Don't allow inactive accounts to authenticate using basic auth - infrastructure - Fedora mailing-lists

List overview All Threads
Download

Don't allow inactive accounts to authenticate using basic auth

Memory issue

Wordpress?

Jon Stanley

21 Mar 2009 21 Mar '09

3:59 p.m.

Inactive accounts could authenticate to sites using mod_auth_pgsql.

Pretty sure all of these apps are not under freeze, but rather be safe. Some +1's?

Reply

Show replies by date

Jon Stanley

21 Mar 21 Mar

3:59 p.m.

New subject: [Change Request] make sure inactive accounts can't auth to trac

--- configs/web/applications/hosted.conf.erb | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/configs/web/applications/hosted.conf.erb b/configs/web/applications/hosted.conf.erb index e2a532e..5a5b78c 100644 --- a/configs/web/applications/hosted.conf.erb +++ b/configs/web/applications/hosted.conf.erb @@ -15,6 +15,7 @@ Auth_PG_pwd_table people Auth_PG_uid_field username Auth_PG_pwd_field password + Auth_PG_whereclause " and status='active'"

Require valid-user </LocationMatch> @@ -32,6 +33,7 @@ Auth_PG_pwd_table people Auth_PG_uid_field username Auth_PG_pwd_field password + Auth_PG_whereclause " and status='active'"

Auth_PG_grp_table user_group Auth_PG_grp_user_field username

-- 1.5.5.6

Reply

Jon Stanley

3:59 p.m.

New subject: [Change Request] Make sure inactive accounts can't auth to other webapps

--- configs/system/nagios-http.conf.erb | 1 + configs/web/balancer.conf.erb | 1 + configs/web/cacti-secure.conf.erb | 1 + configs/web/exclude.conf.erb | 1 + 4 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/configs/system/nagios-http.conf.erb b/configs/system/nagios-http.conf.erb index e845f48..4c04ccc 100644 --- a/configs/system/nagios-http.conf.erb +++ b/configs/system/nagios-http.conf.erb @@ -14,6 +14,7 @@ ScriptAlias /tac.cgi /usr/lib64/nagios/cgi-bin/tac.cgi Auth_PG_pwd_table people Auth_PG_uid_field username Auth_PG_pwd_field password + Auth_PG_whereclause " and status='active'"

require valid-user </Location> diff --git a/configs/web/balancer.conf.erb b/configs/web/balancer.conf.erb index eae1fb4..81212db 100644 --- a/configs/web/balancer.conf.erb +++ b/configs/web/balancer.conf.erb @@ -16,6 +16,7 @@ RewriteRule ^/balancer.* /balancer$1 [L] Auth_PG_pwd_table people Auth_PG_uid_field username Auth_PG_pwd_field password + Auth_PG_whereclause " and status='active'" Auth_PG_grp_table user_group Auth_PG_grp_user_field username Auth_PG_grp_group_field groupname diff --git a/configs/web/cacti-secure.conf.erb b/configs/web/cacti-secure.conf.erb index f5b909c..3178fb2 100644 --- a/configs/web/cacti-secure.conf.erb +++ b/configs/web/cacti-secure.conf.erb @@ -10,6 +10,7 @@ Auth_PG_pwd_table people Auth_PG_uid_field username Auth_PG_pwd_field password + Auth_PG_whereclause " and status='active'"

require valid-user

diff --git a/configs/web/exclude.conf.erb b/configs/web/exclude.conf.erb index fd87430..d98dd37 100644 --- a/configs/web/exclude.conf.erb +++ b/configs/web/exclude.conf.erb @@ -19,6 +19,7 @@ Auth_PG_pwd_table people Auth_PG_uid_field username Auth_PG_pwd_field password + Auth_PG_whereclause " and status='active'" require valid-user Order deny,allow deny from all

-- 1.5.5.6

Reply

Ricky Zhou

4:20 p.m.

On 2009-03-21 08:59:24 PM, Jon Stanley wrote:

Inactive accounts could authenticate to sites using mod_auth_pgsql.

Pretty sure all of these apps are not under freeze, but rather be safe. Some +1's?

We tested this out on hosted1 with active and inactive accounts, so: +1

Thanks, Ricky

Reply

Jon Stanley

4:40 p.m.

Oops, there's one more:

diff --git a/modules/prelude/templates/prewikka-httpd.conf b/modules/prelude/templates/prewikka-httpd.conf index 3cabd5b..9486d2e 100644 --- a/modules/prelude/templates/prewikka-httpd.conf +++ b/modules/prelude/templates/prewikka-httpd.conf @@ -14,6 +14,7 @@ ScriptAlias /prewikka /usr/share/prewikka/cgi-bin/prewikka.cgi Auth_PG_pwd_table people Auth_PG_uid_field username Auth_PG_pwd_field password + Auth_PG_whereclause " and status='active'" Auth_PG_grp_table user_group Auth_PG_grp_user_field username Auth_PG_grp_group_field groupname

2009/3/21 Ricky Zhou ricky@fedoraproject.org:

On 2009-03-21 08:59:24 PM, Jon Stanley wrote:

...
Inactive accounts could authenticate to sites using mod_auth_pgsql.

Pretty sure all of these apps are not under freeze, but rather be safe. Some +1's?

We tested this out on hosted1 with active and inactive accounts, so: +1

Thanks, Ricky

Fedora-infrastructure-list mailing list Fedora-infrastructure-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list

Reply

Mike McGrath

8:59 p.m.

On Sat, 21 Mar 2009, Ricky Zhou wrote:

On 2009-03-21 08:59:24 PM, Jon Stanley wrote:

...
Inactive accounts could authenticate to sites using mod_auth_pgsql.

Pretty sure all of these apps are not under freeze, but rather be safe. Some +1's?

We tested this out on hosted1 with active and inactive accounts, so: +1

+1

-Mike

Reply

Toshio Kuratomi

22 Mar 22 Mar

12:41 a.m.

Jon Stanley wrote:

Inactive accounts could authenticate to sites using mod_auth_pgsql.

Pretty sure all of these apps are not under freeze, but rather be safe. Some +1's?

+1

-Toshio

Reply

5520

Age (days ago)

5521

Last active (days ago)

infrastructure@lists.fedoraproject.org

6 comments

4 participants

tags (0)

participants (4)

Jon Stanley
Mike McGrath
Ricky Zhou
Toshio Kuratomi