Posted to users@httpd.apache.org by "D'Arcy J.M. Cain" <da...@Vex.Net> on 2013/02/25 18:19:28 UTC

[users@httpd] Using PostgreSQL auth - user permissions

Please see the message I sent a few minutes ago re: "Unable to open
logs" if you need more information about my system than I have included
here.

I have recently upgraded to Apache 2.4, suExec and dbd authentication
with PostgreSQL.  This is on a system with multiple users.  Here is an
example virtual host entry:

<VirtualHost 98.158.134.24:80>
    ServerName admin.occ4u.org
    DocumentRoot /u/WEB/Misc/OCC_Admin
    ServerAdmin webmaster@vex.net
    SuexecUserGroup darcy vex

    DBDriver pgsql
    DBDParams "host=localhost dbname=occ user=occ"
    DBDPersist off

    <Directory /u/WEB/Misc/OCC_Admin>
        AuthType Basic
        AuthName "OCC database Administration"
        Require valid-user
        AuthBasicProvider dbd
        AuthDBDUserPWQuery "SELECT raw(person_pass) FROM person \
                            WHERE person_login = %s AND \
                              person_active = 't'"
    </Directory>
</VirtualHost>

This fails because the connection is made as nobody, the user that the
server itself runs as.  The database makes an ident call for occ and
fails of course.

Currently my solution is to either make the database trust any
connections from itself or make the password files world readable.
Neither of these seems very secure.  I tried adding a User directive in
the virtual host but that just crashed Apache with a config error
sending me on a five minute reboot (Unable to open logs - see previous
message.)

Database connections from the web site are fine since suExec runs the
scripts as occ.  Is there any way to make the dbd connection run as occ
as well?

Thanks for any help.

-- 
D'Arcy J.M. Cain
System Administrator, Vex.Net
http://www.Vex.Net/ IM:darcy@Vex.Net
Voip: sip:darcy@Vex.Net

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Using PostgreSQL auth - user permissions

Posted by "D'Arcy J.M. Cain" <da...@Vex.Net>.
On Mon, 25 Feb 2013 12:19:28 -0500
"D'Arcy J.M. Cain" <da...@Vex.Net> wrote:
> Database connections from the web site are fine since suExec runs the
> scripts as occ.  Is there any way to make the dbd connection run as
> occ as well?

If this is simply not possible, a quick note to that effect would
really be appreciated so that I can start working around this
limitation of Apache.  If someone actually has this working properly
that would also be nice to know so that I can keep working on it.

-- 
D'Arcy J.M. Cain
System Administrator, Vex.Net
http://www.Vex.Net/ IM:darcy@Vex.Net
Voip: sip:darcy@Vex.Net


Re: [users@httpd] Using PostgreSQL auth - user permissions

Posted by "D'Arcy J.M. Cain" <da...@Vex.Net>.
On Mon, 25 Feb 2013 12:19:28 -0500
"D'Arcy J.M. Cain" <da...@Vex.Net> wrote:
> I have recently upgraded to Apache 2.4, suExec and dbd authentication
> with PostgreSQL.  This is on a system with multiple users.  Here is an
> example virtual host entry:

Pardon my followup to my own message but I realized that I gave a bad
example.  This one uses the same user for SuexecUserGroup and DBDParams
and still has the same problem.

<VirtualHost 98.158.134.4:80>
    ServerName admin.bigsmokemusic.com
    DocumentRoot /u/WEB/bigsmoke/admin
    ServerAdmin webmaster@vex.net
    SuexecUserGroup bigsmoke bigsmoke
    DBDriver pgsql
    DBDParams "dbname=bigsmoke user=bigsmoke"
    DBDPersist off

    <Directory /u/WEB/bigsmoke/admin>
        AuthType Basic
        AuthName "Big Smoke Music Administration"
        Require valid-user
        AuthBasicProvider dbd
        AuthDBDUserPWQuery "SELECT person_pass FROM pperson \
                            WHERE person_login = %s"
    </Directory>
</VirtualHost>

-- 
D'Arcy J.M. Cain
System Administrator, Vex.Net
http://www.Vex.Net/ IM:darcy@Vex.Net
Voip: sip:darcy@Vex.Net


Re: [users@httpd] Using PostgreSQL auth - user permissions

Posted by "D'Arcy J.M. Cain" <da...@Vex.Net>.
On Thu, 28 Feb 2013 17:02:37 +0000
Tom Evans <te...@googlemail.com> wrote:
> >> I think the password for the user that connects to the DB should
> >> also be declared here like:
> >
> > I have two problems with that.  I don't know all of my users'
> > passwords and I don't want to store clear text passwords in the
> > configs.
> 
> I think you're going to have great difficulties getting Apache to
> query a database you cannot supply the credentials for.

Well, it already does that just fine with identd.  The user scripts,
running as the user thanks to suExec, open and query their own database
just fine.  It's only the dbd auth that doesn't work.

> Can you not create a specific role user that can access each user's

You mean a superuser account?

> DB? That way, you would not need to specify their password in the conf
> file, just your role user's password. The conf file can also be only
> readable by root for on disk security.

Config files are managed with SVN so copies sit around in many places.

I am just a little disappointed that Apache goes through all the
trouble of supplying suExec and locking it down so well and yet it
still requires that I store passwords on disk or make passwords (even
encrypted) world readable. Similar issue with mod_php.  Even though the
site runs as the user, mod_php still runs as nobody so data files need
to be world writable.

-- 
D'Arcy J.M. Cain
System Administrator, Vex.Net
http://www.Vex.Net/ IM:darcy@Vex.Net
Voip: sip:darcy@Vex.Net


Re: [users@httpd] Using PostgreSQL auth - user permissions

Posted by Tom Evans <te...@googlemail.com>.
On Thu, Feb 28, 2013 at 4:46 AM, D'Arcy J.M. Cain <da...@vex.net> wrote:
> On Thu, 28 Feb 2013 13:04:21 +1100
> Igor Cicimov <ic...@gmail.com> wrote:
>> > I have recently upgraded to Apache 2.4, suExec and dbd
>> > authentication with PostgreSQL.  This is on a system with multiple
>> > users.  Here is an example virtual host entry:
>> >
>> > <VirtualHost 98.158.134.24:80>
>> >     ServerName admin.occ4u.org
>> >     DocumentRoot /u/WEB/Misc/OCC_Admin
>> >     ServerAdmin webmaster@vex.net
>> >     SuexecUserGroup darcy vex
>> >
>> >     DBDriver pgsql
>> >     DBDParams "host=localhost dbname=occ user=occ"
>> >
>>
>> I think the password for the user that connects to the DB should also
>> be declared here like:
>
> I have two problems with that.  I don't know all of my users' passwords
> and I don't want to store clear text passwords in the configs.
>

I think you're going to have great difficulties getting Apache to
query a database you cannot supply the credentials for.

Can you not create a specific role user that can access each user's
DB? That way, you would not need to specify their password in the conf
file, just your role user's password. The conf file can also be only
readable by root for on disk security.

Cheers

Tom


Re: [users@httpd] Using PostgreSQL auth - user permissions

Posted by "D'Arcy J.M. Cain" <da...@Vex.Net>.
On Thu, 28 Feb 2013 13:04:21 +1100
Igor Cicimov <ic...@gmail.com> wrote:
> > I have recently upgraded to Apache 2.4, suExec and dbd
> > authentication with PostgreSQL.  This is on a system with multiple
> > users.  Here is an example virtual host entry:
> >
> > <VirtualHost 98.158.134.24:80>
> >     ServerName admin.occ4u.org
> >     DocumentRoot /u/WEB/Misc/OCC_Admin
> >     ServerAdmin webmaster@vex.net
> >     SuexecUserGroup darcy vex
> >
> >     DBDriver pgsql
> >     DBDParams "host=localhost dbname=occ user=occ"
> >
> 
> I think the password for the user that connects to the DB should also
> be declared here like:

I have two problems with that.  I don't know all of my users' passwords
and I don't want to store clear text passwords in the configs.

> > Currently my solution is to either make the database trust any
> > connections from itself
> 
> You can make this "trust the local connections for SOME users
> including apache user". And additionally you can grant apache user
> select permissions only to the person table of the occ database.

And every other database that I need to authenticate to.  It doesn't
sound like it scales very well.  This is my current solution although I
did take it a step farther and created a view on the person tables with
just the data I needed.  The view is what I give public access to.

> > Database connections from the web site are fine since suExec runs
> > the scripts as occ.  Is there any way to make the dbd connection
> > run as occ as well?
> >
> You can run apache as occ user.

That doesn't help me authenticate the other users.  I know that I can
make this work if I have one client but I am trying to make it work for
hundreds of different users.

-- 
D'Arcy J.M. Cain
System Administrator, Vex.Net
http://www.Vex.Net/ IM:darcy@Vex.Net
Voip: sip:darcy@Vex.Net


Re: [users@httpd] Using PostgreSQL auth - user permissions

Posted by Igor Cicimov <ic...@gmail.com>.
On Tue, Feb 26, 2013 at 4:19 AM, D'Arcy J.M. Cain <da...@vex.net> wrote:

> Please see the message I sent a few minutes ago re: "Unable to open
> logs" if you need more information about my system than I have included
> here.
>
> I have recently upgraded to Apache 2.4, suExec and dbd authentication
> with PostgreSQL.  This is on a system with multiple users.  Here is an
> example virtual host entry:
>
> <VirtualHost 98.158.134.24:80>
>     ServerName admin.occ4u.org
>     DocumentRoot /u/WEB/Misc/OCC_Admin
>     ServerAdmin webmaster@vex.net
>     SuexecUserGroup darcy vex
>
>     DBDriver pgsql
>     DBDParams "host=localhost dbname=occ user=occ"
>

I think the password for the user that connects to the DB should also be
declared here like:

DBDParams "host=localhost dbname=occ user=occ password=some_password"


>     DBDPersist off
>
>     <Directory /u/WEB/Misc/OCC_Admin>
>         AuthType Basic
>         AuthName "OCC database Administration"
>         Require valid-user
>         AuthBasicProvider dbd
>         AuthDBDUserPWQuery "SELECT raw(person_pass) FROM person \
>                             WHERE person_login = %s AND \
>                               person_active = 't'"
>     </Directory>
> </VirtualHost>
>
> This fails because the connection is made as nobody, the user that the
> server itself runs as.  The database makes an ident call for occ and
> fails of course.
>
> Currently my solution is to either make the database trust any
> connections from itself


You can make this "trust the local connections for SOME users including
apache user". And additionally you can grant apache user select permissions
only to the person table of the occ database.


> or make the password files world readable.
> Neither of these seems very secure.  I tried adding a User directive in
> the virtual host but that just crashed Apache with a config error
> sending me on a five minute reboot (Unable to open logs - see previous
> message.)
>
> Database connections from the web site are fine since suExec runs the
> scripts as occ.  Is there any way to make the dbd connection run as occ
> as well?
>
>
You can run apache as occ user.


> Thanks for any help.
>
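Igor's "trust the local connections for SOME users" and D'Arcy's refinement of exposing only a view of the person table, written out as one least-privilege setup. This is an added example, not configuration from the thread: the DB role httpd_auth, the view person_auth, the OS user nobody, the ident map name httpd and the use of PostgreSQL peer authentication are all assumptions; the database occ and the person columns come from D'Arcy's first message.

```sql
-- pg_hba.conf, the form the thread worries about: every local role is trusted,
-- so any local process can connect as any role with no credential at all.
--   local   all   all   trust
--
-- Narrower form (assumed): only httpd_auth may connect without a password, and
-- only when the OS user is the one httpd runs as; everyone else still
-- authenticates as before. No password ever appears in httpd.conf.
--   local   occ   httpd_auth   peer   map=httpd
--   local   all   all          peer
-- pg_ident.conf: map the httpd OS user ("nobody" here, assumed) onto that role.
--   httpd   nobody   httpd_auth

-- A login-only role with no rights on the person table itself.
CREATE ROLE httpd_auth LOGIN NOINHERIT;
GRANT CONNECT ON DATABASE occ TO httpd_auth;

-- Expose exactly what AuthDBDUserPWQuery needs: login and hash, active rows only.
-- The active check moves into the view so the Apache query cannot drop it.
CREATE VIEW person_auth AS
    SELECT person_login, person_pass
      FROM person
     WHERE person_active = 't';

-- The view is owned by the table owner and is evaluated with the owner's
-- privileges, so httpd_auth can read through it without SELECT on person.
REVOKE ALL ON person FROM httpd_auth;
GRANT SELECT ON person_auth TO httpd_auth;

-- httpd.conf side (assumed directives, same module as the thread's config),
-- pointed at the view rather than the table:
--   DBDParams "dbname=occ user=httpd_auth"
--   AuthDBDUserPWQuery "SELECT person_pass FROM person_auth WHERE person_login = %s"

-- Verification from a shell as the mapped OS user (expected results in comments):
--   sudo -u nobody psql -U httpd_auth occ -c "SELECT count(*) FROM person"
--     -> ERROR: permission denied for relation person
--   sudo -u nobody psql -U httpd_auth occ -c \
--     "SELECT person_pass FROM person_auth WHERE person_login = 'alice'"
--     -> one row for an active login, zero rows for an inactive or unknown one
```

For D'Arcy's many-customer case the pg_hba.conf line can name `all` in the database column so one httpd_auth role serves every database, with each database carrying its own person_auth view and GRANT; the role still never reads a person table directly.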