[pmwiki-users] error in .htpasswd - Auth

Patrick Ogay lists at basel-inside.ch
Wed Nov 16 14:36:37 CST 2005


I spent a lot of time testing authuser, and I often had strange results.
The last tests I made: I created a user called pmichaud pmichaud.

The user pmichaud can access my webdav drive as expected (which uses 
the same .passwd), but *not* pmwiki.
The user pmichaud can access pmwiki with the password of ogayp, ugh..
Strange too, only pogay can log in to pmwiki; more precisely, any user can 
log in with the password of pogay.

To me it looks like an error.
I'm wondering whether somebody uses the htpasswd feature at the moment.


regards
Patrick Ogay



----
I guess this must be the problem:
I created a user "pmichaud"  (with
action=setuser?&user=pmichaud&passwd=pmichaud)
the user is o.k. .htpasswd

pmichaud can log in now, but with the first user's password.
It's even worse that *anybody* can log in who knows this password.
It's even more strange, because now I have changed my user to the
second place, and still pmichaud can only log in with this user....urgh...
(I don't like the idea to store the correct password here in the Group:-),

pw-file: (first attempt)
pogay:u6cLSILEk15aQ
vhcuser:NPtapYBNVvC02
vorstand:tWWn6kTmNE/6o
pmichaud:WLul3vR1PMYlQ

pw-file (second attempt)
pmwiki:5OV8XuG1lKdQU
pogay:u6cLSILEk15aQ
vhcuser:NPtapYBNVvC02
vorstand:tWWn6kTmNE/6o
pmichaud:WLul3vR1PMYlQ

http://212.103.64.226/blug/
farmconfig:------------------------------------------------------------------------------------------------
<?php
### Testoptions
  $TestLogFile = "$FarmD/user.d/pm.log";
### general
  $FarmPubDirUrl = 'http://212.103.64.226/pmwiki-2.0.10/pub';
  $WikiTitle = 'Blug Wiki';
  $EnablePathInfo = 1;        // clean URLs

  $HTMLPNewline = '<br />';   // line-break behaviour, as in a textarea
  $Skin = 'pmwiki-2mod';      // small modification of the bar on the left: Site.GlobalSideBar Group.SideBar

### global modules
  require_once("$FarmD/scripts/authuser.php");     // user-based authentication
  require_once("$FarmD/cookbook/guestbook.php");   // guestbook form
  require_once("$FarmD/cookbook/mailform.php");    // mail form to the webmaster
  require_once("$FarmD/cookbook/postitnotes.php");  // windows within the content
# require_once("$FarmD/local/.htpasswd");          // check whether the file exists: ok.

/*

  if (@$_SESSION['authid'] && !$_COOKIE['author']) {
         $Author = $_SESSION['authid'];
         setcookie('author',$Author,0,'/');
  }
  if ($AuthId) {
         $Author = $AuthId;
         setcookie('author',$Author,0,'/');
  }
*/

$EnableUpload = 1;
#$UploadDir = "http://www.blug.ch/pmwiki-0.5.24/uploads";  /* old URL */
#$UploadUrlFmt = "http://www.blug.ch/pmwiki-0.5.24/uploads";
$UploadDir = $_SERVER['DOCUMENT_ROOT']."/blug/uploads";  /* old URL */
$UploadUrlFmt = "http://www.osrc.ch.vu/blug/uploads";
$DefaultPasswords['upload'] = crypt('blug');
$UploadMaxSize = 100000;
$UploadExtSize['pdf'] = 200000;

######  authuser 
####################################################################
# The final security and auth concept still has to be worked out
#  $DefaultPasswords['admin'] = "*";  /* admin actions, such as changes to the Site group, are locked */
    $DefaultPasswords['admin'] = '$1$W32gNGnz$qqRtTf.gwGj8KgFcrS9Ow/';


## The $Authuser entries must be defined before authuser.php is called,
## which is why config.php is called from here
## Define usernames and passwords.
##  works; will later be moved partly into the pw-file and partly into local config

#   $AuthUserHtPasswd     = "$FarmD/local/.htpasswd";
     $AuthUser['htpasswd'] = "/var/www/etc/.passwd";


###  pmwiki users
#    $AuthUser['pogay']    = '$1$W32gNGnz$qqRtTf.gwGj8KgFcrS9Ow/';
#    $Authuser['nic']      = '$1$W32gNGnz$qqRtTf.gwGj8KgFcrS9Ow/';
#    $Authuser['pat']      = '$1$W32gNGnz$qqRtTf.gwGj8KgFcrS9Ow/';
#    $AuthUser['pmwikif']  = '$1$yiQu4aL7$eQtLXJ5sJSuRQDUkHJrtK0';
#    $AuthUser['pmwiki2']  = crypt('pmwiki2');
#    $AuthUser['pmwiki3']  = '$1$W32gNGnz$qqRtTf.gwGj8KgFcrS9Ow/';

### apache users
#    $AuthUser['vhcusez']  = "$FarmD/local/.htpasswd";
#   $AuthUser['pogaz']    = "$FarmD/local/.htpasswd";
#    $AuthUser['vhcuser']  = "$FarmD/local/.htpasswd";
#    $AuthUser['bluguser'] = "$FarmD/local/.htpasswd";


     include_once('local/config.php');          # load per-field settings

     $DefaultPasswords['read']   = 'id:*'; /* everyone who has a user */
#   $DefaultPasswords['read']   = 'id:pogay,nic';
     $DefaultPasswords['edit']   = 'id:pogay,nic';
     $DefaultPasswords['upload'] = 'id:pogay,nic';
     include_once("$FarmD/scripts/authuser.php");   /* user-based authentication */

        /* Assign Logfile+ activate */

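## Addons/User Actions
##adds action=setuser&user=user&passwd=passwd
## uses php "system" to execute a shellscript  in usr/local/bib
global $HandleActions;
SDV($HandleActions['setuser'], 'setUser');
function setUser($pagename) {
  $user   = isset($_GET['user'])   ? $_GET['user']   : '';
  $passwd = isset($_GET['passwd']) ? $_GET['passwd'] : '';
  # debug output is HTML-escaped before it is echoed
  echo "setuser" . htmlspecialchars($user . $passwd);
  if ($user && $passwd) {
    # escapeshellarg() keeps request data from being interpreted by the shell
    $cmd = "_htpasswd " . escapeshellarg($user) . " " . escapeshellarg($passwd);
    echo "=" . htmlspecialchars($cmd) . "=";
    system($cmd, $result);
    echo "result=$result/";
  }
  else { /* list everything */
    # exec() fills $lines with the script's output, one entry per line
    exec("_htpasswd", $lines, $result);
    echo "result=$result/";
    echo "Lines<br>\n";
    foreach ($lines as $k => $v) {
      echo "k=$k v=" . htmlspecialchars($v) . "<br>\n";
    }
  }
}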

## Additional functions, mainly for testing
## Testlog -------------------------------------------------------
## $TestLogFile = "$FarmD/user.d/pm.log";  activates the log; the dir must be writable!
function TestLog($output) {
      global $FarmD,$TestLogFile;
      if ($TestLogFile) {
     #$path = realpath("./"); --  working Dir
      if ($txtfp = fopen($TestLogFile,"a")) {
        fputs($txtfp,"$output \n");
        fclose($txtfp);
        }
      else
       Abort("Unable to open TestLog: $TestLogFile ");
      }
}

?>




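The check the post expects from an htpasswd-backed login, as an added example that is not part of the original post and is not PmWiki's authuser.php code: the stored hash is looked up by exact user name, and only that entry is compared against the submitted password. The function names, user names, passwords and salts are constructed for illustration.

```php
<?php
// Added example: verify a login against htpasswd-style "user:hash" lines.
// Only crypt()-compatible hashes are handled (such as the 13-character DES
// form shown in the post); Apache's $apr1$ and {SHA} formats are not covered.

function htpasswd_lookup(string $contents, string $user): ?string {
    foreach (preg_split('/\r\n|\r|\n/', $contents) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') continue;   // blank or comment
        $fields = explode(':', $line);
        if (count($fields) < 2) continue;                 // malformed line
        // Exact, case-sensitive match on the name field only.
        if ($fields[0] === $user) return $fields[1];
    }
    return null;
}

function htpasswd_verify(string $contents, string $user, string $password): bool {
    $hash = htpasswd_lookup($contents, $user);
    if ($hash === null || $hash === '') return false;     // unknown user
    // The stored hash doubles as the salt argument for crypt().
    $computed = crypt($password, $hash);
    return is_string($computed) && hash_equals($hash, $computed);
}

// Constructed sample file: names, passwords and salts are made up.
$sample = implode("\n", [
    '# constructed sample',
    'alice:' . crypt('alice-secret', 'aB'),
    'bob:'   . crypt('bob-secret', 'Xy'),
    '',
]);

// Each case: user, password, expected result.
$cases = [
    ['alice', 'alice-secret', true],
    ['bob',   'bob-secret',   true],
    ['bob',   'alice-secret', false],  // another user's password must fail
    ['carol', 'alice-secret', false],  // user not in the file
    ['ali',   'alice-secret', false],  // a name prefix is not a match
];
foreach ($cases as [$u, $p, $expected]) {
    $got = htpasswd_verify($sample, $u, $p);
    printf("%-6s %-13s %-7s %s\n", $u, $p,
           $got ? 'accept' : 'reject', $got === $expected ? 'ok' : 'MISMATCH');
}
```

The third case is the symptom reported in the post; a `MISMATCH` on that row means the password is being checked against an entry other than the named user's.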