New Foswiki release 2.1.6 is available with important security fixes.
Sourceforge foswiki email lists being discontinued. Subscribe to the new Foswiki announce and discuss lists at MailingLists
This question about Configuration: Answered

configure password is saved but is not recognized afterwards

I encounter the following problem on my Foswiki 1.1.6 installation on ubuntu using apache2:

  1. I go to the configure page
  2. I click on "change password"
  3. I get prompted to enter a new password and confirm it.
  4. I enter the new password twice and confimr with a click on "Set password and Save changes"
  5. The following screen tells me that the setting of the password was successfull
  6. But if I reload the page, it tells me I have a "High security risk" because the configure password is not set
  7. If I choose "Change password" again, it again looks like setting the first password, not changing it
  8. I also can not login as "admin" using the "internal admin login".
The strange thing is that everything else seems to work fine. I have created a normal user. I can login via that user and create/edit topics. Also, if I change the configure password over the configure page, I see that the line "$Foswiki::cfg{Password}" in "LocalSite.cfg" has changed. Deleting the line also did not bring an improvement.

I tried to manually add a user "admin" to the "data/.htpasswd" file but that does not help either.

It would be great if anyone could help me on this problem. Thanks in advance.


-- LarsPFoswiki - 28 Oct 2013

Two issues here:

1) The admin password / configure save password not working:

Double check the contents of your lib/LocalSite.cfg file. I think there was a bug at one point where there would be duplicate entries written to the file. So you might find multiple entries for $Foswiki::cfg{Password}. Also look to be sure that the file doesn't accidentally terminate prematurely with either a __DATA__ or __END__ statement. I vaguely recall that that caused issues at one point.

2) The "High Security Risk" warning. This has nothing to do with the configure save password. You would need to update the apache configuration and separately protect the /bin/configure command. Generally that's done independent of any foswiki authentication.

For example: From the server command line, create a different apache .htpasswd file, and insert nto it the users you want to be able to access configure: Caution: Never update the foswiki maintaned .htpasswd file using the apache htpasswd tool! It will discard the email addresses of your users!

$ htpasswd -c -s .htpasswd-admin configuser
New password: 
Re-type new password: 
Adding password for user configuser

And then update the apache configuration to use the alternate file for the configure users:

        <FilesMatch "^(configure)$">
                SetHandler cgi-script
                AuthType Basic
                AuthName "admins only"
                AuthUserFile /my/server/root/data/.htpasswd-admin
                ErrorDocument 401 default
                <limit GET PUT POST>
                require valid-user

-- GeorgeClark - 28 Oct 2013

To point 1)

There was no double entry for $Foswiki::cfg{Password} but an early END line. The end line was right after the "#---+++ Enable or disable installed extensions" section. I manually installed the ExcelImportExportPlugin. Maybe that caused the problem. I moved the line to the end of the file and the configure password now works.

To point 2)

I allowed access only from localhost. But a password is nicer anyway. So I changed my settings according to your suggestions and it works. I only extended the regex "^(configure)$" to "^(configure)(\.pl)*$" so that the password is also queried if the URL contains the ".pl" after configure. All "Security risk" warnings have dissapeared.

Thanks a lot for your quick and precise help.

-- LarsPFoswiki - 29 Oct 2013

QuestionForm edit

Subject Configuration
Version Foswiki 1.1.6
Status Answered
Related Topics
Topic revision: r3 - 29 Oct 2013, LarsPFoswiki - This page was cached on 10 Mar 2018 - 20:44.

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License