rejetto forum

Permission problems in latest betas


TEA-Time

  • Guest
Hi,

I'm not sure with what beta this started because I only just tried doing this, but the problem exists at least in build 197 and 198.

The setup:
Create a folder (I called it "test") under the root and give an account (I called it "testaccount") permission to only that folder.

The problem:
Try to browse it with http://server/test and HFS continuously prompts for a login.  The following shows up in the log window:

*****
8/18/2008 10:20:28 AM Server start
8/18/2008 10:42:16 AM 127.0.0.1:1808 Connected
8/18/2008 10:42:16 AM 127.0.0.1:1808 Requested GET /test/
8/18/2008 10:42:16 AM 127.0.0.1:1808 Not served: 401 - Unauthorized
8/18/2008 10:42:16 AM 127.0.0.1:1808 Disconnected by server - 413 bytes sent
8/18/2008 10:42:19 AM 127.0.0.1:1809 Connected
8/18/2008 10:42:19 AM testaccount@127.0.0.1:1809 Login failed
8/18/2008 10:42:19 AM testaccount@127.0.0.1:1809 Requested GET /test/
8/18/2008 10:42:19 AM testaccount@127.0.0.1:1809 Not served: 401 - Unauthorized
8/18/2008 10:42:19 AM testaccount@127.0.0.1:1809 Disconnected by server - 413 bytes sent
8/18/2008 10:42:21 AM 127.0.0.1:1811 Connected
8/18/2008 10:42:21 AM testaccount@127.0.0.1:1811 Requested GET /test/
8/18/2008 10:42:22 AM testaccount@127.0.0.1:1811 Served 885 B
8/18/2008 10:42:22 AM 127.0.0.1:1812 Connected
8/18/2008 10:42:22 AM 127.0.0.1:1812 Requested GET /~style.css
8/18/2008 10:42:22 AM 127.0.0.1:1812 Not served: 401 - Unauthorized
8/18/2008 10:42:22 AM testaccount@127.0.0.1:1811 Requested GET /~style.css
8/18/2008 10:42:22 AM testaccount@127.0.0.1:1811 Not served: 401 - Unauthorized
8/18/2008 10:42:22 AM 127.0.0.1:1812 Disconnected by server - 413 bytes sent
8/18/2008 10:42:22 AM testaccount@127.0.0.1:1811 Disconnected by server - 1298 bytes sent
8/18/2008 10:42:25 AM 127.0.0.1:1813 Connected
8/18/2008 10:42:25 AM testaccount@127.0.0.1:1813 Requested GET /~style.css
8/18/2008 10:42:25 AM testaccount@127.0.0.1:1813 Not served: 401 - Unauthorized
8/18/2008 10:42:25 AM testaccount@127.0.0.1:1813 Disconnected by server - 414 bytes sent
8/18/2008 10:42:27 AM 127.0.0.1:1814 Connected
8/18/2008 10:42:27 AM testaccount@127.0.0.1:1814 Requested GET /~style.css
8/18/2008 10:42:27 AM testaccount@127.0.0.1:1814 Not served: 401 - Unauthorized
8/18/2008 10:42:27 AM testaccount@127.0.0.1:1814 Disconnected by server - 414 bytes sent
8/18/2008 10:42:30 AM 127.0.0.1:1815 Connected
8/18/2008 10:42:30 AM testaccount@127.0.0.1:1815 Requested GET /~style.css
8/18/2008 10:42:30 AM testaccount@127.0.0.1:1815 Not served: 401 - Unauthorized
8/18/2008 10:42:30 AM testaccount@127.0.0.1:1815 Disconnected by server - 413 bytes sent
8/18/2008 10:42:34 AM 127.0.0.1:1817 Connected
8/18/2008 10:42:34 AM testaccount@127.0.0.1:1817 Requested GET /~style.css
8/18/2008 10:42:34 AM testaccount@127.0.0.1:1817 Not served: 401 - Unauthorized
8/18/2008 10:42:34 AM testaccount@127.0.0.1:1817 Disconnected by server - 413 bytes sent
8/18/2008 10:42:36 AM 127.0.0.1:1818 Connected
8/18/2008 10:42:36 AM testaccount@127.0.0.1:1818 Requested GET /~style.css
8/18/2008 10:42:36 AM testaccount@127.0.0.1:1818 Not served: 401 - Unauthorized
8/18/2008 10:42:37 AM testaccount@127.0.0.1:1818 Disconnected by server - 414 bytes sent
8/18/2008 10:42:39 AM 127.0.0.1:1819 Connected
8/18/2008 10:42:39 AM testaccount@127.0.0.1:1819 Requested GET /~style.css
8/18/2008 10:42:39 AM testaccount@127.0.0.1:1819 Not served: 401 - Unauthorized
8/18/2008 10:42:39 AM testaccount@127.0.0.1:1819 Disconnected by server - 413 bytes sent
8/18/2008 10:42:40 AM 127.0.0.1:1821 Connected
8/18/2008 10:42:40 AM 127.0.0.1:1821 Requested GET /~style.menu.css
8/18/2008 10:42:40 AM 127.0.0.1:1821 Not served: 401 - Unauthorized
8/18/2008 10:42:40 AM 127.0.0.1:1821 Disconnected by server - 413 bytes sent
8/18/2008 10:42:41 AM 127.0.0.1:1823 Connected
8/18/2008 10:42:41 AM 127.0.0.1:1823 Disconnected by server - 413 bytes sent
8/18/2008 10:42:42 AM 127.0.0.1:1824 Connected
8/18/2008 10:42:42 AM 127.0.0.1:1824 Disconnected - 1161 bytes sent
8/18/2008 10:42:42 AM 127.0.0.1:1825 Connected
8/18/2008 10:42:42 AM 127.0.0.1:1825 Disconnected by server - 411 bytes sent
*****

From 8/18/2008 10:42:40 AM on down is where I decided to just hit Cancel at the login prompt.
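The log above mixes three different kinds of 401: an anonymous first request that only triggers the browser's login prompt, a real credential failure (the line with "Login failed"), and requests where testaccount is already authenticated but is still refused /~style.css. The last kind is an authorization problem, not a password problem, which is the distinction that matters when reading such a log. As an added example (not part of this thread and not HFS code), the following Python script classifies the 401 lines that way. The line format is assumed from the log posted above, and the sample lines are constructed for the example rather than copied verbatim.

```python
import re
from collections import Counter

# Constructed sample in the layout of the log posted above (not a verbatim copy).
SAMPLE_LOG = """\
8/18/2008 10:42:16 AM 127.0.0.1:1808 Requested GET /test/
8/18/2008 10:42:16 AM 127.0.0.1:1808 Not served: 401 - Unauthorized
8/18/2008 10:42:19 AM testaccount@127.0.0.1:1809 Login failed
8/18/2008 10:42:19 AM testaccount@127.0.0.1:1809 Requested GET /test/
8/18/2008 10:42:19 AM testaccount@127.0.0.1:1809 Not served: 401 - Unauthorized
8/18/2008 10:42:21 AM testaccount@127.0.0.1:1811 Requested GET /test/
8/18/2008 10:42:22 AM testaccount@127.0.0.1:1811 Served 885 B
8/18/2008 10:42:22 AM testaccount@127.0.0.1:1811 Requested GET /~style.css
8/18/2008 10:42:22 AM testaccount@127.0.0.1:1811 Not served: 401 - Unauthorized
8/18/2008 10:42:25 AM testaccount@127.0.0.1:1813 Requested GET /~style.css
8/18/2008 10:42:25 AM testaccount@127.0.0.1:1813 Not served: 401 - Unauthorized
"""

# Assumed line layout: date, time, AM/PM, optional "user@", ip:port, event text.
# Lines without an ip:port (e.g. "Server start") are skipped.
LINE_RE = re.compile(
    r"^(?P<time>\S+ \S+ [AP]M) "
    r"(?:(?P<user>[^@\s]+)@)?(?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+) "
    r"(?P<event>.*)$"
)


def parse_events(log_text):
    """Turn each recognised log line into a dict of its fields."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify_401s(log_text):
    """Label every 401 by what it actually means for the connection that got it."""
    last_path = {}       # ip:port -> most recently requested path
    login_failed = set()  # connections on which HFS logged "Login failed"
    findings = []
    for ev in parse_events(log_text):
        conn = f"{ev['ip']}:{ev['port']}"
        text = ev["event"]
        if text.startswith("Requested "):
            last_path[conn] = text.split(" ", 2)[2]
        elif text == "Login failed":
            login_failed.add(conn)
        elif text.startswith("Not served: 401"):
            if ev["user"] is None:
                kind = "anonymous challenge"        # browser has not sent credentials yet
            elif conn in login_failed:
                kind = "bad credentials"            # authentication failed
            else:
                kind = "authenticated user denied"  # authenticated, but not authorized
            findings.append({"time": ev["time"], "conn": conn, "user": ev["user"],
                             "path": last_path.get(conn), "kind": kind})
    return findings


def summarize(log_text):
    """Count 401s per (kind, path) so a repeating denial on one resource stands out."""
    return Counter((f["kind"], f["path"]) for f in classify_401s(log_text))


if __name__ == "__main__":
    for (kind, path), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {kind:26s} {path}")
```

On the sample, the count for ("authenticated user denied", "/~style.css") is what points at a permission rule on the stylesheet rather than at the password, which is the conclusion the thread reaches a few posts later.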


Offline TEA-Time

  • Occasional poster
    • Posts: 76
Oops, I forgot to mention that this does not happen in the latest official release, v2.2d.


Offline rejetto

  • Administrator
  • Tireless poster
    • Posts: 13510
i just tested, and it worked correctly.
one login, entered username and empty password, and it went ok.
i also tested with a password "a", and all fine again.
are you sure you entered the same password as the account you created?
you can provide your vfs by attaching it to the post


Offline TEA-Time

  • Occasional poster
    • Posts: 76
Hi rejetto,

Thanks for the reply!

Sorry, I guess I left something else important out.  My root has restricted access to accounts other than testaccount.  When I leave the root unrestricted or give testaccount access to it, access to /test works fine, but I don't want testaccount to have access to the root.

It seems to me that the css files are coming from the root and are therefore affected by permissions given to the root.

Attached is a very basic vfs with access to the root given to otheraccount and access to the test folder given to testaccount.

Hope this helps, and thanks for looking into it!  Don't feel obligated to spend too much time on it during your vacation. ;)  It's not an emergency or anything.


Offline rejetto

  • Administrator
  • Tireless poster
    • Posts: 13510
thank you for the vfs, that made things easier.
the problem is actually the css files in the root.
i have no quick solution for it.
maybe i should just unbind template sections from vfs restrictions.
what do you think?


Offline TEA-Time

  • Occasional poster
    • Posts: 76
Hi rejetto,

I hope your vacation is going well!

I think unbinding the template sections from VFS restrictions would fix it as long as it doesn't cause a security problem.  Would there be any risks in having unrestricted access to the templates?

What's the difference between how v2.2d (which doesn't exhibit this behavior) works and the latest betas?  Were there no css files? ... Ah, I think I just answered that question myself.  I just downgraded to v2.2d and it appears as though the CSS info is embedded in the page, so that explains that.


Offline rejetto

  • Administrator
  • Tireless poster
    • Posts: 13510
it's not really a security problem, i just thought that someone may want to fully hide the server identity, and accessing resources will tell that it is actually HFS (and roughly the version, to some degree).

for now i will just include the css inside the error pages by using macros. it should work.
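To make the mechanism discussed in rejetto's two replies concrete, here is an added Python model of the access decision (example code written for this page, not HFS's source). It assumes a simplified VFS where each folder either has no restriction or a set of permitted accounts, and where a path is governed by the deepest folder it falls under; the account names and the "/~" prefix of template resources are taken from the thread, the rest is an assumption for illustration. It shows why /~style.css inherits the root's restriction in the "bound" rule, and what changes when template resources are exempted.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Folder:
    """One VFS folder. allowed=None means unrestricted; a set lists the only
    accounts permitted (simplified model assumed for this example)."""
    name: str
    allowed: Optional[Set[str]] = None
    children: Dict[str, "Folder"] = field(default_factory=dict)


def build_vfs() -> Folder:
    # Same shape as the VFS described in the thread: the root is given to
    # otheraccount, the "test" folder to testaccount.
    root = Folder("", allowed={"otheraccount"})
    root.children["test"] = Folder("test", allowed={"testaccount"})
    return root


def resolve(root: Folder, path: str) -> Folder:
    """Return the deepest VFS folder the path falls under. A template resource
    such as /~style.css matches no folder, so it lands on the root."""
    node = root
    for part in path.strip("/").split("/"):
        if part in node.children:
            node = node.children[part]
        else:
            break
    return node


def authorize_bound(root: Folder, account: str, path: str) -> bool:
    """The rule the beta shows in the thread: every path, template resources
    included, is governed by the folder it resolves to."""
    node = resolve(root, path)
    return node.allowed is None or account in node.allowed


TEMPLATE_PREFIX = "/~"   # prefix of the resources seen in the log (/~style.css, /~img27)


def authorize_unbound(root: Folder, account: str, path: str) -> bool:
    """The alternative rejetto floats: template resources are exempt from VFS
    restrictions, real folders and files keep the folder rule."""
    if path.startswith(TEMPLATE_PREFIX):
        return True
    return authorize_bound(root, account, path)


def denied_assets(root: Folder, account: str, assets: List[str], policy) -> List[str]:
    """Which of a page's linked assets the browser would get 401 for under a policy.
    Any non-empty result means the browser re-prompts for credentials after the
    page itself was served, which is the loop seen in the first post."""
    return [a for a in assets if not policy(root, account, a)]


if __name__ == "__main__":
    vfs = build_vfs()
    page_assets = ["/~style.css", "/~style.menu.css", "/~img27"]
    for policy in (authorize_bound, authorize_unbound):
        print(policy.__name__, "/test/ ->", policy(vfs, "testaccount", "/test/"),
              "| denied assets:", denied_assets(vfs, "testaccount", page_assets, policy))
```

The trade-off rejetto names is visible in authorize_unbound: the exempted resources are reachable by anyone, which reveals that the server is HFS even to an unauthenticated client. The macro approach mentioned in the reply above sidesteps the question differently, by inlining the CSS so the page references no separate resource at all, in which case denied_assets has nothing to check.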


Offline TEA-Time

  • Occasional poster
    • Posts: 76
Sounds good to me. :D

Looking forward to the next release!


Offline TEA-Time

  • Occasional poster
    • Posts: 76
Hi rejetto,

I finally got around to testing 201 with this problem and it still exists. :-\


Offline rejetto

  • Administrator
  • Tireless poster
    • Posts: 13510
mm, i tested it and was fine to me.
maybe you have a customized template.
see if "customized template" appears in the status bar of HFS.


Offline TEA-Time

  • Occasional poster
    • Posts: 76
Hi rejetto,

Nope, no customized template.  Same VFS I posted before, and the same accounts used in it.


Offline rejetto

  • Administrator
  • Tireless poster
    • Posts: 13510
can you please post the html source you get in your browser when you get the error page?
this is what i get

Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
<html>
  <head>
  <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  <style type="text/css">
  body, th { font-family:tahoma, verdana, arial, helvetica, sans; font-weight:normal; font-size:9pt; }
body { background-color:#DDF; padding:10px; }
body, p, form { margin:0 }
a { text-decoration:none;  background-color:Transparent; color:#05F; }
a:visited { color:#55F; }
a:hover { background-color:#EEF; }
img { border-style:none }
#files td { font-size:10pt; background:#FFF; border:1px solid #BBF }
#files td img { vertical-align:top }
#files th, th a, th a:visited { color:#555; font-size:13pt; font-weight:bold; padding-bottom:0; }
#foldercomment { font-size:10pt; color:#888; background:#EEE; padding:3px; border:1px solid #DDD; border-bottom:3px solid #DDD; margin-top:2px; }
#folder, .big { font-size:14pt; font-weight:bold;  }
#folderlabel, #folderstats, #footer { font-size: 8pt; }
#body {
  border-bottom: 4px solid #BBF;
     border-top: 4px solid #BBF;
    border-left: 1px dotted #BBF;
   border-right: 1px dotted #BBF;
  background:#F3F3FF;
  padding:15px;
  margin:15px;
}
.comment { font-size:7pt; color:#888; background:#EEE; padding:3px; border:1px solid #DDD; margin-top:2px; }
.button { height:24px; padding:4px 10px; margin:5px; border:2px solid black; background:white; font-size:8pt; font-weight:bold; }
a.button { padding:8px 10px; }
a.button img { vertical-align:text-bottom; }
.flag { font-weight:bold; font-size:8pt; background:white; color:red; text-align:center; border:1px solid red; }
.item-folder { font-size:smaller; margin-top:4px; }

 
  </style>
  </head>
<body>
<h1>Unauthorized</h1>
This is a protected resource.
<br>Your username/password doesn't match.

<hr>

<div style="font-family:tahoma, verdana, arial, helvetica, sans; font-size:8pt;">
<a href="http://www.rejetto.com/hfs/">HttpFileServer 2.3 beta</a>
<br>05/09/2008 12.07.02
</div>
</body>
</html>


Offline TEA-Time

  • Occasional poster
    • Posts: 76
Hi rejetto,

Here ya go.  Browser cache cleared and everything.  I even created a whole new VFS, and temporarily reset the options.

Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
<!-- -->
<html>
<head>
  <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  <link rel="stylesheet" href="/~style.css" type="text/css">
  <link rel="stylesheet" href="/~style.menu.css" type="text/css">
  <title>HFS /test/</title>
  <link rel="shortcut icon" href="/favicon.ico">

<!--[if lte IE 5.5]>
<style type="text/css">
.menu ul li a, .menu ul li a:visited { width:151px; w\idth:139px; }
</style>
<![endif]-->

 
<style type="text/css"></style>

</head>
<body>
<table width='100%'>
<tr>
  <td width='95%'>
    <div id='folderlabel'>folder</div>
    <div id='folder'><a href="/">Home/</a><a href="/test/">test/</a></div>

<td nowrap>
    <div class='button'><img src="/~img27"> user: testaccount</div>
<td nowrap>
    <div class='button'>
    <form style='width:160px'>
    <input name='search' size='10' value="">
    <input type='submit' value="search">
    </form>
    </div>

  <td nowrap>
    <div class="menu">
    <ul>
    <li class='last'><a href="#"><span style='position:relative; top:5px; left:35px;'>.: Menu :.</span><!--[if IE 7]><!--></a><!--<![endif]-->
    <!--[if lte IE 6]><table><tr><td><![endif]-->
    <ul>



    <li class="last"><a href="/test/?tpl=list&folders-filter=\&recursive">File list</a></li>

    </ul>
    <!--[if lte IE 6]></td></tr></table></a><![endif]-->
    </li>
    </ul>
    </div>

</table>

<div id='body'>
 
  <a class='big' href=".."><img src="/~img14"> UP</a>

  <div class='big'>No files</div>
</div>

<div id='footer'>
  <a href="http://www.rejetto.com/hfs/">HttpFileServer 2.3 beta</a>
  <br>Servertime: 9/5/2008 9:42:20 AM
  <br>Uptime: 00:05:35
</div>

</body>
</html>
<!-- Build-time: 0.130 -->


Offline rejetto

  • Administrator
  • Tireless poster
    • Posts: 13510
although i found possible solutions, i'm studying the problem because it's security sensitive.
in the meanwhile, could you please tell me why you need to not give access to the root to the account that has access to the folder?