"Mark Lavi" <[EMAIL PROTECTED]> wrote:
> 2) through the authentication module to the server environment as a
> variable or a set of variables.
> There is a document for Environment Variables in Apache (1.3x)
> <http://httpd.apache.org/docs/env.html>, which discusses high level
> usage in the server and there is Apache module mod_env
> <http://httpd.apache.org/docs/mod/mod_env.html> which would show (in
> its source code) an example of how to create and set an Apache server
> environment variable.

That scares me. Environment variables are global, and are permanent. e.g. mod_auth_radius sets environment variable FOO. If another module (or the server core) sees FOO, is it for the same request? Is it for a different request? Has FOO been sitting in the process space for days, or weeks?

In general, data from a RADIUS response packet should be associated with a particular HTTP request, NOT with an httpd process.

> The question should arise, what are the security risks in exposing the
> RADIUS attribute information to the Apache server side environment?

A lot, unless it's done carefully.

> I believe the answer is that when the attributes are exposed only on an
> accept-access packet, then we know we have an authenticated user from a
> configured (and known) authenticated resource, so there is little risk
> that this RADIUS resource is trying to attack the Apache server with
> dangerous information such as a buffer overflow, executable code, etc.
>
> Do you agree?

So long as those attributes disappear when the TCP connection goes down, yes.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
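The request-versus-process distinction raised in the reply, shown as an added example that is not part of the thread and not code from mod_auth_radius or Apache. It is a plain-C simulation of one long-lived httpd process serving two requests in a row: approach A exports a RADIUS reply attribute with `setenv()` (process-global state, the hazard described above), approach B keeps it in a small table owned by the request and released when the request ends, which is the role Apache's per-request `r->subprocess_env` table plays in a real module. The attribute name `RADIUS_FOO` and its value are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L   /* setenv/unsetenv/strdup declarations */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed simulation, not Apache code.  A single worker process handles
 * request 1 (authenticated, Access-Accept received) and then request 2
 * (a different, unauthenticated client).  We ask: can request 2 observe the
 * attribute exported during request 1? */

#define MAX_ATTRS 8

/* Minimal stand-in for a per-request attribute table (Apache's real one is
 * the pool-allocated r->subprocess_env, freed with the request). */
typedef struct {
    const char *key[MAX_ATTRS];
    char       *val[MAX_ATTRS];
    int         n;
} request_env;

static void req_set(request_env *e, const char *k, const char *v) {
    for (int i = 0; i < e->n; i++) {
        if (strcmp(e->key[i], k) == 0) {      /* overwrite existing entry */
            free(e->val[i]);
            e->val[i] = strdup(v);
            return;
        }
    }
    if (e->n < MAX_ATTRS) {                   /* append new entry */
        e->key[e->n] = k;
        e->val[e->n] = strdup(v);
        e->n++;
    }
}

static const char *req_get(const request_env *e, const char *k) {
    for (int i = 0; i < e->n; i++)
        if (strcmp(e->key[i], k) == 0) return e->val[i];
    return NULL;
}

/* End of request: everything request-scoped is released with it. */
static void req_destroy(request_env *e) {
    for (int i = 0; i < e->n; i++) free(e->val[i]);
    e->n = 0;
}

/* Approach A: attribute exported into the process environment.
 * Returns 1 if the stale attribute is still visible to request 2. */
int global_env_leaks(void) {
    unsetenv("RADIUS_FOO");                        /* start from a clean process */

    /* request 1: Access-Accept arrives, module exports an attribute */
    setenv("RADIUS_FOO", "group=admin", 1);
    /* request 1 ends; nothing in the request lifecycle undoes the setenv */

    /* request 2: unrelated client served by the same process */
    const char *seen = getenv("RADIUS_FOO");
    int leaked = (seen != NULL && strcmp(seen, "group=admin") == 0);

    unsetenv("RADIUS_FOO");                        /* tidy up after the demo */
    return leaked;                                 /* 1: attribute leaked across requests */
}

/* Approach B: attribute lives in the request's own table.
 * Returns 1 if request 2 can see it, 0 if it vanished with request 1,
 * -1 if request 1 itself could not read it back (would mean a broken table). */
int scoped_env_leaks(void) {
    request_env r1 = {{0}, {0}, 0};
    req_set(&r1, "RADIUS_FOO", "group=admin");
    if (req_get(&r1, "RADIUS_FOO") == NULL) { req_destroy(&r1); return -1; }
    req_destroy(&r1);                              /* request 1 finishes */

    request_env r2 = {{0}, {0}, 0};                /* request 2 starts with a fresh table */
    int visible_in_r2 = req_get(&r2, "RADIUS_FOO") != NULL;
    req_destroy(&r2);
    return visible_in_r2;                          /* 0: nothing carries over */
}

int main(void) {
    printf("process environment leaks attribute to next request: %d\n", global_env_leaks());
    printf("request-scoped table leaks attribute to next request: %d\n", scoped_env_leaks());
    return 0;
}
```

The point for a module author is that the lifetime of the storage decides who can read the RADIUS data: `setenv()` outlives the request and the connection and is visible to every later request and every CGI spawned by the process, whereas a table tied to the request is gone once the request is finished, which is the property the reply above asks for.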
