Fossil

Check-in [752365e7]

Overview
Comment: Improved wording on some of the security-audit warnings.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: 752365e71f515638f3f9509941683734a84c489f141bd24841248061ab01eb5c
User & Date: drh 2017-07-01 00:52:13
Context
2017-07-01
03:08
Typo fix in documentation. check-in: 38f37679 user: drh tags: trunk
00:52
Improved wording on some of the security-audit warnings. check-in: 752365e7 user: drh tags: trunk
00:51
More security-audit checks. check-in: 4253b1de user: drh tags: trunk
Changes

Changes to src/security_audit.c.

Old version (lines 193-219):
  ** specific individuals, not to entire classes of people.
  */
  z = db_text(0, "SELECT group_concat(login,' AND ') FROM user"
                 " WHERE cap GLOB '*y*'"
                 "   AND login in ('anonymous','nobody','reader','developer')");
  if( z && z[0] ){
    @ <li><p>
    @ The "Write-Unver" privilege is granted to an entire of users
    @ (%h(z)).  Ideally, the Write-Unver privilege should only be
    @ granted to specific individuals, each of whom are highly trusted.
  }

  /* Check to see if push-unversioned is granted to many people.
  */
  n = db_int(0,"SELECT count(*) FROM user WHERE cap GLOB '*y*'");
  if( n>3 ){
    @ <li><p>
    @ The "Write-Unver" privilege is granted to a large number of
    @ users (%d(n)).  Ideally, the Write-Unver privilege should only
    @ be granted to one or two specific individuals.
  }

  /* Notify if REMOTE_USER or HTTP_AUTHENTICATION is used for login.
  */
  if( db_get_boolean("remote_user_ok", 0) ){
    @ <li><p>
    @ This repository trusts that the REMOTE_USER environment variable set
New version (lines 193-219):
  ** specific individuals, not to entire classes of people.
  */
  z = db_text(0, "SELECT group_concat(login,' AND ') FROM user"
                 " WHERE cap GLOB '*y*'"
                 "   AND login in ('anonymous','nobody','reader','developer')");
  if( z && z[0] ){
    @ <li><p>
    @ The "Write-Unver" privilege is granted to an entire class of users
    @ (%h(z)).  Ideally, the Write-Unver privilege should only be
    @ granted to specific individuals.
  }

  /* Check to see if push-unversioned is granted to many people.
  */
  n = db_int(0,"SELECT count(*) FROM user WHERE cap GLOB '*y*'");
  if( n>3 ){
    @ <li><p>
    @ The "Write-Unver" privilege is granted to %d(n) users.
    @ Ideally, the Write-Unver privilege should only
    @ be granted to one or two users.
  }

  /* Notify if REMOTE_USER or HTTP_AUTHENTICATION is used for login.
  */
  if( db_get_boolean("remote_user_ok", 0) ){
    @ <li><p>
    @ This repository trusts that the REMOTE_USER environment variable set
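Review bot: the reworded message in the second check, `Ideally, the Write-Unver privilege should only` / `be granted to one or two users.`, does not agree with the condition that produces it, `if( n>3 ){`: a repository with exactly three Write-Unver holders gets no warning at all, even though the advice says one or two. Either loosen the text (for example "to as few users as possible") or tighten the threshold to `n>2` so the trigger and the wording match. The first check reads correctly as revised: the old "an entire of users" and "each of whom are highly trusted" are fixed, and the login list is still rendered through `%h(z)`, so user-chosen login names are HTML-escaped before they appear in the audit page.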