Re: [Exist-development] And yet another security/Ant issue....addendum

[Andrzej J. T. <an...@ch...>]

Dmitry:

> empty password "disable" account, it must have some chars.

You don't seem to understand how the adduser Ant task works.  The user/password attributes are for
the user that is performing the add.  On a new database that would be the admin user, which has no
password set, so you provide an empty password.

The user being added is specified by name/secret, in the example below myuser and the value of the
Ant variable ${password}. The password is not empty!

The issue is that the myuser is added, with the correct password.  You can log in as that user no
problem.  Both the web and java admin clients show myuser as being in the "dba" group.

But myuser does not have dba priviledges for some reason which is a big and a rather serious one in
my estimation.  If I'm logged in as myuser, I cannot do a file:directory-list( $dir, "*.xml" ) as it
fails on a permission problem.

This is a bug in the security implementation that needs fixing.

....A

> On Fri, Apr 29, 2011 at 8:03 PM, Andrzej Jan Taramina <an...@ch...
> <mailto:an...@ch...>> wrote:
> 
>     BTW, I create the myuser like this (before I change the admin password from empty):
> 
>     <exist:adduser failonerror="false" uri="${exist.url}/xmlrpc/db" user="admin" password=""
>     name="myuser" secret="${password}" home="/db" primaryGroup="dba"/>
> 
>     That should make myuser a DBA, right?
> 
>     Logging into the admin web page shows that the user is not a DBA, since it can't do a database
>     shutdown.  But the user list (both in the admin web page and in the Java client) shows myuser as a
>     member of the dba group.
> 
>     ....A
> 
>     > I use an ant task to run an xquery as follows:
>     >
>     > <exist:xquery queryfile="${temp.dir}/importData.xql" outputproperty="importResults"
>     > uri="${exist.url}/xmlrpc/db" user="myuser" password="${password}"> </exist:xquery>
>     >
>     > but it the fails with the following:
>     >
>     > BUILD FAILED
>     > /home/andrzej/build.xml:1747: XMLDB exception caught while executing query: Permission denied,
>     > calling user 'myuser' must be a DBA to call this function. [at line 75, column 23, source: String]
>     >
>     > The line in the xquery that is failing is:
>     >
>     >       let $list   := file:directory-list( $dir, "*.xml" )
>     >
>     > which requires DBA permissions as expected.
>     >
>     > The problem is that the ant task was initiated using user "myuser" which is part of the dba
>     > group...and thus should be a DBA, right?
>     >
>     > This used to work fine....but is now broken with the new security stuff.
>     >
>     > Any idea why myuser isn't being seen as having dba permissions when executing an xquery using the
>     > ant task?
> 
> 
>     --
>     Andrzej Taramina
>     Chaeron Corporation: Enterprise System Solutions
>     http://www.chaeron.com
> 
> 
> 
> 
> -- 
> Dmitriy Shabanov


-- 
Andrzej Taramina
Chaeron Corporation: Enterprise System Solutions
http://www.chaeron.com