[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[leafnode-list] HEADS UP Clemens Fischer, lua authentication bugs, and your mail is non-functional


sorry to contact you this way, and I hope you are seeing this through
GMANE - your dnsalias.org address is dysfunctional, so my mail bounced.

In de.comm.software.newsserver are complains - and I could verify them -
that authentication is broken in the lua version of leafnode.  I suppose
that this is an artifact of an incomplete groupauth implementation.

The detailed complaint is that the luascript version of leafnode will
behave as though no authentication is required, i. e. lets users see all
groups, post everywhere, without authentication.

Can you please see to that:

- with --disable-lua, traditional leafnode behaviour is reinstated, i.
e. global authentication required for mostly everything that affects
groups or articles

- in the absense of Lua scripts, traditional leafnode behaviour is
reinstated, same conditions as above

I have, in the meanwhile, fixed some paths for the scripting, but I seem
to be unable to get groupauthentication running. There is a want_*
variable in scripthooks.lua, but it does not appear to be used anywhere

Reading the C code, I do not see where leafnode would fall back to
traditional authentication behaviour for SCRIPT_UNAVAILABLE or
--disable-lua code.

Please contact me with a valid sender address that is not based on
dynamic DNS off-list.


In the meanwhile, I will prepare a non-scripting release of leafnode so
that people can get authentication (PAM or built-in) back.

Best regards

Attachment: signature.asc
Description: OpenPGP digital signature

leafnode-list mailing list