httpd-dev mailing list archives

From Graham Leggett <>
Subject Re: Passing passwords to CGI
Date Wed, 04 Aug 1999 13:49:11 GMT
Dirk-Willem van Gulik wrote:

> I think that the point is; it is potentially bad on a multi user system
> where you might not trust all and everyone, to let the password enter
> the less controlled cgi/ssi etc environment.

I agree, yes - but at the same time it stops CGIs that need the password
from being able to work. It's not hard to design this so that the CGIs
that get the password are specifically listed in a config file. This
would only be enabled where necessary, and this "hole" would only be
introduced specifically by the administrator, just like the compile

> Once you are convinced that you need it in that environment, and that it
> is a good tradeoff you can as well recompile with the GAPING-BIG-SECURITY
> hole settings.
> IMHO Your POST is just a work around the fact that you have to re-compile.

True, yes, but also to prevent passwords being picked up by ps -e by
people on the box.

-----------------------------------------		"There's a moon
					over Bourbon Street
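
The design discussed in this message (a config-listed set of CGIs that receive the password, delivered outside the process environment), as an added example that is not part of the original post and not Apache code. The allowlist contents, the `REMOTE_PASSWORD` variable name, and the stand-in CGI are hypothetical, constructed for illustration.

```python
import json
import os
import subprocess
import sys

# Hypothetical config: the administrator lists each CGI allowed to get the password.
PASSWORD_CGIS = {"/cgi-bin/change-password"}

# Constructed stand-in for a CGI program; it reports where a password reached it.
CHILD = r'''
import json, os, sys
line = sys.stdin.readline().rstrip("\n")
print(json.dumps({"env": "REMOTE_PASSWORD" in os.environ, "stdin": bool(line)}))
'''


def run_cgi(script, user, password, via_env=False):
    """Run the stand-in CGI for `script` and return its report as a dict."""
    env = dict(os.environ, REMOTE_USER=user, SCRIPT_NAME=script)
    env.pop("REMOTE_PASSWORD", None)
    body = "\n"  # unlisted scripts get an empty line, never the password
    if script in PASSWORD_CGIS:
        if via_env:
            # Environment route (REMOTE_PASSWORD is a hypothetical name): the
            # value sits in the process environment, the ps exposure in the message.
            env["REMOTE_PASSWORD"] = password
        else:
            # Pipe route: the password travels on stdin, as a POST body would.
            body = password + "\n"
    proc = subprocess.run([sys.executable, "-c", CHILD], input=body, env=env,
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    for script in ("/cgi-bin/change-password", "/cgi-bin/guestbook"):
        for via_env in (False, True):
            print(script, "via_env=%s" % via_env, run_cgi(script, "alice", "s3cret", via_env))
```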
