On Sat 05 Mar 2005, Paolo wrote:
>
> this is somewhat different though closely related to the config/control
> deadlock reported previously (I guess).
> And, well, I'd raise the rank of this bug to 'grave', as it breaks pkg
> functionality, and may open security issues: no way to control wwwoffled
> anymore:

Well, it only happens in a very specific configuration that I guess most
people will never think of, so I'd hesitate to raise the severity beyond
important right now. Nevertheless I'll try to find a fix ASAP.

> [2.8e-1 on Sarge, on same host as wwwoffled ]
> # wwwoffle -status -p 192.168.0.13:5866
> [no answer, rc=0]
>
> [2.7a on Woody, on same host as wwwoffled ]
> # wwwoffle -status -p 192.168.0.13:5866
> WWWOFFLE Incorrect Password
>
> I think the old behaviour is better.
>
> # wwwoffle -status -c /etc/wwwoffle/wwwoffle.conf
> wwwoffle[32337] Warning: Failed to connect socket to 'localhost' port '5866'
> [Connection refused].
> wwwoffle[32337] Fatal: Cannot open connection to wwwoffle server localhost
> port 5866.
>
> # wwwoffle -status -c /etc/wwwoffle/wwwoffle.conf -p 192.168.0.13:5866
> wwwoffle: The '-p' and '-c' options cannot be used together.

Hmm, this looks like a bug that was introduced when making it the
default to read the conf file as standard... I'll look into this today.

> Note that's perfectly reasonable to _not_ bind to 127.0.0.1.

Agreed.

> I don't see any solution at script level. wwwoffle should just be able
> to do the right thing when given the -c file, though I'd rather have the
> -pwd option, as that's more flexible.

-pwd means that anyone on the system can read the password...
Unless you mean that it should interactively ask the password from the
terminal?

> Now the SECURITY issues.
>
> start with
> #----wwwoffle.conf---
> bind-ipv4 = 0.0.0.0
> http-port = 5865
> wwwoffle-port = 5866
> password =
> #--------------------
>
> [from remote (allowed) host]
> # wwwoffle -status -p 192.168.0.13:5866
> WWWOFFLE Server Status
> ----------------------
> Version : 2.8e
> State : offline
> Fetch : inactive
> Purge : inactive
> Last-Online : unknown
> Last-Offline : unknown
> Total-Servers: 0
> Fetch-Servers: 0
>
> Set a password (pseudo-diff)

I'm assuming this is on the server itself?

> #----wwwoffle.conf---
> - password =
> + password = secret
> #--------------------
>
> [from either remote (allowed) host or localhost]
> # wwwoffle -config -p 192.168.0.13:5866
> WWWOFFLE Reading Configuration File.
> WWWOFFLE Read Configuration File.

Doing this from a remote host means there's also a local wwwoffle.conf,
right? I assume that you have put the right password in there :-)

> [from either remote (allowed) host or localhost]
> # wwwoffle -config -p 192.168.0.13:5866
> WWWOFFLE Reading Configuration File.
> WWWOFFLE Read Configuration File.
>
> well, that shouldn't happen as the new config set a pwd; I'm faked into
> thinking I've set a pwd but actually wwwoffled did not reload the config.
> I need to go restart the init.d script; but if I started with binding to
> other than 0.0.0.0 that wouldn't work either, as wwwoffle won't be able
> to contact wwwoffled and -kill it, I need to killall wwwoffled, then
> start the init.d script.

I hope to fix this today.

Paul Slootman

