[Mod-fcgid-users] basic authentication in php is not passed through mod_fcgid

2008-07-11 Thread Wolfgang Hennerbichler
Hi people,

I have an application that I'd like to switch to mod_fcgid, but
unfortunately it doesn't work as I wanted it to. The (php) application
uses basic authentication (not in apache but in php) but the entered
information is definitely not sent down to the application with
mod_fcgid.
I've configured it like this - where I assumed it should work (which
it doesn't, unfortunately):

  SuexecUserGroup wolf users
  <Directory /var/www/wolf/public_html/>
    Options +ExecCGI
    AddHandler fcgid-script .php
    FCGIWrapper /var/www/wolf/php_conf/php5-fcgid.nosafe .php
    FastCgiAuthorizerAuthoritative Off
    FastCgiAuthenticatorAuthoritative Off
    FastCgiAccessCheckerAuthoritative Off
  </Directory>

I'm using mod_fcgid version 1.10-2  (debian stable) and tried 2.2-1  
(debian testing). Any help would really be appreciated.

Thanks,
wogri

-- 
http://eye-got.com/NyF8GFp
http://www.wogri.com
http://www.einradfilm.at


-
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
___
Mod-fcgid-users mailing list
Mod-fcgid-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-fcgid-users


Re: [Mod-fcgid-users] basic authentication in php is not passed through mod_fcgid

2008-07-11 Thread Christian Seiler
Hi,

> I compile my server binaries and never rely on pre-compiled versions; I
> _never_ imagined using Apache without suexec which IMHO is a complete
> nonsense and should be a default behavior. Finally I never imagined
> running any virtualhost with the Apache user. That way, running Apache
> compiled with SECURITY_HOLE_PASS_AUTHORIZATION is completely safe.

What do you mean by not using the Apache user? I know there are several
MPMs back there that do what mpm_perchild should have done, but they
have (as far as I can tell) some major drawbacks themselves (for
example, at least one has to run the mod_ssl code as root which is
really bad should there be a buffer overflow).

And if you don't run your virtual hosts as a separate user, even with
suexec there is a very small vulnerability window to grab the
authentication data. That's why I understand the Apache people for not
passing the Authorization header by default.

> It is then better to keep the default apache
> configuration safe by _not_ opening such security issues and applying
> the patch you proposed directly at the module level.

Or to always pass the Authorization header at module level (which I also
proposed).

Regards,
Christian
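
The situation discussed in this thread, seen from the PHP side, as an added example that is not part of the original posts: when Apache withholds the Authorization header from a CGI/FastCGI process, `PHP_AUTH_USER` is unset, so the script must treat the request as unauthenticated and re-challenge. It assumes the header, where it is forwarded at all, arrives as `HTTP_AUTHORIZATION` (or `REDIRECT_HTTP_AUTHORIZATION`); the function names, user map, realm and sample values are constructed.

```php
<?php
// Added example: recover HTTP Basic credentials in PHP under CGI/FastCGI.
// Assumption: a forwarded header shows up as HTTP_AUTHORIZATION in $_SERVER.

/** Return [user, password] from the request environment, or null. */
function basic_credentials(array $server): ?array
{
    // Set by PHP when it has already parsed the header itself.
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    // Raw header; Apache prefixes REDIRECT_ after an internal redirect.
    $raw = $server['HTTP_AUTHORIZATION']
        ?? $server['REDIRECT_HTTP_AUTHORIZATION']
        ?? null;
    if ($raw === null || !preg_match('/^Basic\s+(\S+)$/i', trim($raw), $m)) {
        return null; // header not forwarded, or not the Basic scheme
    }
    $decoded = base64_decode($m[1], true); // strict: reject invalid base64
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    // Split on the first colon only: the password may contain ':'.
    return explode(':', $decoded, 2);
}

/** Check the request against a user => password_hash() map. */
function authenticate(array $server, array $users): bool
{
    $cred = basic_credentials($server);
    if ($cred === null || !isset($users[$cred[0]])) {
        return false;
    }
    return password_verify($cred[1], $users[$cred[0]]);
}

// Constructed sample (in practice the hash is stored, not computed per request).
$users  = ['wolf' => password_hash('s3cret:pw', PASSWORD_DEFAULT)];
$sample = ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('wolf:s3cret:pw')];

if (PHP_SAPI === 'cli') {
    var_dump(authenticate($sample, $users)); // header forwarded
    var_dump(authenticate([], $users));      // header withheld by the server
} elseif (!authenticate($_SERVER, $users)) {
    header('WWW-Authenticate: Basic realm="example"');
    http_response_code(401);
    exit('Authentication required');
}
```

The forwarded value is only base64-encoded, so any process that can read the environment of the FastCGI worker can recover the password, which is the exposure the reply above refers to.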
