Re: [ADMIN] Apache authentication & PostgreSQL - Mailing list pgsql-sql

From wieck@debis.com (Jan Wieck)
Subject Re: [ADMIN] Apache authentication & PostgreSQL
Date
Msg-id m10sO4m-0003kGC@orion.SAPserv.Hamburg.dsh.de
In response to Apache authentication & PostgreSQL  (Fomichev Michael <fomichev@null.ru>)
Responses Re: [ADMIN] Apache authentication & PostgreSQL
List pgsql-sql
Fomichev Mikhail wrote:

> Hi, all!
> I'm trying to show data from the PostgreSQL database on a Web page,
> using WWW-SQL. I want the users to get access to the database from their
> browsers under their own names. To achieve this I configured Apache so
> that it authenticates a user when the user enters the directory with
> CGI scripts. I'd like the name and the password of the user who has
> been authenticated to be used in the CGI script for access to the
> database.
> I can get the user's name via the environment variable $REMOTE_USER, which is
> set by Apache.
>
> Now the question: is it possible to get the password which the user
> entered during authentication?
>
> I know one solution. But it requires hacking of Apache.

    Generally it's not such a bad idea to tell which version of
    Apache you're using.

    Anyway, if you have a 1.3.3, you must compile it with

        -D SECURITY_HOLE_PASS_AUTHORIZATION

    In that case, Apache will set an environment variable
    HTTP_AUTHORIZATION whenever it sets AUTH_TYPE. That is,
    whenever a CGI is accessed that is protected by a require
    directive, so you need username/password to get it.

    The variable HTTP_AUTHORIZATION contains the auth type and,
    for "Basic" authentication, "username:password" base64-encoded.

    As the define clearly states, it's a security hole. If users
    are allowed to use self-made CGIs in their home pages, these
    can potentially steal passwords. And users might also steal
    passwords using 'ps -e'.

    Thus, having the username:password passed down into the CGI
    script is really only a last resort. In general your CGI
    scripts should use a pseudo user to contact the database. If
    someone can call a CGI script but should not have the db
    access permissions required therein, something's wrong with
    the entire design - back to the drawing board. If the user is
    already authenticated by Apache, why let PostgreSQL check the
    password again?


Jan

--

#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#========================================= wieck@debis.com (Jan Wieck) #
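The following is an added example (not code from this thread or from Apache or PostgreSQL) that makes both halves of Jan's reply concrete: first, what any CGI script sees once Apache is built with `-D SECURITY_HOLE_PASS_AUTHORIZATION`, namely an `HTTP_AUTHORIZATION` value whose Basic credentials are only base64-encoded and therefore trivially recoverable by anything that can read the process environment; second, the design he recommends instead, where the script trusts `REMOTE_USER` for identity and connects to the database as a fixed pseudo user. The sample environment, the pseudo user name `www_cgi` and the function names are constructed for this illustration.

```python
import base64
import binascii


def parse_basic_authorization(header):
    """Decode an HTTP Basic Authorization value into (user, password).

    Returns None when the value is missing, is not the Basic scheme,
    is not valid base64, or lacks the "user:password" separator.
    The point of this function is defensive: it shows that the
    HTTP_AUTHORIZATION variable Apache exports under
    SECURITY_HOLE_PASS_AUTHORIZATION is not protected in any way,
    so every CGI in the server's scope can recover the password.
    """
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        # validate=True rejects anything outside the base64 alphabet
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def leaks_credentials(environ):
    """Check a CGI environment for an exported Basic credential.

    True means a plaintext-equivalent password is sitting in the
    environment of this process (and is visible to anything that can
    read it, as Jan notes for 'ps -e').
    """
    return parse_basic_authorization(environ.get("HTTP_AUTHORIZATION")) is not None


def db_identity_for_request(environ, pseudo_user="www_cgi"):
    """The recommended pattern: identity from REMOTE_USER, database
    access through a fixed pseudo user, HTTP_AUTHORIZATION never read.

    Returns None when Apache did not authenticate the request, so the
    script can refuse instead of guessing.
    """
    remote_user = environ.get("REMOTE_USER")
    if not remote_user:
        return None
    # The application user is recorded for authorization / auditing in
    # the script; the PostgreSQL connection itself uses pseudo_user.
    return {"app_user": remote_user, "db_user": pseudo_user}


# Constructed sample of what Apache would export for a Basic-protected
# CGI when built with -D SECURITY_HOLE_PASS_AUTHORIZATION (not captured
# from a real server).
SAMPLE_ENV = {
    "AUTH_TYPE": "Basic",
    "REMOTE_USER": "alice",
    "HTTP_AUTHORIZATION": "Basic " + base64.b64encode(b"alice:s3cret").decode(),
}

# Same request as seen by a server built without the define: only the
# identity is exported, the password is not.
SAFE_ENV = {
    "AUTH_TYPE": "Basic",
    "REMOTE_USER": "alice",
}


if __name__ == "__main__":
    print("leaks credentials:", leaks_credentials(SAMPLE_ENV))   # True
    print("recovered:", parse_basic_authorization(SAMPLE_ENV["HTTP_AUTHORIZATION"]))
    print("safe build leaks:", leaks_credentials(SAFE_ENV))       # False
    print("db identity:", db_identity_for_request(SAFE_ENV))
```

`leaks_credentials` is the check a practitioner can drop into a CGI during an audit to confirm whether the server was built with the define; `db_identity_for_request` is the shape a script takes when it follows the advice above, since it works identically in both environments and never depends on the password being present.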
