Fomichev Mikhail wrote:
> Hi, all !
> I'm trying to show data from the PostgreSQL database on the Web page,
> using WWW-SQL. I want the users to get access to the database from their
> browsers under their own names. To achieve this I configured Apache so
> that it would authenticate a user when the user enters the directory with
> CGI-scripts. I'd like the name and password of the authenticated user
> to be used in the CGI-script for access to the database.
> I can get the user's name via the environment variable $REMOTE_USER, which is
> set by Apache.
>
> Now the question: is it possible to get the password which the user
> entered during authentication?
>
> I know one solution. But it requires hacking of Apache.
Generally it's not such a bad idea to tell which version of
Apache you're using.
Anyway, if you have 1.3.3, you must compile it with
-D SECURITY_HOLE_PASS_AUTHORIZATION
In that case, Apache will set an environment variable
HTTP_AUTHORIZATION whenever it sets AUTH_TYPE. That is,
whenever a CGI is accessed that is protected by a require
directive, so you need username/password to get it.
The variable HTTP_AUTHORIZATION contains the auth type and,
for "Basic" authentication, "username:password" base64 encoded.
As the define clearly states, it's a security hole. If users
are allowed to use self-made CGIs in their homepages, these
can potentially steal passwords. And users might also steal
passwords using 'ps -e'.
Thus, having the username:password passed down into the cgi
script is really only a last resort. In general your CGI
scripts should use a pseudo user to contact the database. If
someone can call a CGI script but should not have the db
access permissions required therein, something's wrong with
the entire design - back to drawing board. If the user is
already authenticated by Apache, why let PostgreSQL check the
password again?
Jan
--
#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me. #
#========================================= wieck@debis.com (Jan Wieck) #
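As an added illustration of both halves of Jan's answer, the following Python is not code from the original thread, nor from Apache or WWW-SQL. It decodes the HTTP_AUTHORIZATION value that -D SECURITY_HOLE_PASS_AUTHORIZATION hands to a CGI script (the part that exposes the cleartext password, including the edge cases a script actually meets: a non-Basic scheme, bad base64, no colon, a colon inside the password) and, beside it, the pseudo-user approach he recommends, keyed off REMOTE_USER. The CGI environment is constructed; the pseudo-user name "webapp" and all function names are this example's own assumptions, and no real database connection is made.

```python
"""Both halves of Jan's answer, as Python CGI logic.

Added example, not code from the original thread or from Apache/WWW-SQL.
The CGI environment is constructed inline; the pseudo-user name "webapp"
and the function names are this example's own assumptions. No real
PostgreSQL connection is made.
"""
import base64
import binascii


def encode_basic_credentials(username, password):
    """Build the 'Basic <base64(user:password)>' value a browser sends (RFC 2617).

    Used here only to construct sample input for the parser below.
    """
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_authorization(header):
    """Decode what -D SECURITY_HOLE_PASS_AUTHORIZATION exposes in HTTP_AUTHORIZATION.

    Returns (username, password) or None. Covers the cases a CGI script will
    actually meet: header missing, scheme other than Basic, invalid base64,
    payload without ':' and a password that itself contains ':' (Basic auth
    splits on the first colon only, so the password may contain more).
    """
    if not header:
        return None
    parts = header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        decoded = raw.decode("latin-1")  # RFC 2617 does not fix a charset
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def db_identity_for_request(environ, pseudo_user="webapp"):
    """The design Jan recommends instead of replaying the user's password.

    Apache has already authenticated the user, so the script connects as one
    fixed pseudo-user (assumed name "webapp") and carries REMOTE_USER along
    only as the application-level identity for authorization inside the
    database. Nothing secret ends up on a command line where 'ps -e' shows it.
    Returns (db_user, remote_user), or None when Apache did not authenticate
    the request (no AUTH_TYPE / REMOTE_USER); a script should treat that as a
    misconfiguration rather than fall back to the pseudo-user.
    """
    if not environ.get("AUTH_TYPE") or not environ.get("REMOTE_USER"):
        return None
    return pseudo_user, environ["REMOTE_USER"]


# Constructed CGI environment for a request Apache authenticated as "alice"
# with the password "s3cr:et" (note the colon inside the password).
CONSTRUCTED_ENVIRON = {
    "AUTH_TYPE": "Basic",
    "REMOTE_USER": "alice",
    "HTTP_AUTHORIZATION": "Basic YWxpY2U6czNjcjpldA==",
}


if __name__ == "__main__":
    # What the hole exposes: the cleartext password, decodable by any CGI.
    print(parse_basic_authorization(CONSTRUCTED_ENVIRON["HTTP_AUTHORIZATION"]))
    # What the script should use instead: a fixed db account plus REMOTE_USER.
    print(db_identity_for_request(CONSTRUCTED_ENVIRON))
```

The parser returns None rather than raising so that a CGI can fall through to a clean 401/500 instead of echoing a decoding error (and possibly the header) back to the browser; the second function makes the point of Jan's last paragraph concrete, in that a script which already has REMOTE_USER has no need for the password at all.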