Re: [ADMIN] Apache authentication & PostgreSQL - Mailing list pgsql-sql

From Fomichev Michael
Subject Re: [ADMIN] Apache authentication & PostgreSQL
Date
Msg-id Pine.LNX.4.04.9906151428400.3031-100000@ns.region.utsr
In response to Re: [ADMIN] Apache authentication & PostgreSQL  (wieck@debis.com (Jan Wieck))
List pgsql-sql

On Fri, 11 Jun 1999, Jan Wieck wrote:

> Fomichev Mikhail wrote:
> 
> > Hi, all !
> > I'm trying to show data from the PostgreSQL database on a Web page,
> > using WWW-SQL. I want the users to get access to the database from their
> > browsers under their own names. To achieve this I configured Apache so
> > that it authenticates a user when the user enters the directory with
> > CGI scripts. I'd like the name and the password of the authenticated
> > user to be used in the CGI script for access to the database.
> > I can get the user's name via the environment variable $REMOTE_USER, which is
> > set by Apache.
> >
> > Now the question: is it possible to get the password which the user
> > entered during authentication?
> >
> > I know one solution. But it requires hacking of Apache.
> 
>     Generally  it's  not such a bad idea to tell which version of
>     Apache you're using.
> 
I'm using 1.3.3 version.

>     Anyway, if you have a 1.3.3, you must compile it with
> 
>         -D SECURITY_HOLE_PASS_AUTHORIZATION
> 
>     In  that  case,  Apache  will  set  an  environment  variable
>     HTTP_AUTHORIZATION  whenever  it  sets  AUTH_TYPE.  That  is,
>     whenever a cgi is accessed that is  protected  by  a  require
>     directive so you need username/password to get it.
> 
>     The  variable  HTTP_AUTHORIZATION  contains the auth type and
>     for "Basic" authentication "username:password" b64 encoded.
> 
>     As the define clearly states, it's a security hole.  If users
>     are  allowed  to  use self-made CGIs in their homepage, these
>     can potentially steal passwords. And users might  also  steal
>     passwords using 'ps -e'.
> 
>     Thus,  having  the username:password passed down into the cgi
>     script is really only a last  resort.  In  general  your  CGI
>     scripts  should use a pseudo user to contact the database. If
>     someone can call a CGI script but  should  not  have  the  db
>     access  permissions  required therein, something's wrong with
>     the entire design - back to drawing board.  If  the  user  is
>     already authenticated by Apache, why let PostgreSQL check the
>     password again?
> 
I want to give different access rights to the database to different
users (for select, for update, etc.). I can't do this using a pseudo user
to contact the database. In the CGI script I can connect to the database with
a username/password other than the pseudo user's, but I don't know the
password of the authenticated user. Maybe there is another way to do this?
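Added example, not code from this thread and not part of Apache, WWW-SQL or PostgreSQL. It puts the two points of Jan's reply side by side: what a CGI sees in HTTP_AUTHORIZATION when Apache 1.3.3 is built with -D SECURITY_HOLE_PASS_AUTHORIZATION (so an administrator can confirm with a throwaway script whether their build exposes the password at all), and the design Jan recommends instead, where the script trusts REMOTE_USER that Apache set after checking the password, decides per user what is allowed, and never needs the password. The PERMISSIONS mapping, the function names and the sample environments are constructed for the example; the decoding follows Jan's description of the variable's contents.

```python
import base64
import os


def parse_basic_authorization(value):
    """Decode an HTTP Basic Authorization value ("Basic <base64 user:pass>").

    This is the form Jan describes for HTTP_AUTHORIZATION when Apache is
    built with -D SECURITY_HOLE_PASS_AUTHORIZATION. Returns (user, password)
    or None if the value is absent, not Basic, or not decodable.
    """
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def audit_cgi_environment(environ):
    """Report whether a CGI environment carries the authenticated user's password.

    Meant to be dropped into a protected CGI directory once, to confirm how
    the Apache build behaves, and then removed again.
    """
    creds = parse_basic_authorization(environ.get("HTTP_AUTHORIZATION"))
    remote_user = environ.get("REMOTE_USER")
    return {
        "auth_type": environ.get("AUTH_TYPE", ""),
        "remote_user": remote_user,
        "password_exposed": creds is not None,
        "header_user_matches_remote_user": creds is not None and creds[0] == remote_user,
    }


# Jan's recommended design: the CGI connects to PostgreSQL as one pseudo user
# and decides per request what the already-authenticated REMOTE_USER may do.
# This mapping is constructed for the example (hypothetical users); a real
# deployment would keep it in a configuration file or a table.
PERMISSIONS = {
    "alice": {"select", "update"},
    "bob": {"select"},
}


def authorize(environ, operation):
    """Return True if REMOTE_USER may perform `operation` (e.g. "select").

    REMOTE_USER is only trusted when Apache also reports AUTH_TYPE, i.e. when
    the request really passed through a directory protected by a require
    directive.
    """
    if not environ.get("AUTH_TYPE"):
        return False
    user = environ.get("REMOTE_USER")
    if not user:
        return False
    return operation in PERMISSIONS.get(user, set())


def constructed_environ(user, password, leak):
    """Build a sample CGI environment (constructed, not captured from a server).

    With leak=True the environment carries HTTP_AUTHORIZATION the way an
    Apache built with the SECURITY_HOLE define would populate it.
    """
    env = {"AUTH_TYPE": "Basic", "REMOTE_USER": user, "REQUEST_METHOD": "GET"}
    if leak:
        token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
        env["HTTP_AUTHORIZATION"] = "Basic " + token
    return env


# Two constructed environments: one from a build with the hole enabled, one without.
LEAKY_ENV = constructed_environ("alice", "s3cret", leak=True)
SAFE_ENV = constructed_environ("alice", "s3cret", leak=False)


if __name__ == "__main__":
    # Run as a CGI this inspects the real environment Apache handed the script.
    for key, value in audit_cgi_environment(os.environ).items():
        print(f"{key}: {value}")
```

The per-user select/update distinction asked about above lives in PERMISSIONS and authorize(), so the script can enforce it while holding only the pseudo user's database credentials; the password Apache checked never has to reach the script or the process environment. audit_cgi_environment() exists only to verify the build: if password_exposed comes back True on a server that was not meant to be built with the define, that build should be corrected.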


