| From: | wieck(at)debis(dot)com (Jan Wieck) |
|---|---|
| To: | fomichev(at)null(dot)ru (Fomichev Michael) |
| Cc: | pgsql-sql(at)postgreSQL(dot)org, pgsql-admin(at)postgreSQL(dot)org |
| Subject: | Re: [ADMIN] Apache authentication & PostgreSQL |
| Date: | 1999-06-11 09:58:16 |
| Message-ID: | m10sO4m-0003kGC@orion.SAPserv.Hamburg.dsh.de |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-sql |
Fomichev Mikhail wrote:
> Hi, all !
> I'm trying to show data from the PostgreSQL database to the Web page,
> using WWW-SQL. I want the users to get an access to the database from the
> browsers under their own names. To achieve this I configured Apache so
> that it would authenticate an user when the user enters the directory with
> CGI-scripts. I'd like that the name and the password of the user having
> been authenticated, will be used in CGI-script for the access to the
> database.
> I can get the user's name via environment variable $REMOTE_USER, wich is
> set by Apache.
>
> Now the question: is it possible to get the password, which the user has
> entered by the authentication ?
>
> I know one solution. But it requires hacking of Apache.
Generally it's not such a bad idea to tell which version of
Apache you're using.
Anyway, if you have a 1.3.3, you must compile it with
-D SECURITY_HOLE_PASS_AUTHORIZATION
In that case, Apache will set an environment variable
HTTP_AUTHORIZATON whenever it sets AUTH_TYPE. That is,
whenever a cgi is accessed that is protected by a require
directive so you need username/password to get it.
The variable HTTP_AUTHORIZATION contains the auth type and
for "Basic" authentication "username:password" b64 encoded.
As the define clearly states, it's a security hole. If users
are allowed to use selfmade cgi's in their homepage, these
can potentially steel passwords. And users might also steel
passwords using 'ps -e'.
Thus, having the username:password passed down into the cgi
script is really only a last resort. In general your CGI
scripts should use a pseudo user to contact the database. If
someone can call a CGI script but should not have the db
access permissions required therein, something's wrong with
the entire design - back to drawing board. If the user is
already authenticated by Apache, why let PostgreSQL check the
password again?
Jan
--
#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me. #
#========================================= wieck(at)debis(dot)com (Jan Wieck) #
| From | Date | Subject | |
|---|---|---|---|
| Next Message | José Soares | 1999-06-11 15:49:36 | Re: [SQL] unmatched |
| Previous Message | Giuseppe Tanzilli | 1999-06-11 09:53:02 | Re: [ADMIN] Apache authentication & PostgreSQL |