C.4 Access levels per user

Access levels per user can be set both across all databases on the server or on a per-database basis. The ‘gnatsd.user_access’ file in a database’s ‘gnats-adm’ directory specifies the user access rules for that database. If it doesn’t exist, or doesn’t contain the user name given to gnatsd, then the overall user access file (by default ‘/usr/local/etc/gnats/gnatsd.user_access’) specifying the per-user access levels across all the databases on the server is checked.

The user access files can only increase the access level defined in the host access files for the given host, they can never lower it.

If the access level is none after processing the userid and password, the connection is closed.

The ‘gnatsd.user_access’ files can contain plain text passwords, in such a case they should be owned by the GNATS user with file permission 600.

Wildcard characters are supported for the userid and password with plain text passwords. A null string or ‘*’ matches anything; ‘?’ matches any one character. Note that when GNATS authenticates users, it reads the entries in this file in sequence until a match is found. This means that wildcard entries must be placed near the end of the file, otherwise, they will override non-wildcard entries appearing after the wildcard ones.

Entries in the database-specific ‘gnatsd.user_access’ user access file in the ‘gnats-adm’ directory of the database have the following general format:

userid:password:access-level

The overall ‘gnatsd.user_access’ user access file adds a fourth databases field:

userid:password:access-level:databases

password should either be in plain text, DES crypt()(4) or MD5 hash format(5).

If the password is in plain text format, it must be prefixed by ‘$0$’ and if it is in MD5 format, it needs to be prefixed by the string ‘$1$’.(6) Passwords encrypted by crypt() should have no prefix. If no password is given then users can login with an empty password string.

A gnats-passwd tool to manage ‘gnatsd.user_access’ files is planned. In the meantime, crypt() passwords can be generated by using standard UNIX passwords tools, while MD5 passwords can be generated with the following little Perl snippet:

perl -e 'use Crypt::PasswdMD5 ; print Crypt::PasswdMD5::unix_md5_crypt
"password" , time() % 100000000'

If your Perl installation doesn’t have the Crypt module installed, you need to install it. On most systems, the following command achieves this:

perl -MCPAN -e 'install Crypt::PasswdMD5'

A tool for conversion of pre-version 4 ‘gnatsd.user_access’ files is distributed with GNATS 4. See section Converting old password files.

The access-level field should contain one of the values listed at the beginning of this appendix. This overrides (increases but never lowers) the access level given as the default for the user’s host in the global gnatsd.host_access file.

The following shows an example ‘gnatsd.user_access’ file with plain text passwords:

rickm:$0$ruckm:edit
pablo:$0$pueblo:view
*::none

And this is the same file with MD5-encrypted passwords:

rickm:$1$92388613$D7ZIYikzTUqd./dODTFrI.:edit
pablo:$1$92388652$QRfAhIBG5elT.FQjQKhj80:view
*::none

In these examples, anybody other than rickm and pablo get denied access, assuming that the host access level is also none. You could set the catch-all rule at the end to be *::view to allow view access to anyone who does not supply a password. Note the important detail that such a rule would allow view access only to persons who do not supply a password at all, i.e. if rickm or pablo tries to log in but mistypes his password, this rule would not apply and they would be denied access entirely. This is by design, since people might be surprised if they suddenly found themselves logged in, but with a lower access level than they usually have.

The databases field contains a comma-separated list of database names, as defined in the ‘databases’ file (see section The databases file. Wildcard characters are supported. The databases listed in this field are the ones to which the other settings on the same line will be applied.

This document was generated by Chad Walstrom on March 3, 2015 using texi2html 1.82.