Forums Admin login with god password (other than god)?

Involved Joined: Feb 08, 2005 Posts: 290 Location: USA

I have added a new site & forum admin. They can log into the site and admin just fine with their own username/pw combo (not god or my admin), however ... when they click on the forum admin icon they cannot log in under their own admin ... they must log in under god (superuser) admin ... I'd really rather NOT have it that way! Does anyone know what the problem is? I'm using the BB2Nuke that came with my RN76 2.02.02 ... with the NS that came with that. How can I have it so all admins can log into both site and forums admin pages under their own logins??? Help!?

Site Admin Joined: Jun 04, 2004 Posts: 6432

Just to clarify - are you talking about forum moderation with the Nuke user ID set up as a moderator or forums administration (i.e. admin.php?op=forums)? If it's forums administration, do you have admin authentication on this function? If so, you may need to setup admin authentication for the admin...but don't they already have this for admin.php?

Posted: Tue Oct 31, 2006 7:11 am

admin.php (site admin) ...
OK with cookies deleted, cache deleted, etc ... loading site as new to browser. I try to log in as my new admin in /nukesite/admin.php and that works fine, NS asks for the username/pw and seems ok because then I get sent to login page on the site itself for which I enter login name/pw/graphic #s ... all ok I get logged into site admin just fine under this person's login.

forums/admin.php (forums admin) ...
Then I go to the forums icon and click it and NS (I think it's NS) brings up a popup login box. I try to login forums admin as the username/pw of said new admin but it rejects that login three times until I get booted to a 401 permissions page.

However, if I enter the site admin (god/superuser) login name/pw it will allow me in. I'm not sure what the problem is or why I cannot log into the forums admin as this new admin's username/pw. Site login is fine using their login combo ... forums admin rejects until it gets god/superuser login info ... NOT good : o/

I've never understood why I get asked for username/pw again from forums admin since I've already logged in as admin to the site itself. Even as god/superuser I have to log in three times:

1) NS login popup box
2) Site login page if NS passes me LOL
3) Forums admin page

It's a bish deleting cookies lemme tell ya!

BTW, I as god/superuser and I as a regular user/admin am not having any problems logging in except NS sometimes wants the encrypted version of a pw, which I've enquired about here previously but no one really knew what was up with it. In NS I've had to change the encrypted to normal pws or I can't log in under regular pws ... the only one I didn't change was the god which is still encrypted and gives me fits now and then, in otherwords sometimes I have to enter the encrypted pw (the whole dang long mess of it) instead of the normal pw for god/admin to get access ... but that's another issue.

For now, I need help figuring out why my new admin can log into the site ok but needs to have god/superuser pw to access the forums admin area.

Posted: Tue Oct 31, 2006 7:19 am

And before you ask, yes they are set to Administrator every which way from Sunday, including in NS (I did the scan for new admins, etc, Is Protected).

Posted: Tue Oct 31, 2006 7:20 am

Bluezz, you (or someone helping you) must have added password protection on the Forums/admin directory. Remember back earlier this year all of the forum admin exploits going around? We were suggesting to folks here to do exactly that.

I am pretty sure that is what is going on.

Posted: Tue Oct 31, 2006 7:29 am

Where would I have done that?

And if that's the case is there a way to fix it so each admin can safely login to forums admin without needing god/superuser admin rights?

Posted: Tue Oct 31, 2006 7:52 am

You could have used cpanel to place a password on the modules/Forums/admin directory or you could have used a .htaccess/.staccess combination of files under this same directory.

If you used the cpanel approach, then you would have to manually sync those passwords (not something you would want to do).

The other option would be to have a .htaccess file in this directory which has the same deny statements that NukeSentinel has but point to the same .staccess file that you have in the root of your nuke structure (where NukeSentinel is using it).

Posted: Tue Oct 31, 2006 8:39 am

Ya lost me : o/

I can say I doubt I went the cPanel route since I tend to avoid that. I believe I tried the .htaccess/.staccess route which if I recall was in the NS install instructions but by the same token I don't think it ever worked because I don't think I ever made those changes as I ran into some login problem after trying it so I undid what install said to do, and then someone here told me that part wasn't necessary anyway ... or something ... I forget now.

Can you be more specific? Which .htaccess/.staccess file is the correct one and do I just copy that to the other admin's folder (like from root to forums/admin)? I'm confused.

Posted: Wed Nov 01, 2006 8:36 pm

If you look in the modules/Forums/admin directory, do you see a .htaccess file?

If the answer is "YES", then you need to look inside that and see what it is using for the password file, as that will control which password is being asked for to get to the Forums Admin.

If the answer is "NO", then I think you have to look in the .htaccess file in the root of your nuke installation and see if there is any reference to the above mentioned directory (with a deny) and calling out a password file to use for validation.

Posted: Fri Nov 03, 2006 2:39 pm

It has an .htaccess file that has something like this in it ...

AuthType Basic

AuthName "Forums Admin"

AuthUserFile "/home/<<userdir>>/.htpasswds/<<nukeroot>>/modules/Forums/admin/passwd"

require valid-user

There is no pw in it. Also it's not using an .staccess file either. The question was however, how do I get it so that admins can use their own pw not related to God/superuser pw?

Posted: Fri Nov 03, 2006 4:59 pm

Bluezzz, if I remember correctly you did use cPanel to set up authentication as I did you a step by step guide - but that doesnt mean you are still using it, you may have changed it after that.

Posted: Fri Nov 03, 2006 6:00 pm

Nope that wasn't me. I used Raven's install instructions for NS and had some problems at around step four or thereabouts. I have to us CGIAuth not HTTPauth, which was complicated for me from the previous time I'd installed. I didn't use cPanel at all that I remember. I avoid cPanel if I can LOL. I did have problems with the .htaccess file tho, I sort of got it working but I really don't remember how now.

Like I said, I as god/superuser and I as my own admin have no problems logging in, all I want is info to have other admins log in without giving them superuser for the forums ... for some reason my forums require superuser login and I don't want to give that out obviously.

Posted: Fri Nov 03, 2006 11:05 pm

Bluezz, that is definitely cpanel. You are someone helping you had to have added that password using cpanel. You can check that yourself by logging into cpanel and checking the password protect function.

For NukeSentinel, are you using HTTPAuth or CGIAuth? You should fine this on the main NukeSentinel administration page about midway down. The reason I ask is that if you are using CGIAuth, you may be able to use the same .staccess file to protect the forums admin.

It is important to still protect this. I know that you are not liking the double password bit, but you never know what other exploits people will find in phpBB admin that this stops cold.

Posted: Fri Nov 03, 2006 11:09 pm

If it's cpanel then it's not something I did, perhaps it's a host thing. I know we were suppose to 777 .htaccess and .staccess files so ya I did that, they didn't seem to take from my FTP program so I did have to do it from cpanel. I didn't set any folders or files to a pw protect directory tho. I just tried to follow the NS directions as best I could ... and as I said above CGIAuth is what I have to us. To my knowledge no one (and I am the only one god/superuser/reseller host) that is messing with my site files to my knowledge. I did not set any pws in cpanel. So if that indicates I did then some wires got crosses somewhere. I have an .htaccess file in Forums/admin but no .staccess file.

Posted: Fri Nov 03, 2006 11:25 pm

.htaccess and .staccess should be 666, not 777! I would change that right away.

The added password on the modules/Forums/admin directory is NOT from NukeSentinel. It was related to the phpbb_root_path exploits back earlier this year. It came from this thread here: [ Only registered users can see links on this board! Get registered or login! ]

Please check cpanel as I have mentioned. Whether you like to believe it or not, that is where the second password is getting set. I can clearly see that from your .htaccess file that you posted the contents of. BTW, I am going to blank out a bit of that path here in a second.

You could change (make a copy first) the modules/Forums/admin/.htaccess file to be something more like this:

Code:




<Files .staccess> 


deny from all 


</Files> 





<Limit GET POST PUT> 


require valid-user 


</Limit> 


AuthName "Restricted Forum Area" 


AuthType Basic 


AuthUserFile <<same path as what you see in NS for the .staccess path>>

Just copy and paste from the NS main administration page what the full path is to your NS .staccess file and then your admins don't have to log into it twice.

Posted: Sat Nov 04, 2006 12:40 am

[ Only registered users can see links on this board! Get registered or login! ]

Posted: Sat Nov 04, 2006 12:42 am

Well it's whatever is all boxes checked, I may have the numbers wrong, it's whatever NS install said to make it LOL.

Is your suggested change going to allow for each admin to log in with their own username/pw and not have to use god/superuser?

Thanks for your help, not sure I understand what yer telling me tho : o/

Posted: Mon Nov 06, 2006 6:45 pm

Quote:

Is your suggested change going to allow for each admin to log in with their own username/pw and not have to use god/superuser?

Yes. You still have to make them a nuke admin (but only give them "Forums", not "SuperUser) and you still have to add them to NukeSentinel. They would then log into admin.php like any other admin (which I think you already have them doing this) and then when they click on Forums in the Administration Menu, they will go right into the Forum admin panel (no extra password).

I have this installed this way on my own site and it works just fine.