|[ < ]||[ > ]||[ << ]||[ Up ]||[ >> ]||[Top]||[Contents]||[Index]||[ ? ]|
GNATS supports granting various levels of access to the GNATS databases served by the network daemon, GNATSD.
GNATS access can be controlled at these levels:
deny - gnatsd closes the connection none - no further access until userid and password given view - query and view PRs with Confidential=no only viewconf - query and view PRs with Confidential=yes edit - full edit access admin - full admin access (not currently used)
There are three main features:
- security by obscurity, defined in the next paragraph - access level set by host name or IP address - access level set by userid and password
gnatsd has parameters
--require-db. If so
executed, nobody gets in unless they are able to ask for a database by
alias name with the
CHDB (change database) command. If you
specify an incorrect database alias the connection is closed. Only the
CHDB command is allowed, and you just get one try.
The second field of the `gnats-adm/gnatsd.conf' file is the access
level for the user's host. The default is
edit to be compatible
with previous releases of
gnats. If the user's hostname isn't in
the `gnatsd.conf' file or its access level is
connection is closed immediately.
CHDB command is processed (or defaulted), the user's
access level is set to the level for their host.
Even if a host is given the
none access, an individual can still
USER command to possibly gain a higher (but never lower)
access than is set for their host. The gnatsd
USER command takes
USER <userid> <passwd>.
An optional file `gnats-adm/gnatsd.access' specifies the user access rules. If it doesn't exist, or doesn't contain the user name given to gnatsd, then `/etc/gnatsd.access' is also checked. This filename is set in `config.c' at compile time.
If the access level is
none after processing the userid and
password, the connection is closed.
The `gnatsd.access' file is clear text, but it is installed to be owned by the GNATS user with file permission 600.
Wildcard characters are supported for the userid and password. A null string or "*" matches anything; "?" matches any one character.
A `gnatsd.access' file might look like this:
# field 1: user # field 2: passwd # field 3: access (valid entries: deny, none, view, viewconf, edit, admin) # field 4: database (/etc/gnatsd.access only; ignored in gnatsd-adm) rickm:ruckm:edit:* pablo:pueblo:view:* *:*:none
In this example, anybody other than rickm and pablo get denied access,
assuming that the host access level is also
none. You could set
the catch-all rule at the end to be
*:*:view to allow view access
The fourth field is a comma-separated list of database aliases to match alias entries from the second field of the database file `/etc/gnats-db.conf'. Wildcard characters are supported. This field is only used in `/etc/gnatsd.access'. It's ignored in `gnatsd-adm/gnatsd.access' since this file is already database specific.
gnatsd command has a minimum access level attached to
it. If your access level is too low for a command, you get this
LOCK 12 rickm 520 You are not authorized to perform this operation (LOCK).
These commands, along with all of the query constraint setting
SYNP, etc) are unrestricted:
A user must have at least
edit access for these commands:
LKDB lock the main GNATS database UNDB unlock the main GNATS database LOCK <PR> <user> <pid> lock <PR> for <user> and optional <pid> and return PR text UNLK <PR> unlock <PR> EDIT <PR> check in edited <PR>
All other commands require
DBLA commands (list databases and aliases)
view access but still only list databases to which the
user's host has at least
none access. A user might have
view access on one database and be able to list the other
database names, but upon executing
CHDB find that they have
none access to the second database and not be able to execute
anything other than another
all have the command line args
gnatsd only accepts database alias names for
-d|--directory arg from these commands (not full database
pathnames). Local clients (
mkcat, etc) accept
|[ << ]||[ >> ]||[Top]||[Contents]||[Index]||[ ? ]|