Posted to embperl@perl.apache.org by Scott Chapman <sc...@mischko.com> on 2001/11/05 17:56:08 UTC

How to get authenticated username in Embperl?

If I have a user authenticate against an Apache password file, how 
do I get the userid that is authenticated?  I understand that 
environment variables are not a reliable way of doing this because 
they might be spoofed.

Is there a way using $r that I can do this in a more secure fashion?

Scott

---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org


Re: How to get authenticated username in Embperl?

Posted by Gerald Richter <ri...@ecos.de>.
> On Mon, 5 Nov 2001, Gerald Richter wrote:
>
> > environment variables are secure as long as your server isn't
> > compromised, because they are directly controlled and set by Apache
> > (or any other Webserver)
>
> So long as you don't have untrusted users with shell access on your
> system, which have access to execute the web pages from their shell with
> sufficient privs to do their web page functions.
>

That's true

Gerald



-------------------------------------------------------------
Gerald Richter    ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting

Post:       Tulpenstrasse 5         D-55276 Dienheim b. Mainz
E-Mail:     richter@ecos.de         Voice:    +49 6133 925131
WWW:        http://www.ecos.de      Fax:      +49 6133 925152
-------------------------------------------------------------





Re: How to get authenticated username in Embperl?

Posted by Ed Grimm <ed...@asgard.rsc.raytheon.com>.
On Mon, 5 Nov 2001, Gerald Richter wrote:

> environment variables are secure as long as your server isn't compromised,
> because they are directly controlled and set by Apache (or any other
> Webserver)

So long as you don't have untrusted users with shell access on your
system, which have access to execute the web pages from their shell with
sufficient privs to do their web page functions.

If that assumption does not hold, you're, in general, ... err, better not
say that word on the corporate mail server...  In any event, if that
assumption does not hold, it's your admin staff at fault, and embperl is
just one of many avenues they can exploit you.  (Ok, it could be
management disallowing the admin staff to secure the system.  In that
situation, the admin staff are still at fault, for not fleeing like rats
from a sinking ship, thus causing the systems to become secure because
they're powered off.)

Run a tight ship, and Gerald is perfectly correct.  (However, they're
still not secure enough to keep passwords or something in them as they
can be seen by unprivileged users on most OSes, using the ps(1)
command.)

Ed Grimm




Re: How to get authenticated username in Embperl?

Posted by Gerald Richter <ri...@ecos.de>.
> If I have a user authenticate against an Apache password file, how
> do I get the userid that is authenticated?  I understand that
> environment variables are not a reliable way of doing this because
> they might be spoofed.
>
> Is there a way using $r that I can do this in a more secure fashion?
>

If you are running under mod_perl you can use

$userid = $req_rec -> connection -> user ;

otherwise use

$userid = $ENV{REMOTE_USER} ;

environment variables are secure as long as your server isn't compromised,
because they are directly controlled and set by Apache (or any other
Webserver)

Gerald







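Putting Gerald's two lookups together in one Embperl page, as an added example that is not from the thread or from the Embperl project itself: it prefers the Apache request record (`$req_rec`, which Embperl exposes under mod_perl) and falls back to `REMOTE_USER` otherwise, and it treats a missing or empty name as "not authenticated" rather than trusting it. The accessor `$req_rec->connection->user` is the mod_perl 1 form quoted in the reply; that mod_perl 2 moved it to `$req_rec->user` is noted from general knowledge, not from the thread.

```perl
[-
  # Added example (not from the list thread). Resolve the user that
  # Apache has already authenticated for this request.
  my $user;
  if (defined $req_rec) {
      # Under mod_perl the authenticated name is on the request record:
      # mod_perl 1 keeps it on the connection object (as in the reply);
      # mod_perl 2 exposes it as $req_rec->user instead.
      $user = $req_rec->can('user') ? $req_rec->user
                                    : $req_rec->connection->user;
  } else {
      # Outside mod_perl, Apache sets REMOTE_USER itself after a
      # successful AuthUserFile check, so the value comes from the
      # server, not from anything the client sent.
      $user = $ENV{REMOTE_USER};
  }
  # A location without "require valid-user" yields no name at all;
  # treat undef/empty as anonymous instead of failing open.
  undef $user if defined $user && $user eq '';
-]
[$ if defined $user $]
  <p>Logged in as [+ $user +]</p>
[$ else $]
  <p>Not authenticated</p>
[$ endif $]
```

The `[+ ... +]` output block HTML-escapes the name by default, so a username containing markup characters from the password file is rendered, not interpreted. Note that this only reports what Apache decided; the page itself still needs the `AuthType`/`require` directives in the server configuration to force authentication in the first place.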