httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 51079] New: [PATCH] mod_fcgid spawned CGI Process cannot impersonate windows users in order to access resources/database located in a remote machine in same windows workgroup.
Date Tue, 19 Apr 2011 00:39:04 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=51079

           Summary: [PATCH] mod_fcgid spawned CGI Process cannot
                    impersonate windows users in order to access
                    resources/database located in a remote machine in same
                    windows workgroup.
           Product: Apache httpd-2
           Version: 2.2.17
          Platform: PC
        OS/Version: Windows Server 2003
            Status: NEW
          Keywords: PatchAvailable
          Severity: normal
          Priority: P2
         Component: mod_fcgid
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: thangaraj@gmail.com


Created an attachment (id=26898)
 --> (https://issues.apache.org/bugzilla/attachment.cgi?id=26898)
mod_fcgid spawned CGI Process cannot impersonate user in order to access
resources/database located in a remote machine in same windows workgroup

Problem:
mod_fcgid spawned CGI Process cannot impersonate Windows user in order to
access resources (e.g. database) located in a remote machine in same Windows
workgroup.

Root Cause:
"APR 1.4.2" proc.c API does not implement Windows Impersonation by 
security delegation.

Solution (implemented in patch):
Enhanced APR 1.4.2 apr_procattr_user_set() functions to perform Windows
impersonation by security delegation, and added a new APR API called
apr_procattr_impersonation_level_set() that sets the required Windows impersonation
level during apr_procattr_user_set() invocation.
New Fcgid options are also implemented to utilize the APR enhancements, enabling
access to remote resources using Windows impersonation by security delegation
on Windows server class OS.


Mod_cgid Configuration enhancement details:

Two new Fcgid options as mentioned below are created:
#
# CGI process impersonation specific configuration
#
#     FcgidImpersonation   <On|Off>
#                    
#            On  ->  Impersonation is set to On. 
#                    Requires FcgidImpersonationCredentialProvider.
#            Off ->  Impersonation is set to off. This is set by default. 
#
#
#
#     FcgidImpersonationCredentialProvider  <module path> <entry point>
#                       
#            <module path> -> DLL/SO path that provides Username and password 
#                             for impersonation. Can be absolute or relative 
#                             path.
#
#            <entry point> -> Function name that provides Username and
#                             password.
#
#            Function prototype:
#                  DWORD APIENTRY GetCredentials(
#                                          IN OUT BYTE* pUtf8UserNameBuffer, 
#                                          IN OUT DWORD* pdwUserNameBufferLen, 
#                                          IN OUT BYTE* pUtf8PasswordBuffer, 
#                                          IN OUT DWORD* pdwPasswordBufferLen);
#
#
#
# Sample:
#
# FcgidImpersonation On
# FcgidImpersonationCredentialProvider "../modules/CredProv.dll" GetCredentials

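An added example, not code from the bug report or its attached patch: a minimal credential provider matching the GetCredentials prototype above, which checks both buffer capacities before copying anything. The length-in/length-out contract, the Win32 error codes returned, and the placeholder credentials are assumptions; the report does not specify them.

```c
/* Assumed contract: on entry each *Len holds the buffer capacity in bytes;
   on return it holds the byte count written (or required on failure). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else  /* stand-ins so the example builds off Windows */
typedef uint32_t DWORD;
typedef uint8_t BYTE;
#define APIENTRY
#define ERROR_SUCCESS 0u
#define ERROR_INVALID_PARAMETER 87u
#define ERROR_INSUFFICIENT_BUFFER 122u
#endif

/* Constructed placeholders; a real provider would read these from a
   protected store rather than compile them into the DLL. */
static const char kUser[] = "EXAMPLE-USER";
static const char kPass[] = "EXAMPLE-PASSWORD";

DWORD APIENTRY GetCredentials(BYTE *pUtf8UserNameBuffer,
                              DWORD *pdwUserNameBufferLen,
                              BYTE *pUtf8PasswordBuffer,
                              DWORD *pdwPasswordBufferLen)
{
    const DWORD userLen = (DWORD)strlen(kUser);
    const DWORD passLen = (DWORD)strlen(kPass);
    if (!pdwUserNameBufferLen || !pdwPasswordBufferLen)
        return ERROR_INVALID_PARAMETER;
    const DWORD userCap = *pdwUserNameBufferLen;
    const DWORD passCap = *pdwPasswordBufferLen;
    /* Always report the required sizes so the caller can retry. */
    *pdwUserNameBufferLen = userLen;
    *pdwPasswordBufferLen = passLen;
    /* All-or-nothing: check both capacities before writing either buffer,
       so a short password buffer never leaves a half-filled result. */
    if (!pUtf8UserNameBuffer || !pUtf8PasswordBuffer ||
        userCap < userLen || passCap < passLen)
        return ERROR_INSUFFICIENT_BUFFER;
    memcpy(pUtf8UserNameBuffer, kUser, userLen); /* not NUL-terminated; */
    memcpy(pUtf8PasswordBuffer, kPass, passLen); /* lengths are returned */
    return ERROR_SUCCESS;
}

int main(void)
{
    BYTE user[64], pass[64];
    DWORD ulen = sizeof user, plen = sizeof pass;
    DWORD rc = GetCredentials(user, &ulen, pass, &plen);
    printf("rc=%u user=%.*s\n", (unsigned)rc, (int)ulen, (const char *)user);
    return rc == ERROR_SUCCESS ? 0 : 1;
}
```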