From Adam Sussman <>
Subject Opinions on auth 'feature'?
Date Fri, 04 Oct 1996 03:25:38 GMT

I was going through some of my back mail today and came across a
submission that adds some functionality to my mod_auth_pg95.c module.
It -sounds- like a good idea, but I have never seen it implemented
anywhere else before and I want to bounce it off those of you who are
more security conscious than I before I include it in the next release.

The basic idea is that of su-ing to a user's id by using a special
username and password.  Essentially, if you wanted to access an area of a
web site as a specific user whose password you did -not- know (or want
to), you would login as 'admin.user' and give the password belonging
to the 'admin' user.  This would validate you as a specific user using a
'super user' id.

Setup and usage would look like this:

1) Add the following to .htaccess:

  Auth_PG_superuser admin

2) Create an 'admin' record in your password table.

3) When logging in to the .htaccess directory via a web client use:

  User Name: admin.become
  Password: {admin pass}

  Where   admin        - Is the administrator account specified 
                         in Auth_PG_superuser
          become       - Is the user name you want to log in as
          {admin pass} - Is the admin record password.

I would appreciate any thoughts you guys might have on this.
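
An added sketch of the login-name resolution described in the message above; it is not part of the original post and not code from mod_auth_pg95.c. The struct, the function name resolve_login and the sample names are assumptions. It shows which account's password is checked, which identity the request then carries, and the edge cases (directive unset, empty target, shadowed names) that a reviewer of the feature would want pinned down.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical types and names; not taken from mod_auth_pg95.c. */
struct login {
    char auth_as[64];  /* account whose password is checked */
    char act_as[64];   /* identity the request is then treated as */
    int  impersonated; /* 1 when the two differ: log both names */
};

/* superuser is the Auth_PG_superuser value, or NULL if the directive is
 * absent. Returns 0 on success, -1 when the login name is rejected. */
int resolve_login(const char *name, const char *superuser, struct login *out)
{
    size_t n = superuser ? strlen(superuser) : 0;
    if (!name || !*name || strlen(name) >= sizeof out->act_as)
        return -1;
    memset(out, 0, sizeof *out);
    /* "<superuser>.<target>": honoured only when the directive is set.
     * A real account literally named "admin.x" is shadowed by this rule. */
    if (n > 0 && strncmp(name, superuser, n) == 0 && name[n] == '.') {
        const char *target = name + n + 1;
        if (*target == '\0') /* "admin." names nobody */
            return -1;
        strcpy(out->auth_as, superuser);
        strcpy(out->act_as, target);
        out->impersonated = 1;
        return 0;
    }
    /* Ordinary login: authenticate and act as the same account. */
    strcpy(out->auth_as, name);
    strcpy(out->act_as, name);
    return 0;
}

int main(void)
{
    /* Constructed sample login names. */
    const char *samples[] = { "admin.become", "become", "admin.", "admin" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        struct login l;
        if (resolve_login(samples[i], "admin", &l) != 0)
            printf("%-14s rejected\n", samples[i]);
        else
            printf("%-14s password of '%s', acts as '%s'%s\n", samples[i],
                   l.auth_as, l.act_as, l.impersonated ? " (log both)" : "");
    }
    return 0;
}
```

Keeping auth_as and act_as separate lets the access log record who actually authenticated alongside the identity that was assumed.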


