Re: [ADMIN] Apache authentication & PostgreSQL
| From | Fomichev Michael |
|---|---|
| Subject | Re: [ADMIN] Apache authentication & PostgreSQL |
| Date | |
| Msg-id | Pine.LNX.4.04.9906151428400.3031-100000@ns.region.utsr |
| In response to | Re: [ADMIN] Apache authentication & PostgreSQL (wieck@debis.com (Jan Wieck)) |
| List | pgsql-sql |
On Fri, 11 Jun 1999, Jan Wieck wrote:

> Fomichev Mikhail wrote:
>
> > Hi, all!
> > I'm trying to show data from the PostgreSQL database on a Web page,
> > using WWW-SQL. I want the users to get access to the database from their
> > browsers under their own names. To achieve this I configured Apache so
> > that it would authenticate a user when the user enters the directory with
> > CGI-scripts. I'd like the name and the password of the authenticated
> > user to be used in the CGI-script for access to the database.
> > I can get the user's name via the environment variable $REMOTE_USER, which is
> > set by Apache.
> >
> > Now the question: is it possible to get the password which the user has
> > entered during authentication?
> >
> > I know one solution. But it requires hacking Apache.
>
> Generally it's not such a bad idea to tell which version of
> Apache you're using.
>

I'm using version 1.3.3.

> Anyway, if you have 1.3.3, you must compile it with
>
>     -D SECURITY_HOLE_PASS_AUTHORIZATION
>
> In that case, Apache will set an environment variable
> HTTP_AUTHORIZATION whenever it sets AUTH_TYPE. That is,
> whenever a cgi is accessed that is protected by a require
> directive so you need username/password to get it.
>
> The variable HTTP_AUTHORIZATION contains the auth type and,
> for "Basic" authentication, "username:password" b64 encoded.
>
> As the define clearly states, it's a security hole. If users
> are allowed to use self-made CGIs in their homepage, these
> can potentially steal passwords. And users might also steal
> passwords using 'ps -e'.
>
> Thus, having the username:password passed down into the cgi
> script is really only a last resort. In general your CGI
> scripts should use a pseudo user to contact the database. If
> someone can call a CGI script but should not have the db
> access permissions required therein, something's wrong with
> the entire design - back to the drawing board. If the user is
> already authenticated by Apache, why let PostgreSQL check the
> password again?
>

I want to give different access rights to the database to different users
(for select, for update, etc.). I can't do this using a pseudo user to
contact the database. In the CGI script I can connect to the database with
a username/password other than the pseudo user's, but I don't know the
password of the authenticated user. Maybe there is another way to do this?
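As an added illustration (not code from this thread or from Apache/WWW-SQL): a small Python check a CGI author can run to tell whether the server was built with the SECURITY_HOLE_PASS_AUTHORIZATION define Jan describes, and to read only the username out of the "Basic" header format he gives, discarding the password half. The environment dictionaries and the credentials inside them are constructed sample values.

```python
import base64
import binascii
import os

# Constructed sample CGI environments. Per the thread, AUTH_TYPE and
# REMOTE_USER are set for any script behind a 'require' directive;
# HTTP_AUTHORIZATION appears only when Apache 1.3.3 was compiled with
# -D SECURITY_HOLE_PASS_AUTHORIZATION.
SAMPLE_ENV_LEAKY = {
    "AUTH_TYPE": "Basic",
    "REMOTE_USER": "mikhail",
    # base64 of the constructed pair "mikhail:s3cret"
    "HTTP_AUTHORIZATION": "Basic bWlraGFpbDpzM2NyZXQ=",
}
SAMPLE_ENV_SAFE = {"AUTH_TYPE": "Basic", "REMOTE_USER": "mikhail"}


def credentials_leaked(env):
    """True if Apache passed the raw Authorization header to the CGI.

    That is exactly the condition the define creates: the secret is then
    readable by every CGI on the host and via the process environment.
    """
    return "AUTH_TYPE" in env and "HTTP_AUTHORIZATION" in env


def basic_auth_user(header_value):
    """Return the username from a 'Basic <b64(user:password)>' value.

    The password is deliberately dropped: a CGI that only needs to know
    *who* authenticated should never retain it. Returns None for anything
    that is not well-formed Basic auth.
    """
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep and user else None


def audit_cgi_env(env=None):
    """Report what this CGI can learn about the caller, and whether the
    password is exposed to it. Defaults to the real process environment."""
    env = os.environ if env is None else env
    exposed = credentials_leaked(env)
    header_user = basic_auth_user(env["HTTP_AUTHORIZATION"]) if exposed else None
    return {"remote_user": env.get("REMOTE_USER"),
            "password_exposed": exposed, "header_user": header_user}
```

Run `audit_cgi_env()` from inside a protected script: a `password_exposed` of True means the server is built with the hole and the pseudo-user design Jan recommends is the safer route.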