On Thu, Apr 07, 2005 at 05:39:26PM +0200, Paul Slootman wrote:

[sorry for loooong delay, msg slipped up above *00 msgs in mutt thread view
and must have overlooked it]

...
> Well, it only happens in a very specific configuration that I guess most
> people will never think of, so I'd hesitate to raise the severity beyond
> important right now. Nevertheless I'll try to find a fix ASAP.

hmm, ok, provided the quirk is duly documented.

> > > [2.8e-1 on Sarge, on same host as wwwoffled ]
> > # wwwoffle -status -p 192.168.0.13:5866
> > [no answer, rc=0]
> >
> > [2.7a on Woody, on same host as wwwoffled ]
> > # wwwoffle -status -p 192.168.0.13:5866
> > WWWOFFLE Incorrect Password
> >
> > I think the old behaviour is better.

well, now (2.8e-2) from a remote host, I get:

~# wwwoffle -status -p pmab:5867
Can't read from control port (is this host allowed?)

pmab has

StartUp {
 bind-ipv4 = 192.168.0.53
 http-port = 8080
 wwwoffle-port = 5867
 ...

and I've changed pwd since starting the server.

On pmab I get

~# wwwoffle -status -c /etc/wwwoffle/wwwoffle.conf
WWWOFFLE Incorrect Password

hmm... ok, that's because I've put

AllowedConnectHosts {
 192.168.0.0/24
}

which wwwoffle seems to not understand (or take as a fancy hostname).
Then putting 192.168.0.* I get on remote same 'Incorrect Password' answer.

> > # wwwoffle -status -c /etc/wwwoffle/wwwoffle.conf -p 192.168.0.13:5866
> > wwwoffle: The '-p' and '-c' options cannot be used together.
>
> Hmm, this looks like a bug that was introduced when making it the
> default to read the conf file as standard... I'll look into this today.

this is not resolved yet: if I change pwd in the .conf, I'm still
closing the door with the key on the other side - no way to run
wwwoffle -config.

> > Note that's perfectly reasonable to _not_ bind to 127.0.0.1.
>
> Agreed.

yep, this seems solved. Init script does what's expected in any case.

> > I don't see any solution at script level. wwwoffle should just be able
> > to do the right thing when given the -c file, though I'd rather have the
> > -pwd option, as that's more flexible.
>
> -pwd means that anyone on the system can read the password... Unless you
> mean that it should interactively ask the password from the terminal?

well, many programs offer the possibility to pass the pwd on stdin, on
cmd line, interactively or from file.
From terminal would be ok for local/remote interactive session, but the
other options would be needed for scripting; yes -pwd on cmd line would
normally expose the key, but see what eg smbmount does, if you put
--password=key you won't see the key on ps ax. A pwd file is handy,
perhaps searched in a default location, eg ~/.wwwoffle/passwd like vnc
etc., before switching uid.

Anyway the main point here is to break the guaranteed deadlock you have
since
1) -c / -p aren't allowed together
2) cannot specify pwd other than in .conf
3) .conf data are not overridden by cmd line opts.

I think ripping out the pwd from the config would be better, like is
done in rsync etc. as it avoids the chicken-egg dilemma on -config.

> > Set a password (pseudo-diff)
>
> I'm assuming this is on the server itself?
>
> > #----wwwoffle.conf---
> > - password =
> > + password = secret
> > #--------------------

yes

> >
> > [from either remote (allowed) host or localhost]
> > # wwwoffle -config -p 192.168.0.13:5866
> > WWWOFFLE Reading Configuration File.
> > WWWOFFLE Read Configuration File.
>
> Doing this from a remote host means there's also a local wwwoffle.conf,
> right? I assume that you have put the right password in there :-)

not needed, that's the point. When pwd is unset remote can do

wwwoffle <cmd> -p host:port

But that works _even after_ pwd is set/changed on server and -config is
issued and apparently acknowledged. There's an asymmetry on server, in
that -p works while -c doesn't, so in latter case new/set pwd is used
while in 1st case it isn't.

At present, it should at least be clearly stated in the docs that
control access credentials are _not_ changed by -config. Actually, at
present once set they _cannot_ be changed at all and kill/start cycle is
mandatory.

Finally note a funny situation: on server set

StartUp {
 bind-ipv4 = 192.168.0.53
 http-port = 8080
 wwwoffle-port = 5867
 password = secret
}

restart wwwoffled.

On remote do

echo '
StartUp {
 bind-ipv4 = 192.168.0.53
 http-port = 8080
 wwwoffle-port = 5867
 password = secret
}
' > ~/.wwwoffle

now on server:

~# wwwoffle -config -p pmab:5867
WWWOFFLE Incorrect Password
~# wwwoffle -config -c /etc/wwwoffle/wwwoffle.conf
WWWOFFLE Reading Configuration File.
WWWOFFLE Read Configuration File.

on remote:

~# wwwoffle -config -p pmab:5867
WWWOFFLE Incorrect Password
~# wwwoffle -config -c ~/.wwwoffle
WWWOFFLE Reading Configuration File.
WWWOFFLE Read Configuration File.

Ok, change server pwd in .conf:

...
#----wwwoffle.conf---
- password = secret
+ password = nosecret
#--------------------

now on server:

~# wwwoffle -config -c /etc/wwwoffle/wwwoffle.conf
WWWOFFLE Incorrect Password
pmab:~# wwwoffle -config -p pmab:5867
WWWOFFLE Incorrect Password

ie locked out; on remote instead, of course:

~# wwwoffle -config -c ~/.wwwoffle
WWWOFFLE Reading Configuration File.
WWWOFFLE Read Configuration File.

--
paolo

GPG/PGP id:0x21426690 kfp:EDFB 0103 A8D8 4180 8AB5 D59E 9771 0F28 2142 6690
"Indeed, it does come with warranty: it *will* fail, sometimes, somehow..."
 - software vendor