Thread: Apache authentication & PostgreSQL

Apache authentication & PostgreSQL

From
Fomichev Michael
Date:
Hi, all !
I'm trying to show data from the PostgreSQL database to the Web page,
using WWW-SQL. I want the users to get an access to the database from the
browsers under their own names. To achieve this I configured Apache so
that it would authenticate a user when the user enters the directory with
CGI-scripts. I'd like that the name and the password of the user having
been authenticated, will be used in CGI-script for the access to the
database.
I can get the user's name via environment variable $REMOTE_USER, which is
set by Apache.

Now the question: is it possible to get the password, which the user has
entered by the authentication ?

I know one solution. But it requires hacking of Apache.

Thanks for any suggestions.

@------------------+-----------------------------------------------@
| Fomichev Mikhail | The Government of Kamchatka region.           |
| Vladimirovich    | The Labour and Social Development Department. |
|<fomichev@null.ru>|                                               |
@------------------+-----------------------------------------------@



Re: [SQL] Apache authentication & PostgreSQL

From
Remigiusz Sokolowski
Date:
> Hi, all !
> I'm trying to show data from the PostgreSQL database to the Web page,
> using WWW-SQL. I want the users to get an access to the database from the
> browsers under their own names. To achieve this I configured Apache so
> that it would authenticate a user when the user enters the directory with
> CGI-scripts. I'd like that the name and the password of the user having
> been authenticated, will be used in CGI-script for the access to the
> database.
> I can get the user's name via environment variable $REMOTE_USER, which is
> set by Apache.
> 
> Now the question: is it possible to get the password, which the user has
> entered by the authentication ?
> 
> I know one solution. But it requires hacking of Apache.
> 
> Thanks for any suggestions.

I'm not a good guy at programming, so my advice is rather simple
- try to do it using php (You need to compile it as an Apache module with
Postgres support) - there is then a very nice way to get the user password
and login.
If You do it this way I can give You some tips or examples of code in php

Rem

-------------------------------------------------------------------*------------
Remigiusz Sokolowski      e-mail: rems@gdansk.sprint.pl           * *        
-----------------------------------------------------------------*****----------



RE: [SQL] Apache authentication & PostgreSQL

From
Volker Hess
Date:
On 11-Jun-99 Fomichev Michael wrote:
> Hi, all !
> I'm trying to show data from the PostgreSQL database to the Web page,
> using WWW-SQL. I want the users to get an access to the database from the
> browsers under their own names. To achieve this I configured Apache so
> that it would authenticate a user when the user enters the directory with
> CGI-scripts. I'd like that the name and the password of the user having
> been authenticated, will be used in CGI-script for the access to the
> database.
> I can get the user's name via environment variable $REMOTE_USER, which is
> set by Apache.
> 
> Now the question: is it possible to get the password, which the user has
> entered by the authentication ?
> 
> I know one solution. But it requires hacking of Apache.
> 
> Thanks for any suggestions.
> 
Perhaps try to use mod_perl with Apache::AuthenDBI and Apache::Authz ?!

Ciao...
--
E-Mail: Volker Hess <Volker.Hess@avmz.uni-siegen.de> 
Uni-GH Siegen . Medienzentrum
57068 Siegen
MZ:     http://www.avmz.uni-siegen.de/    - SINFO:     http:/www.uni-siegen.de/
MEDIAS: http://medias.avmz.uni-siegen.de/ - UNI-MEDIA: http://www.uni-media.de/



Re: [ADMIN] Apache authentication & PostgreSQL

From
Giuseppe Tanzilli
Date:
Hello,
try to use the apache/postgresql authentication module
ftp://ftp.eurolink.it/pub/linux/postgreSQL

bye

Fomichev Michael wrote:

> Hi, all !
> I'm trying to show data from the PostgreSQL database to the Web page,
> using WWW-SQL. I want the users to get an access to the database from the
> browsers under their own names. To achieve this I configured Apache so
> that it would authenticate a user when the user enters the directory with
> CGI-scripts. I'd like that the name and the password of the user having
> been authenticated, will be used in CGI-script for the access to the
> database.
> I can get the user's name via environment variable $REMOTE_USER, which is
> set by Apache.
>
> Now the question: is it possible to get the password, which the user has
> entered by the authentication ?
>
> I know one solution. But it requires hacking of Apache.
>
> Thanks for any suggestions.
>
> @------------------+-----------------------------------------------@
> | Fomichev Mikhail | The Government of Kamchatka region.           |
> | Vladimirovich    | The Labour and Social Development Department. |
> |<fomichev@null.ru>|                                               |
> @------------------+-----------------------------------------------@

--
-------------------------------------------------------------------
Giuseppe Tanzilli               Flashnet S.p.A. Telecomunicazioni
mailto:g.tanzilli@flashnet.it   Sede di Frosinone
Eurolink S.r.l.                 mailto:info.frosinone@flashnet.it
Tel:+39-0775-830012             http://www.flashnet.it
Fax: +39-0775-201321            EUnet BusinessPartner
http://www.eurolink.it          AIIP and ANFOV associated
PGP Key: finger giuseppe@king.fr.flashnet.it
-------------------------------------------------------------------




Re: [ADMIN] Apache authentication & PostgreSQL

From
wieck@debis.com (Jan Wieck)
Date:
Fomichev Mikhail wrote:

> Hi, all !
> I'm trying to show data from the PostgreSQL database to the Web page,
> using WWW-SQL. I want the users to get an access to the database from the
> browsers under their own names. To achieve this I configured Apache so
> that it would authenticate a user when the user enters the directory with
> CGI-scripts. I'd like that the name and the password of the user having
> been authenticated, will be used in CGI-script for the access to the
> database.
> I can get the user's name via environment variable $REMOTE_USER, which is
> set by Apache.
>
> Now the question: is it possible to get the password, which the user has
> entered by the authentication ?
>
> I know one solution. But it requires hacking of Apache.

    Generally  it's  not such a bad idea to tell which version of
    Apache you're using.

    Anyway, if you have a 1.3.3, you must compile it with

        -D SECURITY_HOLE_PASS_AUTHORIZATION

    In  that  case,  Apache  will  set  an  environment  variable
    HTTP_AUTHORIZATION  whenever  it  sets  AUTH_TYPE.  That  is,
    whenever a cgi is accessed that is  protected  by  a  require
    directive so you need username/password to get it.

    The  variable  HTTP_AUTHORIZATION  contains the auth type and
    for "Basic" authentication "username:password" b64 encoded.

    As the define clearly states, it's a security hole.  If users
    are  allowed  to  use selfmade cgi's in their homepage, these
    can potentially steal passwords. And users might  also  steal
    passwords using 'ps -e'.

    Thus,  having  the username:password passed down into the cgi
    script is really only a last  resort.  In  general  your  CGI
    scripts  should use a pseudo user to contact the database. If
    someone can call a CGI script but  should  not  have  the  db
    access  permissions  required therein, something's wrong with
    the entire design - back to drawing board.  If  the  user  is
    already authenticated by Apache, why let PostgreSQL check the
    password again?


Jan

--

#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#========================================= wieck@debis.com (Jan Wieck) #
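
An added example, not part of the original thread, showing what a CGI process can read from its environment with and without HTTP_AUTHORIZATION set: "Basic" credentials are only base64-encoded, so the password is recoverable in cleartext. The function names and the sample credentials are constructed for illustration.

```python
import base64

def parse_http_authorization(value):
    """Return (scheme, user, password); user/password are None unless Basic."""
    scheme, _, blob = value.strip().partition(" ")
    if not scheme:
        raise ValueError("empty Authorization value")
    if scheme.lower() != "basic":
        return scheme, None, None
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("Basic credentials are not valid base64") from exc
    # Only the first ':' separates the fields; the password may contain more.
    user, sep, password = raw.decode("utf-8", "replace").partition(":")
    if not sep:
        raise ValueError("Basic credentials lack the ':' separator")
    return scheme, user, password

def cgi_view(environ):
    """What a CGI process learns about the caller from its environment."""
    view = {"auth_type": environ.get("AUTH_TYPE"),
            "user": environ.get("REMOTE_USER"),
            "password": None}
    header = environ.get("HTTP_AUTHORIZATION")
    if header:
        view["password"] = parse_http_authorization(header)[2]
    return view

# Constructed sample credentials, not taken from the thread.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:pa:ss").decode("ascii")
# Environment of a protected CGI under a default build.
ENV_DEFAULT = {"AUTH_TYPE": "Basic", "REMOTE_USER": "alice"}
# Same request when the server passes the Authorization header down.
ENV_PASSED = dict(ENV_DEFAULT, HTTP_AUTHORIZATION=SAMPLE_HEADER)

if __name__ == "__main__":
    print(cgi_view(ENV_DEFAULT))
    print(cgi_view(ENV_PASSED))
```
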

Re: [ADMIN] Apache authentication & PostgreSQL

From
Fomichev Michael
Date:

On Fri, 11 Jun 1999, Jan Wieck wrote:

> Fomichev Mikhail wrote:
> 
> > Hi, all !
> > I'm trying to show data from the PostgreSQL database to the Web page,
> > using WWW-SQL. I want the users to get an access to the database from the
> > browsers under their own names. To achieve this I configured Apache so
> > that it would authenticate a user when the user enters the directory with
> > CGI-scripts. I'd like that the name and the password of the user having
> > been authenticated, will be used in CGI-script for the access to the
> > database.
> > I can get the user's name via environment variable $REMOTE_USER, which is
> > set by Apache.
> >
> > Now the question: is it possible to get the password, which the user has
> > entered by the authentication ?
> >
> > I know one solution. But it requires hacking of Apache.
> 
>     Generally  it's  not such a bad idea to tell which version of
>     Apache you're using.
> 
I'm using 1.3.3 version.

>     Anyway, if you have a 1.3.3, you must compile it with
> 
>         -D SECURITY_HOLE_PASS_AUTHORIZATION
> 
>     In  that  case,  Apache  will  set  an  environment  variable
>     HTTP_AUTHORIZATION  whenever  it  sets  AUTH_TYPE.  That  is,
>     whenever a cgi is accessed that is  protected  by  a  require
>     directive so you need username/password to get it.
> 
>     The  variable  HTTP_AUTHORIZATION  contains the auth type and
>     for "Basic" authentication "username:password" b64 encoded.
> 
>     As the define clearly states, it's a security hole.  If users
>     are  allowed  to  use selfmade cgi's in their homepage, these
>     can potentially steal passwords. And users might  also  steal
>     passwords using 'ps -e'.
> 
>     Thus,  having  the username:password passed down into the cgi
>     script is really only a last  resort.  In  general  your  CGI
>     scripts  should use a pseudo user to contact the database. If
>     someone can call a CGI script but  should  not  have  the  db
>     access  permissions  required therein, something's wrong with
>     the entire design - back to drawing board.  If  the  user  is
>     already authenticated by Apache, why let PostgreSQL check the
>     password again?
> 
I want to give different access rights to the database for different
users (for select, for update, etc.). I can't do this using a pseudo user
to contact the database. In CGI script I can connect to the database with 
another username/password than a pseudo user, but I don't know the 
password of authenticated user. Maybe there is another way to do this ?



Re: [SQL] Re: [ADMIN] Apache authentication & PostgreSQL

From
Christophe Labouisse
Date:
Fomichev Michael <fomichev@null.ru> writes:

> I want to give different access rights to the database for different
> users (for select, for update, etc.). I can't do this using a pseudo user
> to contact the database. In CGI script I can connect to the database with 
> another username/password than a pseudo user, but I don't know the 
> password of authenticated user. Maybe there is another way to do this ?

Do you really need to set up password on the database level? As Jan
told you since an authentication is made on the apache level you
know when your CGI is executed that the user entered the right
password so you can create on the database level the same users you
use in apache but with no passwd or with dummy passwords.


-- 
Christophe Labouisse : Cinéma, typographie, Unix
christophe.labouisse@dial.oleane.com http://www.multimania.com/gabuzo/
Le cinéma en Lumière : http://www.lumiere.org/
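
An added example, not part of the original thread, of the design suggested above: the CGI connects as the database user named in REMOTE_USER without any password, and refuses to build a connection string when the request did not pass Apache authentication. The database name, the role-name pattern and the list of forbidden roles are assumptions.

```python
import re

# Assumption: role names are lowercase identifiers; anything else is refused.
ROLE_RE = re.compile(r"[a-z_][a-z0-9_]{0,62}")
# Assumption: accounts that must never be reachable from the web tier.
FORBIDDEN_ROLES = {"postgres"}

class NotAuthenticated(Exception):
    """The request carries no usable Apache-authenticated identity."""

def quote_conninfo(value):
    """Quote a value for a libpq keyword=value connection string."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def conninfo_for_request(environ, dbname="webdata"):
    """Build a password-less conninfo string for the Apache-authenticated user."""
    # AUTH_TYPE is only set when the script sits behind a require directive,
    # so its absence means the script was reached through an unprotected path.
    if not environ.get("AUTH_TYPE"):
        raise NotAuthenticated("script was reached without Apache authentication")
    user = environ.get("REMOTE_USER", "")
    if not ROLE_RE.fullmatch(user) or user in FORBIDDEN_ROLES:
        raise NotAuthenticated("REMOTE_USER is not an allowed database role")
    return "dbname=%s user=%s" % (quote_conninfo(dbname), quote_conninfo(user))

# Constructed CGI environments for illustration.
ENV_OK = {"AUTH_TYPE": "Basic", "REMOTE_USER": "alice"}
ENV_UNPROTECTED = {"REMOTE_USER": "alice"}
ENV_ODD_NAME = {"AUTH_TYPE": "Basic", "REMOTE_USER": "bob smith'"}

if __name__ == "__main__":
    print(conninfo_for_request(ENV_OK))
    for env in (ENV_UNPROTECTED, ENV_ODD_NAME):
        try:
            conninfo_for_request(env)
        except NotAuthenticated as exc:
            print("refused:", exc)
```

With this design the web server is the only authenticator, so the database should accept these password-less logins from the web server host alone, and each role should hold only the SELECT or UPDATE rights that user needs.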