I finally got some time today to play with the new version and find out
what's wrong, and fix it. I blame me, since I implemented checkauth in the
first place, and I guess the new authentication directives broke it. I swear
I had it working in my crazy-quilt patched mon server, but I guess I didn't
submit the right diffs to Jim.
The fix is basically to not be dumb about checkauth'ing and to use the
check_auth() function to do auth checking like it was made to do.
This patch also fixes a couple of other really minor bugs, like using >>
instead of > with monerrfile so it doesn't get truncated on server restart.
andrew
On Wednesday 05 September 2001 10:28 am, Jim Trocki wrote:
> On Wed, 5 Sep 2001, Andrew Ryan wrote:
> > Has anyone else running 0.99.1 seen this bug?
>
> i just installed mon.cgi-1.52 last night and i get this:
>
> MON: Operation Status: Summary View
>
> > Cannot connect to the mon server. Check the mon process to see if it
> > is running.
> >
> > Could not get server time on mon server "localhost": 520 command could
> > not be executed (perhaps you don't have permissions in auth.cf?) Could
> > not get server time on mon server "localhost": 520 command could not be
> > executed (perhaps you don't have permissions in auth.cf?)
>
> in auth.cf i have "servertime: all"
>
> in /var/log/messages i see:
>
> Sep 5 10:13:48 xxxx mon[5333]: client command "servertime"
> Sep 5 10:13:48 xxxx mon[5333]: user '' tried 'servertime', not
> authenticated
>
> in mon.cgi i have
>
> %loginhash = ("username","read", "password","read");
>
> and there is an entry in monusers.cf for that account, and it works:
> : dp ~$; telnet xxxx mon
>
> [...]
> login read read
> 220 login accepted
>
> however when i do "servertime" it gives me
>
> servertime
> 520 command could not be executed
>
> even though
>
> servertime: all
>
> so there is definitely more to investigate.
*** mon.orig Sat Aug 18 12:37:53 2001
--- mon Fri Sep 7 15:36:54 2001
***************
*** 892,897 ****
--- 892,901 ----
} elsif ($1 eq "authfile") {
$new_CF{"AUTHFILE"} = $2;
+ if (! -r $new_CF{"AUTHFILE"}) {
+ close (CFG);
+ return "cf error: authfile '$2' does not exist or is not
+readable, line $line_num";
+ }
} elsif ($1 eq "authtype") {
$new_CF{"AUTHTYPE"} = $2;
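Review bot: the `-r` test on the authfile path is evaluated with whatever privileges mon has while parsing the config and before the daemon does chdir('/') (see the daemonizing hunk further down), so a relative authfile that passes here can still fail when the file is actually opened; either resolve the path first or state in the message that it was tested at parse time. The error string has also been wrapped by the mailer ("is not" / "+readable, line $line_num"), so as posted the literal either carries an embedded newline or the hunk will be rejected by patch; please resend with long lines intact.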
***************
*** 911,916 ****
--- 915,924 ----
} elsif ($1 eq "userfile") {
$new_CF{"USERFILE"} = $2;
+ if (! -r $new_CF{"USERFILE"}) {
+ close (CFG);
+ return "cf error: userfile '$2' does not exist or is not
+readable, line $line_num";
+ }
} elsif ($1 eq "ocfile") {
$new_CF{"OCFILE"} = $2;
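Review bot: this userfile check duplicates the authfile check above line for line; a small helper taking the directive name and path would keep the message and the close(CFG) in one place. Since userfile is where the login accounts live (monusers.cf in the thread), it would also be worth warning when the file is group- or world-readable, not only when it cannot be read at all.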
***************
*** 2537,2553 ****
split(' ',$args);
$cmd = $_[0];
$user = $clients{$cl}->{"user"};
! # We use our own special function here to avoid the syslogging of
! # check_auth. Probably better to add another parameter to
! # check_auth to make the syslogging optional and always use
! # check_auth instead.
! if ( (defined ($clients{$cl}->{"user"})) && (! $NOAUTHCMDS{$cmd}{$user}) &&
! (
! ($AUTHCMDS{$cmd}{"all"}) ||
! ( (defined ($clients{$cl}->{"user"})) && ($AUTHCMDS{$cmd}{"AUTH_ANY"}) )
||
! ( (defined ($clients{$cl}->{"user"})) && ($AUTHCMDS{$cmd}{$user}) )
! )
! )
{
sock_write ($fh, "220 command authorized\n");
}
--- 2545,2552 ----
split(' ',$args);
$cmd = $_[0];
$user = $clients{$cl}->{"user"};
! # Note that we call check_auth without syslogging here.
! if (check_auth($clients{$cl}->{"user"}, $cmd, 1))
{
sock_write ($fh, "220 command authorized\n");
}
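Review bot: `$user` is assigned two lines above and then not used; the new call passes `$clients{$cl}->{"user"}` again, so pass `$user` instead and drop the dead variable. The bare `1` as the third argument only reads as "no syslog" if you already know the signature; a comment at the call site naming the flag would help. Also note that the removed inline test required a defined user even for the "all" case, whereas check_auth is now trusted to decide that itself; make sure that difference is intended, since it changes what an unauthenticated client gets back from checkauth.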
***************
*** 2717,2723 ****
chdir ('/');
umask (022);
! if (!open (N, "+>" . $CF{"MONERRFILE"}))
{
syslog ("err", "could not open error output file $CF{'MONERRFILE'}: %m");
exit (1);
--- 2716,2722 ----
chdir ('/');
umask (022);
! if (!open (N, "+>>" . $CF{"MONERRFILE"}))
{
syslog ("err", "could not open error output file $CF{'MONERRFILE'}: %m");
exit (1);
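Review bot: `+>>` stops the truncation on restart, but nothing now ever trims monerrfile, so it grows without bound; either document that it needs external rotation or keep the old truncation behind a config option. The same handle is still dup'd onto STDIN in the next hunk, so the daemon's stdin reads come from the error file; that was true with `+>` as well, but since the file is no longer empty at startup it is worth a comment.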
***************
*** 2726,2732 ****
if (!open(STDOUT, ">&N") ||
!open (STDIN, "<&N") ||
!open (STDERR, ">&N")) {
! syslog ("err", "could not redirect: %m");
exit(1);
}
syslog ('info', "running as daemon");
--- 2725,2731 ----
if (!open(STDOUT, ">&N") ||
!open (STDIN, "<&N") ||
!open (STDERR, ">&N")) {
! syslog ("err", "could not redirect: %m");
exit(1);
}
syslog ('info', "running as daemon");
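Review bot: the `!` line in this hunk is identical before and after (`syslog ("err", "could not redirect: %m");`), so this is a whitespace-only change; drop it from the patch so the diff shows only the real fix.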
***************
*** 3511,3523 ****
#
# return undef if $user isn't permitted to perform $cmd
#
sub check_auth {
! my ($user, $cmd) = @_;
# Check to see if the authenticated user is specifically
# denied the ability to run this command.
! if (defined ($user) && $NOAUTHCMDS{$cmd}{$user}) {
syslog ("err", "user '$user' tried '$cmd', denied");
return undef;
}
--- 3510,3533 ----
#
# return undef if $user isn't permitted to perform $cmd
+ # Optional third argument controls logging to syslog.
+ # e.g.,
+ # check_auth("joe", "disable")
+ # will check to see if user joe is authorized to disable, and
+ # complain to syslog if joe is not authorized
+ # check_auth("joe", "disable", 1)
+ # will check to see if user joe is authorized to disable but
+ # NOT complain to syslog if joe is not authorized
#
sub check_auth {
! my ($user, $cmd, $no_syslog) = @_;
# Check to see if the authenticated user is specifically
# denied the ability to run this command.
! if (
! (defined ($user) && $NOAUTHCMDS{$cmd}{$user}) ||
! (defined ($user) && $NOAUTHCMDS{$cmd}{"AUTH_ANY"})
! ){
syslog ("err", "user '$user' tried '$cmd', denied");
return undef;
}
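Review bot: the denial branch still calls syslog unconditionally, so `check_auth(..., 1)` silences only the "not authenticated" message in the next hunk and not this "denied" one; add `unless $no_syslog` here too, otherwise the checkauth command will log denials it was meant to probe quietly. Honoring AUTH_ANY in %NOAUTHCMDS is also a new semantic that the patch description does not mention; the doc comment should list it next to the third argument.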
***************
*** 3533,3539 ****
# Check to see if the authenticated user is specifically
#allowed the ability to run this command.
return 1 if (defined ($user) && $AUTHCMDS{$cmd}{$user});
! syslog ("err", "user '$user' tried '$cmd', not authenticated");
return undef;
}
--- 3543,3549 ----
# Check to see if the authenticated user is specifically
#allowed the ability to run this command.
return 1 if (defined ($user) && $AUTHCMDS{$cmd}{$user});
! syslog ("err", "user '$user' tried '$cmd', not authenticated") unless
defined($no_syslog);
return undef;
}
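Review bot: `unless defined($no_syslog)` makes `check_auth($u, $c, 0)` suppress logging, since 0 is defined; test truthiness (`unless $no_syslog`) so the flag behaves like its name. The continuation line ` defined($no_syslog);` has also lost its leading context marker in the mail, so this hunk will probably not apply as posted.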
***************
*** 4263,4268 ****
--- 4273,4279 ----
userfile [$CF{USERFILE}]
dtlogfile [$CF{DTLOGFILE}]
historicfile[$CF{HISTORICFILE}]
+ monerrfile [$CF{MONERRFILE}]
scriptdir [$CF{SCRIPTDIR}]
alertdir [$CF{ALERTDIR}]
EOF
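As an added illustration, not part of this thread and not mon's own code, here is the allow/deny order the patched check_auth() applies, as a stand-alone Perl script: deny entries first, then "all", then AUTH_ANY for any logged-in user, then the user by name. The auth.cf syntax for several users on one line and the leading "!" for a deny entry are assumptions (the thread only shows "servertime: all"), as is the reading that "all" covers clients that never logged in. It also treats the no-syslog argument by truthiness rather than definedness, which is what the flag's name suggests.

```perl
#!/usr/bin/perl
# Added illustration, not mon's code: the allow/deny evaluation order that
# the patched check_auth() applies, as a stand-alone script.
# Assumptions (not from the page): auth.cf lines are "command: who[, who...]",
# a leading "!" marks a deny entry (stands in for %NOAUTHCMDS), and an "all"
# entry covers clients that never logged in (user undef).
use strict;
use warnings;

my $auth_cf = <<'CF';      # constructed sample config
# command: who
servertime: all
list: AUTH_ANY
enable: AUTH_ANY
disable: joe, ops
!enable: guest
CF

my (%AUTHCMDS, %NOAUTHCMDS);
my @syslog;                # stands in for syslog(); kept in memory so this runs offline

sub load_auth {
    my ($text) = @_;
    %AUTHCMDS = (); %NOAUTHCMDS = ();
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(#|$)/;
        my ($cmd, $who) = $line =~ /^\s*(\S+?)\s*:\s*(.*?)\s*$/ or next;
        my $table = ($cmd =~ s/^!//) ? \%NOAUTHCMDS : \%AUTHCMDS;
        $table->{$cmd}{$_} = 1 for split /\s*,\s*/, $who;
    }
}

# Returns 1 if $user may run $cmd, undef otherwise. A true $no_syslog keeps
# the refusal out of the log (truthiness, not defined-ness, so 0 means "log").
sub check_auth {
    my ($user, $cmd, $no_syslog) = @_;
    my $name = defined $user ? $user : '';
    # Denials are checked first, so they override every allow rule.
    if (defined $user && ($NOAUTHCMDS{$cmd}{$user} || $NOAUTHCMDS{$cmd}{AUTH_ANY})) {
        push @syslog, "user '$name' tried '$cmd', denied" unless $no_syslog;
        return undef;
    }
    return 1 if $AUTHCMDS{$cmd}{all};                        # open to everyone
    return 1 if defined $user && $AUTHCMDS{$cmd}{AUTH_ANY};  # any logged-in user
    return 1 if defined $user && $AUTHCMDS{$cmd}{$user};     # this user by name
    push @syslog, "user '$name' tried '$cmd', not authenticated" unless $no_syslog;
    return undef;
}

load_auth($auth_cf);

my @cases = (                      # [user, command, expected]
    [undef,   'servertime', 1],    # "all" needs no login
    [undef,   'list',       0],    # AUTH_ANY does
    ['read',  'list',       1],
    ['read',  'disable',    0],    # not listed by name
    ['joe',   'disable',    1],
    ['guest', 'enable',     0],    # AUTH_ANY would allow it, the deny entry wins
);
for my $c (@cases) {
    my ($user, $cmd, $want) = @$c;
    my $got = check_auth($user, $cmd) ? 1 : 0;
    printf "%-7s %-10s %s%s\n", defined $user ? $user : '(none)', $cmd,
        $got ? 'allow' : 'deny', $got == $want ? '' : '  <-- unexpected';
}

# What the "checkauth" client command does: probe without logging the refusal.
my $before = @syslog;
check_auth('guest', 'enable', 1);
print "silent probe added ", scalar(@syslog) - $before, " log lines\n";
print "syslog: $_\n" for @syslog;
```

Run it with plain `perl`; the "silent probe" line is the checkauth command's use of the third argument, and the three collected log lines are the refusals from the table, including the AUTH_ANY grant for enable being overridden for guest by the deny entry.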