- From: Darren New <dnew@yuan.fv.com>
- Date: Wed, 27 Mar 1996 09:34:59 -0800 (PST)
- To: Mike Meyer <mwm@contessa.phone.net>
- Cc: www-talk@w3.org
On Tue, 26 Mar 1996, Mike Meyer wrote:

> header. The environment of a Unix process is publicly available on
> most (all?) unix systems.

Um, how's that? I'm pretty sure you have to read /dev/kmem to get the
environment for someone else's process. How would you do this?

> Putting the authentication header in the
> environment lets other users of your Unix system grab
> username/password pairs if they want them.

Fortunately, our webservers don't have any untrusted users logging in. :-)
And it certainly isn't any less secure than dumping the name/passwd pairs
thru the internet in the "clear".

> they did. If you really want to do this and source is available, it's
> probably pretty simple to find the code that prevents authentication
> headers from going into the environment and disable it.

Actually, for at least the ones I've looked at, it's a pain. It would be
much easier to special-case taking it out of the environment than it would
be to write code to find it and insert it into the environment in the right
place.

The real problem is that the CGI script doesn't get invoked until *after*
the username and password are validated. If you want the CGI script to do
the validation, you're out of luck.

This is falling back to the old ACL/setuid argument. Is it better to have
the access control built in to a system (like httpd) or is it better to
give a user program the info it needs to decide whether to permit access?

Currently, I've not found a browser that will invoke CGIs whose basic
authentication doesn't match what's in the config files, so you're stuck
with what's compiled into the server. I imagine other servers give you
different APIs for intercepts at different places, but I haven't looked too
closely at them yet.

-- 
Darren New / Dir. of Custom Software Design / First Virtual Holdings Inc.
Anyone can buy and sell information over the internet for real money TODAY!
http://www.fv.com or info@fv.com -=|=- PGP key: finger dnew@yuan.fv.com
This message brought to you by the letter T, and the number 1.
Received on Wednesday, 27 March 1996 12:52:25 UTC
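The validation that the message above says a CGI script never gets to do, written out as an added example (it is not code from this thread or from any of the 1996 servers discussed): a CGI-style handler that reads the Basic credentials from the request, parses the header defensively, and checks them in constant time against a hashed credential store. It assumes the server passes the client's Authorization header through as the CGI meta-variable HTTP_AUTHORIZATION, which is the very thing most servers strip by default; the realm, the user store and the sample requests are all constructed for this example.

```python
"""Basic-auth validation inside a CGI-style handler (added example).

Assumes the web server exposes the request's Authorization header to the
script as HTTP_AUTHORIZATION. The realm, credential store and sample
requests below are constructed for the example, not taken from any server.
"""
import base64
import binascii
import hashlib
import hmac
import os

REALM = "example"   # assumption: realm chosen for this example
_SALT = b"\x01" * 16  # fixed salt so the example is reproducible


def _derive(salt, password):
    """Slow password hash; never store the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed credential store: username -> (salt, derived key).
USERS = {
    "alice": (_SALT, _derive(_SALT, "correct horse battery staple")),
}


def parse_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None.

    Rejects other schemes, malformed base64 and payloads without a colon.
    """
    if not header:
        return None
    scheme, _, param = header.strip().partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        raw = base64.b64decode(param.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("latin-1")  # charset is undefined unless advertised
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def check_credentials(user, password):
    """Constant-time comparison; unknown users cost the same as known ones."""
    salt, expected = USERS.get(user, (_SALT, b"\x00" * 32))
    return hmac.compare_digest(_derive(salt, password), expected) and user in USERS


def handle(environ):
    """Decide access for one CGI request: returns (status, headers, body)."""
    creds = parse_basic_auth(environ.get("HTTP_AUTHORIZATION"))
    if creds is None or not check_credentials(*creds):
        return ("401 Unauthorized",
                [("WWW-Authenticate", 'Basic realm="%s"' % REALM),
                 ("Content-Type", "text/plain")],
                "authentication required\n")
    return ("200 OK", [("Content-Type", "text/plain")], "hello, %s\n" % creds[0])


def make_basic_header(user, password):
    """Build the header a client would send; used to construct sample requests."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


# Constructed sample CGI environments (not real traffic).
SAMPLE_REQUESTS = {
    "no_header": {},
    "valid": {"HTTP_AUTHORIZATION": make_basic_header("alice", "correct horse battery staple")},
    "wrong_password": {"HTTP_AUTHORIZATION": make_basic_header("alice", "guess")},
    "unknown_user": {"HTTP_AUTHORIZATION": make_basic_header("mallory", "guess")},
    "not_base64": {"HTTP_AUTHORIZATION": "Basic !!!not-base64!!!"},
    "other_scheme": {"HTTP_AUTHORIZATION": "Bearer abc"},
}


def demo():
    """Run every sample request through handle(); returns name -> status line."""
    return {name: handle(env)[0] for name, env in SAMPLE_REQUESTS.items()}


def run_cgi():
    """Entry point when a CGI server invokes the script: read os.environ, emit a response."""
    status, headers, body = handle(os.environ)
    print("Status: " + status)
    for name, value in headers:
        print("%s: %s" % (name, value))
    print()
    print(body, end="")


if __name__ == "__main__":
    run_cgi()
```

Only the "valid" sample reaches the 200 branch; every other one, including the unknown user and the malformed header, gets the same 401 with a WWW-Authenticate challenge. The cost of this design is the exposure raised earlier in the thread: once the credentials sit in the process environment, every subprocess the script spawns inherits them unless the script scrubs HTTP_AUTHORIZATION from the environment first.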