Hello Boud,

I think that the permissions of the files coming with the Debian Package are OK. So I modified the warning system which came with the upstream version. You should no longer be bothered by the problems related to the permissions of wims.conf since the revision 3.62-9 of the package.

Boud Roukema wrote:
> hi Georges and bugtracker,
>
> On Thu, 25 Oct 2007, Georges Khaznadar wrote:
>
>> Hello Boud, once again, I do not succeed in reproducing this bug.
>>
>> I shall try again next week, after my travel.
>>
>> Best regards, Georges.
>>
>> Boud Roukema wrote:
>>> hi,
>>>
>>> i'm not sure if this is related or independent - for the moment let's
>>> assume it's part of the same bug...
>>>
>>>
>>> PROBLEM: It is very difficult in the wims documentation (of different
>>> sorts!, except possibly on the sympa mailing list archive which is
>>> probably not catalogued by google because of the antispam button (?))
>>> to find out how the sys admin should carry out basic admin tasks.
>>> i have failed in 3.62-8. In 3.58, the following hack worked for me:
>>>
>>> (1) in ~wims/log/wims.conf put
>>>
>>> manager_site=<MY_IP_NUMBER>
>>>
>>> (2) in public_html/themes/default/supervisor.phtml put
>>>
>>> <br><small>
>>> !href module=adm/manage $N_manage
>>> </small><br>
>>>
>>> somewhere inside the <BODY> ... </BODY>
>>>
>>> (3) log in as teacher (supervisor) of a class, and then click on the
>>> management button.
>>>
>>>
>>> In my present installation of 3.62-8, this hack no longer works,
>>> especially since i can't get (3) to work for my old classes which i
>>> have copied (including dot files) into log/classes/ . Since i can
>>> imagine that some of the parameters and structures might have changed
>>> from 3.58 to 3.62-8, i thought it best to first try creating a new
>>> class. But i cannot create a new class. So this is a circular loop:
>>> i cannot log in as supervisor in order to get administrator access,
>>> and i cannot get administrator access in order to (maybe) fix up
>>> what's preventing the creation of new classes and me becoming a (new)
>>> supervisor.
>
>
> The chmod's i did listed in my replies to Bug#447156 have enabled the
> adm/manage function.
>
> So the problem was clearly to do with security protections.
>
> Now the function itself would require a hack in the source code +
> recompilation to work fully. Why?
>
> The new problem:
>
>> WIMS site maintenance
>> This tool allows site manager to maintain this
>> WIMS installation online. Its access is strictly controled by
>> definitions in the configuration file log/wims.conf.
>> Attention!!! The file log/wims.conf is world readable!
>> There is a serious risk that your site manager setup and/or password
>> have leaked. Now you MUST change the file attribute of log/wims.conf
>> by making them readable only by the owner, and make more secure
>> definitions in it whenever possible.
>> Once you have done this, try this page again.
>
>
> In fact, the log/wims.conf is *not* world readable, but it *is* group
> readable, meaning that the apache user www-data has access to it.
>
>
> If i do chmod g-rw log/wims.conf and i reload the page, i then get:
>
>> WIMS site maintenance
>>
>> Sorry but you are not recognized as manager of this site. You don't
>> have right to access this module.
>
>
> For me personally this is not a big problem in the short term, since i'm
> happy to do things from the command line, but for sysadmins who like
> web-based "sysadmin", it's probably still a bug.
>
> good luck
> boud

--
Georges KHAZNADAR and Jocelyne FOURNIER
22 rue des mouettes, 59240 Dunkerque France.
Telephone +33 (0)3 28 29 17 70
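The thread turns on the difference between a group-readable and a world-readable `log/wims.conf`. The following is an added example, not part of the original messages and not WIMS or Debian package code: a small audit that reports which of the two applies. The function names and the temporary file standing in for `log/wims.conf` are assumptions made for illustration.

```python
import os
import stat
import tempfile


def classify_exposure(perms):
    """Name the widest class of users that can read a file with these mode bits."""
    if perms & stat.S_IROTH:
        return "world-readable"
    if perms & stat.S_IRGRP:
        return "group-readable"
    return "owner-only"


def audit_conf(path):
    """Stat a config file and report read/write exposure beyond its owner."""
    st = os.stat(path)
    perms = stat.S_IMODE(st.st_mode)
    return {
        "mode": format(perms, "04o"),
        "symbolic": stat.filemode(st.st_mode),
        "exposure": classify_exposure(perms),
        "group_gid": st.st_gid,  # the group whose members can read when g+r is set
        "writable_beyond_owner": bool(perms & (stat.S_IWGRP | stat.S_IWOTH)),
    }


def demo():
    """Audit one constructed temp file (stand-in for log/wims.conf) under three modes."""
    results = {}
    fd, path = tempfile.mkstemp(suffix=".conf")
    os.close(fd)
    try:
        # Constructed modes: world-readable, group read/write, owner-only.
        for mode in (0o644, 0o660, 0o600):
            os.chmod(path, mode)
            results[format(mode, "04o")] = audit_conf(path)
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    for mode, report in demo().items():
        print(mode, report["symbolic"], report["exposure"],
              "writable beyond owner:", report["writable_beyond_owner"])
```
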