httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Graham Leggett <minf...@sharp.fm>
Subject Re: Passing passwords to CGI
Date Thu, 05 Aug 1999 09:46:39 GMT
Dirk-Willem van Gulik wrote:

> I fear that by the time you allow something spawned from apache to get at
> the password, be it by and env() variable, or on the STDIN, in either case
> you have already a hole so big that you _have_ to trust esentially all
> users which can enter commands.

I agree that there are security issues, but the problem is that because
there is no way of getting passwords out of Apache safely, CGIs must
resort to cookies (which are passed via the environment), or tacked onto
the URI (which are passed in the environment) to solve the problem -
both of which are unsafe techniques.

This doesn't however remove the need for some CGIs in some installations
from knowing the password. It should be ensure that it's possible for a
CGI to get the password where it should, but it should be impossible for
a password to be retrieved by either a rogue CGI or a normal user on the
box.

The lack of a password passing mechanism also introduces a greater
security risk, because it means I must bind to my LDAP or other database
with "system" priveledges built into the CGI, which could be compromised
in the case of a system bug, or a user read access to the CGI.

> I just think that the problem it is not worth such a hacky trick; a normal
> directive is about as far as I would go.

The suggestion that extra "private" information be included after the
POST data seems to sound quite good. This information would only be sent
to CGIs or CGI directories specifically defined in the httpd.conf file,
which is under administrator control anyway.

By default, the behavior would be switched off, so default and existing
systems would not be compromised by the new addition. It could be
enabled only via a directive actively put there by an admin who would be
warned in the docs and config file about the consequences of what they
were doing.

Regards,
Graham
-- 
-----------------------------------------
minfrin@sharp.fm		"There's a moon
					over Bourbon Street
						tonight...

Mime
View raw message