Discussion forum about ELOG
63   Tue Jul 9 10:58:18 2002   Reply   Stefan Ritt <stefan.ritt@psi.ch>   Comment   Re: elog submit without user and password
> With elog it is possible to submit messages to a password protected
> logbook without specifying the -u option.  I.e. NO PASSWORD is
> necessary to submit a message.  I assume it is related to the problem
> of expiring password-cookies while entering the message using a web
> browser.

Indeed this problem is related to the expiring password cookies. As a 
reminder: For the submission of a new entry, the password is checked when one 
presses the "New" button, but NOT for the "submit". This is because a 
password can expire between the "New" and the "Submit", so an entered message 
could not be sent. The question is now what to do with the standalone "elog".

Right now, elog does a normal submission where the password is not checked, 
which is maybe not what one wants. But what to do? If elog sends a special 
flag "please do check password on submit", someone could analyze the source 
code, remove the flag from elog and then still submit messages without a 
password. If I put an additional flag to the web browser submission "please 
do not check the password since the cookie might have been expired", someone 
can add this flag into elog and still bypass the password checking.

Another thing which bothers me is if you specify the password explicitly on 
the command line of elog, it's visible in some scripts etc, which would be a 
security issue as well.

Any ideas?
64   Tue Jul 9 15:28:33 2002   Reply   H. Scheit <h.scheit@mpi-hd.mpg.de>   Comment   Re: elog submit without user and password
> > With elog it is possible to submit messages to a password protected
> > logbook without specifying the -u option.  I.e. NO PASSWORD is
> > necessary to submit a message.  I assume it is related to the problem
> > of expiring password-cookies while entering the message using a web
> > browser.
> 
> Indeed this problem is related to the expiring password cookies. As a 
> reminder: For the submission of a new entry, the password is checked when one 
> presses the "New" button, but NOT for the "submit". This is because a 
> password can expire between the "New" and the "Submit", so an entered message 
> could not be sent. The question is now what to do with the standalone "elog".
> 
> Right now, elog does a normal submission where the password is not checked, 
> which is maybe not what one wants. But what to do? If elog sends a special 
> flag "please do check password on submit", someone could analyze the source 
> code, remove the flag from elog and then still submit messages without a 
> password. If I put an additional flag to the web browser submission "please 
> do not check the password since the cookie might have been expired", someone 
> can add this flag into elog and still bypass the password checking.

I guess it cannot and doesn't have to be 100% safe.  Maybe if the web
interface is used for a new message a long random number (let's call
it newID) can be included, which elog remembers for some time (say 1
day).  Now elogd accepts a new message only if

  1) the cookies are there and valid or
  2) if the cookies are NOT THERE, but the newID matches one of the
       stored ones.

The new message is rejected if the cookies are there, but are wrong.

> Another thing which bothers me is if you specify the password explicitly on 
> the command line of elog, it's visible in some scripts etc, which would be a 
> security issue as well.

Maybe the encoded password should be specified.  I use wget to
retrieve some entries automatically over a cron job and with wget
you specify a cookie-file with --cookie-file (or something like
this).  The content of this file corresponds to the content of the
netscape cookie file.

> 
> Any ideas?

Can one delete or edit messages with elog?  If yes then this should not be
possible.
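The acceptance rule H. Scheit proposes above, written out as an added Python model (not ELOG's own code). It assumes a simplified cookie check (constant-time comparison against one expected value, standing in for whatever elogd really validates), a one-day lifetime for each newID, that a newID is consumed on first use, and an injectable clock so the expiry can be exercised.

```python
import hmac
import secrets
import time

NEWID_TTL = 24 * 3600  # "remembers for some time (say 1 day)"


class SubmitGuard:
    """Decide whether a submission is accepted (constructed model of the proposal)."""

    def __init__(self, expected_cookie, now=time.time):
        self._expected_cookie = expected_cookie  # assumption: stand-in for elogd's cookie check
        self._now = now                          # clock is injectable for testing
        self._newids = {}                        # newID -> expiry timestamp

    def issue_newid(self):
        """Called when 'New' is pressed with a valid password: hand out a random newID."""
        self._purge_expired()
        newid = secrets.token_hex(16)            # 128 bits of randomness
        self._newids[newid] = self._now() + NEWID_TTL
        return newid

    def _purge_expired(self):
        now = self._now()
        self._newids = {k: v for k, v in self._newids.items() if v > now}

    def _cookie_valid(self, cookie):
        return hmac.compare_digest(cookie, self._expected_cookie)

    def accept_submit(self, cookie, newid):
        """Return True if the submission may be stored.

        Rule 3: cookies present but wrong -> reject, whatever the newID says.
        Rule 1: cookies present and valid -> accept.
        Rule 2: no cookies at all -> accept only a remembered, unexpired newID.
        """
        if cookie is not None:
            return self._cookie_valid(cookie)
        if newid is None:
            return False
        self._purge_expired()
        # assumption: a newID is single-use, so a captured one cannot be replayed
        return self._newids.pop(newid, None) is not None
```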
65   Wed Jul 10 08:53:21 2002   Reply   Stefan Ritt <stefan.ritt@psi.ch>   Comment   Re: elog submit without user and password
> I guess it cannot and doesn't have to be 100% safe.  Maybe if the web
> interface is used for a new message a long random number (let's call
> it newID) can be included, which elog remembers for some time (say 1
> day).  Now elogd accepts a new message only if
> 
>   1) the cookies are there and valid or
>   2) if the cookies are NOT THERE, but the newID matches one of the
>        stored ones.
> 
> The new message is rejected if the cookies are there, but are wrong.

Ok that sounds a good idea to me, I will work on that.

> Can one delete or edit messages with elog?  If yes then this should not be
> possible.

No this is not possible.
74   Mon Jul 15 15:05:22 2002   Idea   Joeri Mastop <joeri.mastop@knmi.nl>   Comment   Re: Port specification with -p fails (SOLVED, more or less)
> Anyone seen similar problems? 
Probably not if you read the config file, 'cause I didn't. Shame on me...

But what this shows (Stefan: correct me if I'm wrong) is that if you set 
the port number in the [global] section of the config file, the command-line
option '-p' is ignored. FYI...

Joeri
78   Tue Jul 23 09:12:14 2002   Reply   Stefan Ritt <stefan.ritt@psi.ch>   Comment   Re: Port specification with -p fails (SOLVED, more or less)
> > Anyone seen similar problems? 
> Probably not if you read the config file, 'cause I didn't. Shame on me...
> 
> But what this shows (Stefan: correct me if I'm wrong) is that if you set 
> the port number in the [global] section of the config file, the command-line
> option '-p' is ignored. FYI...
> 
> Joeri

I changed that behaviour, so from 2.0.5 on the command line port setting has 
precedence over the configuration file (as it should be).
83   Wed Jul 24 17:24:31 2002   Idea   Christian Korschan <Christian.Korschan@CTBTO.ORG>   Comment   Re: elog-2.0.5 core dumps under Solaris
> Just compiled elog-2.0.5 under Solaris 8 and 9  without any warnings/errors
> but the elogd binary just core dumps:
> 
> # /opt/ELOG/bin/elogd -c /opt/ELOG/elogd.cfg 
> Indexing logbook "demo"...
> Bus Error (core dumped)
> 
> .. tracing elogd shows:
> 
> [ lines snipped ]
> 2964:   brk(0x005B8A68)                                 = 0
> 2964:   ioctl(1, TCGETA, 0xFFBEE6BC)                    = 0
> Indexing logbook "demo"...
> 2964:   write(1, " I n d e x i n g   l o g".., 27)      = 27
> 2964:       Incurred fault #5, FLTACCESS  %pc = 0x000164C0
> 2964:         siginfo: SIGBUS BUS_ADRALN addr=0x2F757372
> 2964:       Received signal #10, SIGBUS [default]
> 2964:         siginfo: SIGBUS BUS_ADRALN addr=0x2F757372
> 2964:           *** process killed ***
> #
> 
> ... any clue?

Hmmm - stupid me used a broken patch used to get rid of alphasort under 2.0.4.
This entry and its predecessor should be DELETED - sorry for the confusion :-(
88   Tue Jul 30 17:54:53 2002   Reply   Stefan Ritt <stefan.ritt@psi.ch>   Comment   Re: Scroll box for attributes
> Hello,
>    If you have the text box turned off so you only enter attributes, is it 
> possible to have a couple of attributes that have small scroll through text 
> boxes of a couple of lines rather than just one line?   Like not as big as 
> the regular text box but something small to be able to post a couple of 
> lines in and if it gets bigger then you scroll down.  For instance if you 
> are posting a problem and a solution just have one small text box for the 
> problem and one for the solution.

Having multi-line attributes would be pretty difficult since it would break 
the way the database works (one attribute at a line). So for now, you have to 
use the text box and the reply functionality to deal with problems and fixes 
(like for this entry).
100   Sun Aug 11 18:45:08 2002   Reply   tony summerfelt <snowzone25@yahoo.com>   Comment   Re: self-registration
> Sorry, I haven't fully documented it yet, will do on Monday next week. For 
> now, see the configuration file for this forum which is attached.

That's ok. I just wanted to make sure that I hadn't missed something. I'm eventually switching over my entire dial up BBS to my web page, with elog being the message system. Self-registration was the last piece of the puzzle for me :)