Yes, there are Configs, and I can see them when I log in as a normal user. But when I log in as "administrator" I don't see them, and I also don't see any links to anything else.

>
>If there are files in Configs, but none showing in the list,
>that's odd. I can think of a couple things that might cause
>that:
>
> 1. If all of the configuration files are corrupt, the
>would be omitted from the list. You can check for this by
>trying to do something with a configuration from the command
>line, e.g. "sawmill -rfcf {configname} -gh t" -- does that
>give you an error?

Nope that works without errors. As I mentioned, I can see all the configs as a non-administrator, and I am not aware of any issues using the existing configs. I just can't seem to get logged in as an admin to remove a site or add a new one.

>
> 2. Look in the Preferences to see if you're using a
>command-line authentication script. If you are, then that
>script is responsible for returning the list of
>configurations available to a particular user; maybe it's
>not doing that?

It would seem that it is, since non-administrators can see all the configs. I suppose it's significant that the configs file read by the auth command doesn't list the user "administrator". Now that I understand what that command is for, I'll try adding "administrator" to each site in that config file.

Thanks,
Eric

administrative_remote_user administrator

and I assume (perhaps incorrectly) that this user is authenticated differently from normal users. The file LogAnalysisInfo/AdminPassword seems to contain the administrator password, as an MD5 hash.

In looking at the manual for how to do things, I see references to the Administrative Menu, but I have not yet been able to see that. Please help me understand how I should go about getting privileged access to the web interface, as I still don't have a good grasp of how this application is supposed to work.

Thanks very much,
Eric

When you try to access Sawmill, it will prompt you for the password, with Administrator as the uneditable username. If you enter the Administrator password, and it lets you in, you are then at the Administrative Menu (it should say that at the top). That's the menu where you create new configurations, view statistics, set up the Scheduler, view the docs, and more.

The Administrator user, which again is really the *only* user, has access to all configurations. If you can log in, you should be able to see all configurations when you click Open Configuration. You seem to be saying that when you click Open Configuration, you see no configurations, and that should happen only if there *are* no configurations.

Sawmill 6 also has a separate approach to authentication called "command line authentication", where you specify a command-line program that Sawmill should run to authenticate a particular username/password. When using command-line authentication, there *are* multiple users, and each has a specific list of profiles it can view. However, any administrative user should still be able to see all profiles; the other users are non-administrative users.

So what I'm trying to determine is: are you using the normal authentication, or are you using command-line authentication? You can tell by going to the login page--does it prompt you for at usernamd *and* password (command-line authentication), or does it just prompt you for a password (normal authentication)?

Once I know which authentication you're using, I'll have a better idea of how to proceed.

For the record (you don't need to know this, but others reading this might), Sawmill 7 *always* prompts for both username and password, because Sawmill 7 has a true concept of users (not just "administrator" and "viewer" line Sawmill 6). Sawmill 7 also has command-line authentication, but it's normal authentication works a lot like command-line authentication; there are multiple users, each with their own password, and each of them either an "administrator" or a user with permissions to view certain profiles (called "Configurations" in Sawmill 6).

Thanks very much Greg. I am using command-line auth, so I am prompted for both username and password. What I get when I log in as administrator is the same page that I get when I log in as a viewer. I take it from your explanation that I should be seeing a different page, so if you need me to post all or part of my config, I'm happy to do that.

Thanks,
Eric

The authentication script sends results back to Sawmill by "printing" them to the standard output stream, which is captured by Sawmill. If the script prints just this:

*ADMIN*

then the user is considered administrative. If the script prints just this:

*FAILED*

then Sawmill will report that authentication failed (e.g., invalid password), and will prompt again. Otherwise, the script should print:

config1
config2
...
configN

and Sawmill will allow access to the specified configurations, but will not allow administrative access.

So you need to look at that script, and see why it's not printing *ADMIN* in when you enter the administrative username/password. If you modify the script to just print *ADMIN* in all cases, it should give you admin access (though it's then also vulnerable to anyone else who finds the login page).

If it is already printing *ADMIN*, then Sawmill may be configured in a high-security mode called "browse only" mode, where admin access via the web is prohibited in all cases; in that case, you'll either need to change it to "browse and modify" mode, or you'll need to do all your administration from the command line. If that's the case, let me know and I'll explain in more detail.

OK, I have a script called sawmill_auth.pl. I'm not sure whether this is something distributed with Sawmill or just locally written.

>
>The authentication script sends results back to Sawmill by
>"printing" them to the standard output stream, which is
>captured by Sawmill. If the script prints just this:
>
> *ADMIN*
>
>then the user is considered administrative.

This is what I don't understand yet. How does the auth script know to grant admin rights to a particular user? Right now it's just looking in a .htpasswd-style file for username/hash tokens. I can stick the user "administrator" in there and get it to send back the list of configs, but it never prints *ADMIN* as you explained. I suppose I could try enhancing the script to match on the user "administrator" and modify the output.

>So you need to look at that script, and see why it's not
>printing *ADMIN* in when you enter the administrative
>username/password. If you modify the script to just print
>*ADMIN* in all cases, it should give you admin access
>(though it's then also vulnerable to anyone else who finds
>the login page).

Right. I think this is the problem, since the script has no way to provide admin rights. That leads me to believe that the script was not distributed as part of Sawmill.

>
>If it is already printing *ADMIN*, then Sawmill may be
>configured in a high-security mode called "browse only"
>mode, where admin access via the web is prohibited in all
>cases; in that case, you'll either need to change it to
>"browse and modify" mode, or you'll need to do all your
>administration from the command line. If that's the case,
>let me know and I'll explain in more detail.

I think that previous admins did everything from the command line, but the manual is rather thin in this area. It seems focused on using the web GUI for everything. I am comfortable with either method-- I just want it to work.

Thanks,
Eric

This was the trick. It confirms that no one has used the administrative web GUI in this installation before, since the auth script had no provision for returning the keyword *ADMIN*. I've modified it to match on the login "administrator" while leaving the existing users as unprivileged.

I think I'm good now, I can get into the administrative menu, so the manual should be more helpful now.

Thanks VERY much for the explanations!
Eric