[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Q]: WWW authentication



Hi,

> 1. I've created a directory /home/httpd/cgi-priv
> 2. Introduced it to srm.conf:
> 
>    ScriptAlias /cgi-priv/ /home/httpd/cgi-priv/
> 
> 3. Put the following directives into access.conf:
> 
>    <Directory /home/httpd/cgi-priv>
>    AllowOverride None
>    Options ExecCGI
>    AuthType Basic
>    AuthUserFile /home/httpd/etc/cgi-priv.htpasswd
>    </Directory>
> 
> 4. Created the file /home/httpd/etc/cgi-priv.htpasswd and put a couple
>    of name:password pairs in it with 'htpasswd'.
> 5. Put the scripts in cgi-priv
> 6. Restarted the httpd.
>
>
> However, whenever I request some script from cgi-priv, the server just
> gives it to me wihout even trying to perform any kind of
> authentication.

In Apache, there is no protection mechanism for CGI directories. I can
think of a workaround:

1. Allow CGI execution from any place (probably with .cgi extension).
2. Put all your cgi-priv scripts into a regular Web directory, somewhere
under DOCUMENT_ROOT.
3. Protect this directory.

However, allowing CGI execution from any place is a potential security
hole, so it is advisable to look for a different solution.

When I write similar "protected" scripts, I do user authentication
myself. That is, when a user access a script for the first time, he is
presented with a login screen, and then authenticated users can proceed
further. User names and encrypted passwords are kept in a file similar
to .htaccess format. This is pretty simple, and I can send you Perl
example of it.
 
> And another question: I want to obtain a login name of a user running
> some script without making him enter such a name. You know, something
> analogous to the 'From:' field in SMTP... Yes, I realize it's not
> gonna be authorative and it is easy to fool the server with something
> special cooked. But still, how can I get such information?
> 
> In CGI.pm there is a method user_name() which is supposed to return
> something similar, but in my case it just returns an empty string...

There is nothing you can do about it. It is up to a browser and client
OS whether return USER_NAME or not. Besides, Windows clients usually do
not have any username, so what is there to return?

I've seen some JavaScript examples though which can grab user E-mail
address from Netscape's preferences file. This can be returned to the
server. However, I would consider this approach an intrusion on user
privacy.

You can reliably get user IP, OS, browser, sometimes host - all via CGI
variables, so your scripts may allow access based on this data. If you
are willing to go through additional trouble, you can also check user HW
address.

One more thing. If your privileged CGI programs do many different
things, there is a way for a malicious user to get around by supplying
necessary parameters on the command line instead of filling a form
supplied by the program. An easy (and good!) protection is to make use
of a new CGI variable which exists in Apache 1.3.X: UNIQUE_ID. It sets a
unique pseudo-random ID to every browser request, and this makes it easy
to track a user activities.

Hope this helps,

Andy

Dr Andy Tsouladze
Unix System Administrator
Motorola Communications Israel
mailto:andyt@mcil.comm.mot.com
mailto:andy@spl.co.il (old)
mailto:andy@environment.negev.k12.il
http://www.spl.co.il/~andy