){
@ <p><b>Caution:</b>
@ The "Write-Unver" privilege ('y') is granted to an excessive
|
| < | > | > > > | | > | > | | | | | | | | < | |
56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 ... 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 ... 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 ... 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 |
@ <ol>
/* Step 1: Determine if the repository is public or private. "Public"
** means that any anonymous user on the internet can access all content.
** "Private" repos require (non-anonymous) login to access all content,
** though some content may be accessible anonymously.
*/
zAnonCap = db_text("", "SELECT fullcap(NULL)");
zPubPages = db_get("public-pages",0);
if( hasAnyCap(zAnonCap,"as") ){
@ <li><p>This repository is <big><b>Wildly INSECURE</b></big> because
@ it grants administrator privileges to anonymous users. You
@ should <a href="takeitprivate">take this repository private</a>
@ immediately! Or, at least remove the Setup and Admin privileges
@ for users "anonymous" and "login" on the
................................................................................
** from tickets.
*/
if( hasAnyCap(zAnonCap, "e") ){
@ <li><p><b>WARNING:</b>
@ Anonymous users can view email addresses and other personally
@ identifiable information on tickets.
@ <p>Fix this by removing the "Email" privilege
@ (<a href="setup_ucap_list">capability "e"</a>) from users
@ "anonymous" and "nobody" on the
@ <a href="setup_ulist">User Configuration</a> page.
}
/* Anonymous users probably should not be allowed to push content
** to the repository.
*/
................................................................................
@ <a href="setup_ulist">User Configuration</a> page or
}
/* Administrative privilege should only be provided to
** specific individuals, not to entire classes of people.
** And not too many people should have administrator privilege.
*/
z = db_text(0,
"SELECT group_concat("
"printf('<a href=''setup_uedit?id=%%d''>%%s</a>',uid,login),"
"' and ')"
" FROM user"
" WHERE cap GLOB '*[as]*'"
" AND login in ('anonymous','nobody','reader','developer')"
);
if( z && z[0] ){
@ <li><p><b>WARNING:</b>
@ Administrative privilege ('a' or 's')
@ is granted to an entire class of users: %s(z).
@ Administrative privilege should only be
@ granted to specific individuals.
}
n = db_int(0,"SELECT count(*) FROM user WHERE fullcap(cap) GLOB '*[as]*'");
if( n==0 ){
@ <li><p>
@ No users have administrator privilege.
}else{
z = db_text(0,
"SELECT group_concat("
"printf('<a href=''setup_uedit?id=%%d''>%%s</a>',uid,login),"
"', ')"
" FROM user"
" WHERE fullcap(cap) GLOB '*[as]*'"
);
@ <li><p>
@ Users with administrator privilege are: %s(z)
fossil_free(z);
if( n>3 ){
@ <li><p><b>WARNING:</b>
@ Administrator privilege is granted to
@ <a href='setup_ulist?with=as'>%d(n) users</a>.
@ Ideally, administator privilege ('s' or 'a') should only
@ be granted to one or two users.
}
}
................................................................................
"printf('<a href=''setup_uedit?id=%%d''>%%s</a>',uid,login),"
"' and ')"
" FROM user"
" WHERE cap GLOB '*y*'"
" AND login in ('anonymous','nobody','reader','developer')"
);
if( z && z[0] ){
@ <li><p><b>WARNING:</b>
@ The "Write-Unver" privilege is granted to an entire class of users: %s(z).
@ The Write-Unver privilege should only be granted to specific individuals.
fossil_free(z);
}
n = db_int(0,"SELECT count(*) FROM user WHERE cap GLOB '*y*'");
if( n>0 ){
z = db_text(0,
"SELECT group_concat("
"printf('<a href=''setup_uedit?id=%%d''>%%s</a>',uid,login),', ')"
" FROM user WHERE fullcap(cap) GLOB '*y*'"
);
@ <li><p>
@ Users with "Write-Unver" privilege: %s(z)
fossil_free(z);
if( n>3 ){
@ <p><b>Caution:</b>
@ The "Write-Unver" privilege ('y') is granted to an excessive
|
Changes to src/setup.c.
248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 |
" UNION ALL"
" SELECT login AS uname, rcvfrom.mtime AS mtime"
" FROM rcvfrom JOIN user USING(uid))"
" GROUP BY 1;"
);
}
if( zWith && zWith[0] ){
zWith = mprintf(" AND cap GLOB '*[%q]*'", zWith);
}else{
zWith = "";
}
db_prepare(&s,
"SELECT uid, login, cap, info, date(mtime,'unixepoch'),"
" lower(login) AS sortkey, "
" CASE WHEN info LIKE '%%expires 20%%'"
|
| |
248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 |
" UNION ALL"
" SELECT login AS uname, rcvfrom.mtime AS mtime"
" FROM rcvfrom JOIN user USING(uid))"
" GROUP BY 1;"
);
}
if( zWith && zWith[0] ){
zWith = mprintf(" AND fullcap(cap) GLOB '*[%q]*'", zWith);
}else{
zWith = "";
}
db_prepare(&s,
"SELECT uid, login, cap, info, date(mtime,'unixepoch'),"
" lower(login) AS sortkey, "
" CASE WHEN info LIKE '%%expires 20%%'"
|