Menu
▾
▴
Re: [Exist-development] And yet another security/Ant issue....addendum
|
From: Dmitriy S. <sha...@gm...> - 2011-04-30 03:42:51
|
On Sat, Apr 30, 2011 at 7:43 AM, Andrzej Jan Taramina
<an...@ch...>wrote:
> Dmitry:
>
> > empty password "disable" account, it must have some chars.
>
> You don't seem to understand how the adduser Ant task works. The
> user/password attributes are for
> the user that is performing the add. On a new database that would be the
> admin user, which has no
> password set, so you provide an empty password.
>
> The user being added is specified by name/secret, in the example below
> myuser and the value of the
> Ant variable ${password}. The password is not empty!
>
> The issue is that the myuser is added, with the correct password. You can
> log in as that user no
> problem. Both the web and java admin clients show myuser as being in the
> "dba" group.
>
> But myuser does not have dba priviledges for some reason which is a big and
> a rather serious one in
> my estimation. If I'm logged in as myuser, I cannot do a
> file:directory-list( $dir, "*.xml" ) as it
> fails on a permission problem.
>
> This is a bug in the security implementation that needs fixing.
>
That is not a security issue if you see it in DBA group. Did you check user
from running script? (let's say one line before file:directory-list)
--
Dmitriy Shabanov
|
