Hi Georges and bugtracker,

On Thu, 25 Oct 2007, Georges Khaznadar wrote:

Hello Boud, once again, I do not succeed in reproducing this bug.

I shall try again next week, after my travel.

Best regards,                   Georges.

Boud Roukema wrote:
Hi,

i'm not sure if this is related or independent - for the moment let's assume it's part of the same bug...


PROBLEM: It is very difficult in the wims documentation (of different sorts!, except possibly on the sympa mailing list archive, which is probably not catalogued by google because of the antispam button (?)) to find out how the sys admin should carry out basic admin tasks. i have failed in 3.62-8. In 3.58, the following hack worked for me:

(1) in ~wims/log/wims.conf put

manager_site=<MY_IP_NUMBER>

(2) in public_html/themes/default/supervisor.phtml put

<br><small>
!href module=adm/manage $N_manage
</small><br>

somewhere inside the <BODY> ... </BODY>

(3) log in as teacher (supervisor) of a class, and then click on the
management button.


In my present installation of 3.62-8, this hack no longer works, especially since i can't get (3) to work for my old classes which i have copied (including dot files) into log/classes/ . Since i can imagine that some of the parameters and structures might have changed from 3.58 to 3.62-8, i thought it best to first try creating a new class. But i cannot create a new class. So this is a circular loop: i cannot log in as supervisor in order to get administrator access, and i cannot get administrator access in order to (maybe) fix up what's preventing the creation of new classes and me becoming a (new) supervisor.


The chmod's i did listed in my replies to Bug#447156 have enabled the adm/manage function.

So the problem was clearly to do with security protections.

Now the function itself would require a hack in the source code +
recompilation to work fully. Why?

The new problem:

WIMS site maintenance
This tool allows site manager to maintain this
WIMS installation online. Its access is strictly controled by
definitions in the configuration file log/wims.conf.

Attention!!! The file log/wims.conf is world readable!

There is a serious risk that your site manager setup and/or password
have leaked. Now you MUST change the file attribute of log/wims.conf
by making them readable only by the owner, and make more secure
definitions in it whenever possible.

Once you have done this, try this page again.


In fact, the log/wims.conf is *not* world readable, but it *is* group readable, meaning that the apache user www-data has access to it.


If i do   chmod g-rw log/wims.conf  and i reload the page, i then get:

WIMS site maintenance

Sorry but you are not recognized as manager of this site. You don't
have right to access this module.


For me personally this is not a big problem in the short term, since i'm
happy to do things from the command line, but for sysadmins who like web-based "sysadmin", it's probably still a bug.

good luck
boud
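As an added example (not from the bug report or from WIMS itself), the POSIX shell functions below classify who can read a file such as log/wims.conf from its mode bits and check whether a given account (for instance www-data) could read it through the owner bits, group membership or the world bits; this covers the group-readable case that the WIMS "world readable" warning above does not flag. They assume GNU coreutils stat and id.

```shell
#!/bin/sh
# Print three flags (owner group other): 1 if that class has the read bit.
# Works on the octal mode from GNU stat, e.g. "640" or "2640" (setgid).
read_bits() {
    mode=$(stat -c '%a' "$1") || return 1
    other=${mode#"${mode%?}"}; rest=${mode%?}      # last octal digit
    group=${rest#"${rest%?}"};  rest=${rest%?}      # second to last
    owner=${rest#"${rest%?}"}                       # third to last
    for d in "$owner" "$group" "$other"; do
        case "$d" in 4|5|6|7) printf '1 ' ;; *) printf '0 ' ;; esac
    done
    printf '\n'
}

# Widest class that can read the file: world, group, owner or none.
# WIMS only warns on "world"; "group" is what the report above describes.
conf_readability() {
    bits=$(read_bits "$1") || return 1
    set -- $bits
    if   [ "$3" = 1 ]; then echo world
    elif [ "$2" = 1 ]; then echo group
    elif [ "$1" = 1 ]; then echo owner
    else echo none; fi
}

# Return 0 if account $2 (e.g. www-data) can read file $1 by mode bits:
# via the world bit, as the owner, or as a member of the file's group.
user_can_read() {
    f="$1"; user="$2"
    bits=$(read_bits "$f") || return 1
    set -- $bits
    owner_name=$(stat -c '%U' "$f"); group_name=$(stat -c '%G' "$f")
    [ "$3" = 1 ] && return 0
    [ "$1" = 1 ] && [ "$user" = "$owner_name" ] && return 0
    if [ "$2" = 1 ]; then
        for g in $(id -nG "$user" 2>/dev/null); do
            [ "$g" = "$group_name" ] && return 0
        done
    fi
    return 1
}

# Usage (assumed paths): conf_readability /var/lib/wims/log/wims.conf
#                        user_can_read /var/lib/wims/log/wims.conf www-data
```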
