Node:gnatsd.user_access, Next:Privileged gnatsd commands, Previous:gnatsd.host_access, Up:Access Control
Access levels per user can be set both across all databases on the server or on a per-database basis. The gnatsd.user_access file in a database's gnats-adm directory specifies the user access rules for that database. If it doesn't exist, or doesn't contain the user name given to gnatsd, then the overall user access file (by default /usr/local/etc/gnats/gnatsd.user_access) specifying the per-user access levels across all the databases on the server is checked.

The user access files can only increase the access level defined in the host access files for the given host; they can never lower it. If the access level is none after processing the userid and password, the connection is closed.
The gnatsd.user_access files can contain plain text passwords; in such a case they should be owned by the GNATS user with file permission 600.

Wildcard characters are supported for the userid and password with plain text passwords. A null string or * matches anything; ? matches any one character.
Entries in the database-specific gnatsd.user_access user access file in the gnats-adm directory of the database have the following general format:

    userid:password:access-level

The overall gnatsd.user_access user access file adds a fourth databases field:

    userid:password:access-level:databases
password should be either in plain text, DES crypt() [1] or MD5 hash format [2]. If the password is in plain text format, it must be prefixed by $0$, and if it is in MD5 format, it needs to be prefixed by the string $1$. [3] Passwords encrypted by crypt() should have no prefix. If no password is given then users can login with an empty password string.
A gnats-passwd tool to manage gnatsd.user_access files is planned. In the meantime, crypt() passwords can be generated by using standard UNIX password tools, while MD5 passwords can be generated with the following little Perl snippet:

    perl -e 'use Crypt::PasswdMD5 ; print Crypt::PasswdMD5::unix_md5_crypt "password" , time() % 100000000'

If your Perl installation doesn't have the Crypt module installed, you need to install it. On most systems, the following command achieves this:

    perl -MCPAN -e 'install Crypt::PasswdMD5'
A tool for conversion of pre-version 4 gnatsd.user_access files is distributed with GNATS 4. See Converting old password files.

The access-level field should contain one of the values listed at the beginning of this appendix. This overrides (increases but never lowers) the access level given as the default for the user's host in the global gnatsd.host_access file.
The following shows an example gnatsd.user_access file with plain text passwords:

    rickm:$0$ruckm:edit
    pablo:$0$pueblo:view
    *::none

And this is the same file with MD5-encrypted passwords:

    rickm:$1$92388613$D7ZIYikzTUqd./dODTFrI.:edit
    pablo:$1$92388652$QRfAhIBG5elT.FQjQKhj80:view
    *::none

In these examples, anybody other than rickm and pablo is denied access, assuming that the host access level is also none.
You could set the catch-all rule at the end to be *::view to allow view access to anyone who does not supply a password. Note the important detail that such a rule would allow view access only to persons who do not supply a password at all: if rickm or pablo tries to log in but mistypes the password, this rule would not apply and the login would be denied entirely. This is by design, since people might be surprised if they suddenly found themselves logged in, but with a lower access level than they usually have.
The databases field contains a comma-separated list of database names, as defined in the databases file (see The databases file). Wildcard characters are supported. The databases listed in this field are the ones to which the other settings on the same line will be applied.
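The following Python model, added here as an illustration and not part of the GNATS manual or the GNATS sources, puts the rules of this section together: the three- and four-field entry formats, wildcard matching of userid, plain-text password and databases fields, the $0$ and $1$ password prefixes (the $1$ check re-implements the MD5-crypt algorithm that the Perl unix_md5_crypt snippet uses, so an entry can be generated and verified offline), the per-database-then-global lookup order, and the rule that a user entry can raise but never lower the host access level. Assumptions: the level ordering deny < none < submit < view < viewconf < edit < admin is the GNATS access-level list this appendix refers to (this page itself only uses none, view and edit); the database names gnats-db and test-1, the function names and the sample file are constructed for the example; traditional DES crypt() entries are not implemented and are treated as never matching.

```python
import hashlib
import hmac
import re
from typing import List, NamedTuple, Optional

# GNATS access levels in increasing order; this page itself uses only none, view and edit.
ACCESS_LEVELS = ["deny", "none", "submit", "view", "viewconf", "edit", "admin"]
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def unix_md5_crypt(password: str, salt: str) -> str:
    """Classic $1$ MD5-crypt, the format Perl's unix_md5_crypt produces."""
    pw, salt = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for i in range(len(pw)):
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(pw)
    while i:                                   # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                      # stretching rounds of the original algorithm
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    def to64(v: int, n: int) -> str:           # crypt's base-64 variant, low 6 bits first
        return "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))

    out = "".join(to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)])
    return f"$1${salt.decode()}${out}{to64(final[11], 2)}"

def wildcard_match(pattern: str, text: str) -> bool:
    """'*' matches any run of characters, '?' any single character; the rest is literal."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, text, re.DOTALL) is not None

def password_matches(field: str, supplied: str) -> bool:
    if field == "":                            # no password configured: only an empty password logs in
        return supplied == ""
    if field.startswith("$0$"):                # plain text; wildcards are allowed here
        return wildcard_match(field[3:], supplied)
    if field.startswith("$1$"):                # MD5: recompute with the stored salt, compare in constant time
        parts = field.split("$")               # ['', '1', salt, hash]
        return len(parts) == 4 and hmac.compare_digest(unix_md5_crypt(supplied, parts[2]), field)
    # No prefix means traditional DES crypt(); this example does not implement it,
    # so such entries never match (the safe failure mode).
    return False

class Entry(NamedTuple):
    userid: str
    password: str
    level: str
    databases: str                             # fourth field; "*" is filled in for per-database files

def parse_user_access(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) == 3:                   # per-database file has no databases field
            fields.append("*")
        if len(fields) != 4 or fields[2] not in ACCESS_LEVELS:
            raise ValueError(f"malformed gnatsd.user_access entry: {line!r}")
        entries.append(Entry(*fields))
    return entries

def lookup_level(entries: List[Entry], database: str, userid: str, password: str) -> Optional[str]:
    """Level of the first entry whose userid, databases and password all match."""
    for e in entries:
        if not wildcard_match(e.userid, userid):
            continue
        if not any(wildcard_match(db, database) for db in e.databases.split(",")):
            continue
        if password_matches(e.password, password):
            return e.level
    return None

def resolve_access(host_level: str, db_entries: List[Entry], global_entries: List[Entry],
                   database: str, userid: str, password: str) -> Optional[str]:
    """Per-database file first; the global file if it is missing or lacks the user name.
    The result is never lower than host_level; None means the connection is closed."""
    entries = global_entries
    if db_entries and any(wildcard_match(e.userid, userid) for e in db_entries):
        entries = db_entries
    user_level = lookup_level(entries, database, userid, password)
    level = host_level
    if user_level and ACCESS_LEVELS.index(user_level) > ACCESS_LEVELS.index(level):
        level = user_level
    return None if ACCESS_LEVELS.index(level) <= ACCESS_LEVELS.index("none") else level

# Constructed sample: the database's gnats-adm/gnatsd.user_access does not exist, and the
# global file has one MD5 entry (generated here, as the Perl one-liner would) and a catch-all.
DB_ENTRIES: List[Entry] = []
GLOBAL_ENTRIES = parse_user_access("\n".join([
    f"rickm:{unix_md5_crypt('ruckm', '92388613')}:edit:*",
    "pablo:$0$pueblo:view:gnats-db,test-*",    # constructed database names
    "*::view:*",                               # view for anyone who supplies no password at all
]))
```

With a host level of none, resolve_access returns "edit" for rickm with the right password, "view" for an anonymous login with an empty password, and None (connection closed) for rickm with a mistyped password, which is the behaviour the catch-all discussion above describes: a supplied-but-wrong password does not fall through to the *::view rule.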
[1] DES crypt is the standard password encryption format used by most UNIX systems.

[2] MD5 is only supported on platforms that have a crypt() function that supports MD5. Among others, this currently includes GNU Linux and OpenBSD.

[3] Some systems support even more encryption methods. In FreeBSD, for instance, a prefix of $2$ implies Blowfish encoding. GNATS will happily accept any encryption that the OS supports.