Re: [Mod-fcgid-users] basic authentication in php is not passed through mod_fcgid
Hi!

>> And if you don't run your virtual hosts as a separate user, even with
>> suexec there is a very small vulnerability window to grab the
>> authentication data. That's why I understand the Apache people for not
>> passing the Authorization header by default.
>
> There is not such a small window because suexec is setuid,

Yes, sorry, I got mixed up with real and effective user ids with setuid (the setuid bit on an executable sets the effective user id, not the real user id, to root, therefore /proc/pid/environ is not accessible for non-root users). Nevertheless, very few people actually use suexec. And even if people use suexec, nearly nobody compiles their own Apache binary.

> Apache people set that compile flag off by default because suexec is by
> far not a "default" feature. There are so many Apache setups out there
> running everything with a single user, even some shared hosting providers.

Even most of the shared hosting providers, I'd guess...

>> Or to always pass the Authorization header at module level (which I also
>> proposed).
>
> CGI/FastCGI processes are not designed to parse HTTP headers, we should
> not pass them more headers. But if you mean always converting the
> Authorization header to its HTTP_ corresponding environment variable, I
> think it is safe to do so.

Yes, I meant that.

Regards,
Christian

-
Sponsored by: SourceForge.net Community Choice Awards: VOTE NOW!
Studies have shown that voting for your favorite open source project,
along with a healthy diet, reduces your potential for chronic lameness
and boredom. Vote Now at http://www.sourceforge.net/community/cca08
___
Mod-fcgid-users mailing list
Mod-fcgid-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-fcgid-users
Re: [Mod-fcgid-users] basic authentication in php is not passed through mod_fcgid
On 07/12/2008 12:14:21 AM +0200, Christian Seiler <[EMAIL PROTECTED]> wrote:
> Hi,
>
>> I compile my server binaries and never rely on pre-compiled versions; I
>> _never_ imagined using Apache without suexec which IMHO is complete
>> nonsense and should be a default behavior. Finally I never imagined
>> running any virtualhost with the Apache user. That way, running Apache
>> compiled with SECURITY_HOLE_PASS_AUTHORIZATION is completely safe.
>
> What do you mean by not using the Apache user? I know there are several
> MPMs back there that do what mpm_perchild should have done, but they
> have (as far as I can tell) some major drawbacks themselves (for
> example, at least one has to run the mod_ssl code as root which is
> really bad should there be a buffer overflow).

I mean any CGI/FastCGI/executables of some kind must not run as the same user the apache children run as. This is easy to do: just set the SuexecUserGroup directive inside the default virtualhost (or the first) with a different user than the User directive. I am not talking about static content, which is harmless to run as the same user.

> And if you don't run your virtual hosts as a separate user, even with
> suexec there is a very small vulnerability window to grab the
> authentication data. That's why I understand the Apache people for not
> passing the Authorization header by default.

There is not such a small window because suexec is setuid, thus AFAIK the environment is passed when the process memory footprint is already owned by root. Besides, that environment is only readable by the apache user, who in a correct suexec setup doesn't run any CGI directly (it only runs apache children). Obviously, that Apache user must be a dedicated user, and not a generic anonymous user which multiple applications are running under (i.e. if your "nobody" user is only used by Apache processes, it's OK).

Apache people set that compile flag off by default because suexec is by far not a "default" feature. There are so many Apache setups out there running everything with a single user, even some shared hosting providers.

>> It is then better to keep the default apache
>> configuration safe by _not_ opening such security issues and applying
>> the patch you proposed directly at the module level.
>
> Or to always pass the Authorization header at module level (which I also
> proposed).

CGI/FastCGI processes are not designed to parse HTTP headers, we should not pass them more headers. But if you mean always converting the Authorization header to its HTTP_ corresponding environment variable, I think it is safe to do so.

Gabriel
Re: [Mod-fcgid-users] basic authentication in php is not passed through mod_fcgid
Hi,

> I compile my server binaries and never rely on pre-compiled versions; I
> _never_ imagined using Apache without suexec which IMHO is complete
> nonsense and should be a default behavior. Finally I never imagined
> running any virtualhost with the Apache user. That way, running Apache
> compiled with SECURITY_HOLE_PASS_AUTHORIZATION is completely safe.

What do you mean by not using the Apache user? I know there are several MPMs back there that do what mpm_perchild should have done, but they have (as far as I can tell) some major drawbacks themselves (for example, at least one has to run the mod_ssl code as root, which is really bad should there be a buffer overflow).

And if you don't run your virtual hosts as a separate user, even with suexec there is a very small vulnerability window to grab the authentication data. That's why I understand the Apache people for not passing the Authorization header by default.

> It is then better to keep the default apache
> configuration safe by _not_ opening such security issues and applying
> the patch you proposed directly at the module level.

Or to always pass the Authorization header at module level (which I also proposed).

Regards,
Christian
Re: [Mod-fcgid-users] basic authentication in php is not passed through mod_fcgid
Hi

On 07/11/2008 11:10:56 PM +0200, Christian Seiler <[EMAIL PROTECTED]> wrote:
>> I have an application that I'd like to switch to mod_fcgid, but
>> unfortunately it doesn't work as I wanted it to. The (php) application
>> uses basic authentication (not in apache but in php) but the entered
>> information is definitely not sent down to the application with
>> mod_fcgid.
>
> I already said something on this topic on this mailing list but somehow
> I didn't provoke much feedback at all.

I reacted on that topic :-). I only felt that patch wasn't necessary because Apache could already be compiled with authorization passthrough.

> Anyway, have a look at the following postings:
>
> http://www.mail-archive.com/mod-fcgid-users%40lists.sourceforge.net/msg00161.html
> http://www.mail-archive.com/mod-fcgid-users%40lists.sourceforge.net/msg00163.html

I compile my server binaries and never rely on pre-compiled versions; I _never_ imagined using Apache without suexec which IMHO is complete nonsense and should be a default behavior. Finally I never imagined running any virtualhost with the Apache user. That way, running Apache compiled with SECURITY_HOLE_PASS_AUTHORIZATION is completely safe.

That said, I didn't realize before that the majority of apache users are using pre-compiled distribution binaries, don't look at the config files and only rely on automatic tools. Some users don't even know how to compile a simple C program or have heard of that "security voodoo thing called suexec". (Many Linux/LAMP system admins are overrated.)

It is then better to keep the default apache configuration safe by _not_ opening such security issues and applying the patch you proposed directly at the module level.

> If the patch still applies to the current code base (I haven't tried
> it), you can use it in combination with
>
> PassHeader Authorization
>
> in order to make sure PHP gets the necessary authentication information.

Don't worry, the codebase hasn't changed much, I think your patch can still be applied. But although I am following the code changes very closely, I can't apply it to the upstream (I work on my own local branch, and I am unfortunately not the maintainer). I don't know if they are even still active.

> PS: Just as a side note, mod_fastcgi has exactly the same problem and I
> got even less reaction when posting a patch there:
>
> http://fastcgi.com/archives/fastcgi-developers/2007-November/004890.html
> http://fastcgi.com/archives/fastcgi-developers/2007-December/004902.html
>
> Seems like all FastCGI implementations for Apache known to me have no
> interest at all in this issue.

mod_fastcgi is deader than mod_fcgid, and there are very few people willing (or able) to help or contribute to such a module. But I believe there are many silent users. Feedback from such users could be very interesting.

Gabriel
Re: [Mod-fcgid-users] basic authentication in php is not passed through mod_fcgid
Hi!

> I have an application that I'd like to switch to mod_fcgid, but
> unfortunately it doesn't work as I wanted it to. The (php) application
> uses basic authentication (not in apache but in php) but the entered
> information is definitely not sent down to the application with
> mod_fcgid.

I already said something on this topic on this mailing list but somehow I didn't provoke much feedback at all.

Anyway, have a look at the following postings:

http://www.mail-archive.com/mod-fcgid-users%40lists.sourceforge.net/msg00161.html
http://www.mail-archive.com/mod-fcgid-users%40lists.sourceforge.net/msg00163.html

If the patch still applies to the current code base (I haven't tried it), you can use it in combination with

    PassHeader Authorization

in order to make sure PHP gets the necessary authentication information.

Regards,
Christian

PS: Just as a side note, mod_fastcgi has exactly the same problem and I got even less reaction when posting a patch there:

http://fastcgi.com/archives/fastcgi-developers/2007-November/004890.html
http://fastcgi.com/archives/fastcgi-developers/2007-December/004902.html

Seems like all FastCGI implementations for Apache known to me have no interest at all in this issue.
Re: [Mod-fcgid-users] basic authentication in php is not passed through mod_fcgid
On Fri, 2008-07-11 at 20:16 +0200, Wolfgang Hennerbichler wrote:
> Hi people,
>
> I have an application that I'd like to switch to mod_fcgid, but
> unfortunately it doesn't work as I wanted it to. The (php) application
> uses basic authentication (not in apache but in php) but the entered
> information is definitely not sent down to the application with
> mod_fcgid.

This is a feature of Apache itself. Your PHP script should look at the REMOTE_USER environment variable to determine the authenticated user. If the script insists on doing the authorisation itself then you may be able to get Apache to pass through the correct headers by using mod_rewrite; see <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=483219#12> for details.

--
Sam Morris
http://robots.org.uk/
PGP key id 1024D/5EA01078
3412 EA18 1277 354B 991B C869 B219 7FDB 5EA0 1078
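As an added example (not code from anyone in this thread), this is the PHP side of the mod_rewrite workaround Sam points to: the script reads the Authorization value that mod_rewrite has copied into an environment variable, parses it strictly, and prefers PHP_AUTH_USER when the SAPI already provides it. The RewriteRule quoted in the comments, the REDIRECT_ prefixed variable name and the PHP 7.1+ syntax are assumptions about the deployment, not something the thread states.

```php
<?php
// Added example. Assumes Apache copies the header into the FastCGI environment
// with a rule like this (vhost or .htaccess); mod_rewrite prefixes it with
// REDIRECT_ when an internal redirect happens, so both names are checked:
//   RewriteEngine On
//   RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

/**
 * Return [user, password] from a Basic Authorization value, or null when the
 * value is absent, not Basic, not valid base64, or lacks the ':' separator.
 */
function parse_basic_authorization(string $header): ?array
{
    if (!preg_match('/^\s*Basic\s+([A-Za-z0-9+\/=]+)\s*$/i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);   // strict mode rejects bad input
    if ($decoded === false) {
        return null;
    }
    $pos = strpos($decoded, ':');             // split at the FIRST colon only:
    if ($pos === false) {                     // the password may contain ':'
        return null;
    }
    return [substr($decoded, 0, $pos), substr($decoded, $pos + 1)];
}

/**
 * Credentials for an app doing its own Basic auth behind mod_fcgid.
 * Order: PHP_AUTH_* (set by the module SAPI), then HTTP_AUTHORIZATION,
 * then REDIRECT_HTTP_AUTHORIZATION (the mod_rewrite workaround).
 */
function fcgi_basic_credentials(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (!empty($server[$key])) {
            return parse_basic_authorization($server[$key]);
        }
    }
    return null;
}

$creds = fcgi_basic_credentials($_SERVER);
if ($creds === null) {
    header('WWW-Authenticate: Basic realm="app"');
    header('HTTP/1.0 401 Unauthorized');
    exit;
}
[$user, $password] = $creds;
// Check $password against a stored hash here (e.g. password_verify()).
```

With the rewrite rule in place the script no longer needs Apache built with SECURITY_HOLE_PASS_AUTHORIZATION or a patched module, but the credentials still sit in the FastCGI process environment, which is exactly the exposure the suexec discussion above is about.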
[Mod-fcgid-users] basic authentication in php is not passed through mod_fcgid
Hi people,

I have an application that I'd like to switch to mod_fcgid, but unfortunately it doesn't work as I wanted it to. The (php) application uses basic authentication (not in apache but in php) but the entered information is definitely not sent down to the application with mod_fcgid.

I've configured it like this - where I assumed it should work (which it doesn't, unfortunately):

    SuexecUserGroup wolf users
    Options +ExecCGI
    AddHandler fcgid-script .php
    FCGIWrapper /var/www/wolf/php_conf/php5-fcgid.nosafe .php
    FastCgiAuthorizerAuthoritative Off
    FastCgiAuthenticatorAuthoritative Off
    FastCgiAccessCheckerAuthoritative Off

I'm using mod_fcgid version 1.10-2 (debian stable) and tried 2.2-1 (debian testing).

Any help would really be appreciated.

Thanks,
wogri

--
http://eye-got.com/NyF8GFp
http://www.wogri.com
http://www.einradfilm.at