From: | Fomichev Michael <fomichev(at)null(dot)ru> |
---|---|
To: | Jan Wieck <jwieck(at)debis(dot)com> |
Cc: | pgsql-sql(at)postgreSQL(dot)org, pgsql-admin(at)postgreSQL(dot)org |
Subject: | Re: [ADMIN] Apache authentication & PostgreSQL |
Date: | 1999-06-15 03:38:01 |
Message-ID: | Pine.LNX.4.04.9906151428400.3031-100000@ns.region.utsr |
Lists: | pgsql-sql |
On Fri, 11 Jun 1999, Jan Wieck wrote:
> Fomichev Mikhail wrote:
>
> > Hi, all !
> > I'm trying to show data from the PostgreSQL database to the Web page,
> > using WWW-SQL. I want the users to get an access to the database from the
> > browsers under their own names. To achieve this I configured Apache so
> > that it would authenticate a user when the user enters the directory with
> > CGI-scripts. I'd like that the name and the password of the user having
> > been authenticated, will be used in CGI-script for the access to the
> > database.
> > I can get the user's name via environment variable $REMOTE_USER, which is
> > set by Apache.
> >
> > Now the question: is it possible to get the password, which the user has
> > entered by the authentication ?
> >
> > I know one solution. But it requires hacking of Apache.
>
> Generally it's not such a bad idea to tell which version of
> Apache you're using.
>
I'm using version 1.3.3.
> Anyway, if you have a 1.3.3, you must compile it with
>
> -D SECURITY_HOLE_PASS_AUTHORIZATION
>
> In that case, Apache will set an environment variable
> HTTP_AUTHORIZATION whenever it sets AUTH_TYPE. That is,
> whenever a cgi is accessed that is protected by a require
> directive so you need username/password to get it.
>
> The variable HTTP_AUTHORIZATION contains the auth type and
> for "Basic" authentication "username:password" b64 encoded.
>
> As the define clearly states, it's a security hole. If users
> are allowed to use self-made CGIs in their homepage, these
> can potentially steal passwords. And users might also steal
> passwords using 'ps -e'.
>
> Thus, having the username:password passed down into the cgi
> script is really only a last resort. In general your CGI
> scripts should use a pseudo user to contact the database. If
> someone can call a CGI script but should not have the db
> access permissions required therein, something's wrong with
> the entire design - back to drawing board. If the user is
> already authenticated by Apache, why let PostgreSQL check the
> password again?
>
I want to give different access rights to the database for different
users (for select, for update, etc.). I can't do this using a pseudo user
to contact the database. In CGI script I can connect to the database with
another username/password than a pseudo user, but I don't know the
password of the authenticated user. Maybe there is another way to do this?
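The following Python is an added example for this thread, not code from either poster. It makes both points concrete: what a CGI actually receives in HTTP_AUTHORIZATION when Apache is built with SECURITY_HOLE_PASS_AUTHORIZATION (a Basic credential that decodes to cleartext "username:password"), and the design Jan recommends instead, where the script trusts REMOTE_USER and never touches the password. The per-user privilege part assumes a modern PostgreSQL with SET ROLE (not what PostgreSQL offered in 1999): the CGI connects as one pseudo user that has been granted membership in each web user's role, and switches to the authenticated user's role for the session. The CGI environment values are constructed for the example.

```python
import base64
import binascii

# Constructed CGI environment, as Apache would populate it for a request that
# passed Basic authentication.  Values are made up for this example.
SAMPLE_ENV = {
    "AUTH_TYPE": "Basic",
    "REMOTE_USER": "alice",
    # Only present when Apache was built with SECURITY_HOLE_PASS_AUTHORIZATION.
    "HTTP_AUTHORIZATION": "Basic " + base64.b64encode(b"alice:s3cret").decode(),
}

# Constructed allowlist of REMOTE_USER values that have a database role.
WEB_ROLES = {"alice", "bob"}


def parse_basic_authorization(env):
    """Return (username, password) from HTTP_AUTHORIZATION, or None.

    Shown only to make the exposure concrete: anything that can read this
    environment (another user's CGI, or 'ps -e' on some systems) sees the
    cleartext password.  Non-Basic schemes, bad base64 and a credential
    without the ':' separator all yield None rather than a partial result.
    """
    header = env.get("HTTP_AUTHORIZATION", "")
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob.strip():
        return None
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # Only the first ':' separates the fields; a password may contain ':'.
    user, sep, password = raw.decode("latin-1").partition(":")
    if not sep:
        return None
    return user, password


def quote_ident(name):
    """Quote a PostgreSQL identifier, doubling any embedded double quotes."""
    return '"' + name.replace('"', '""') + '"'


def plan_per_user_session(env, known_roles):
    """Return the SQL the CGI should run after connecting as the pseudo user.

    Authorization is decided from REMOTE_USER alone, which Apache only sets
    after it has checked the password.  Per-user SELECT/UPDATE rights live on
    the database role of that name (assumed: SET ROLE, modern PostgreSQL),
    so the script needs no password of its own for the user.  Unknown or
    unauthenticated requests fail closed.
    """
    user = env.get("REMOTE_USER")
    if env.get("AUTH_TYPE") != "Basic" or not user:
        raise PermissionError("request was not authenticated by Apache")
    if user not in known_roles:
        raise PermissionError("no database role mapped for %r" % (user,))
    # SET ROLE takes an identifier: quote it instead of pasting REMOTE_USER
    # into SQL text, so a name with quotes cannot alter the statement.
    return ["SET ROLE " + quote_ident(user)]


if __name__ == "__main__":
    print("exposed to the CGI:", parse_basic_authorization(SAMPLE_ENV))
    print("safer plan:", plan_per_user_session(SAMPLE_ENV, WEB_ROLES))
```

In the real script the returned statement would be executed right after connecting with the pseudo user's credentials; the user's own password never appears in the environment, in the process list, or in the script.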