- Pb with Apache (authentication)
Hello,

I've a problem with Zope 1.0.9 (source distribution) with authentication. I am using Apache 1.2.6 from a RedHat 5.1 distribution with the standard configuration files plus the rewrite rule in httpd.conf:

    RewriteEngine on
    RewriteLog /etc/httpd/logs/rewrite.log
    RewriteLogLevel 9
    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule ^/Zope/(.*) /home/httpd/cgi-bin/Zope.cgi/$1 [e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]

For testing, I've installed Zope under /home/httpd/Zope-1.9.0-src and a link with /home/hhtpd/Zope.lnk. Zope.cgi is in the cgi-bin directory.

The URL //mymachine/cgi-bin/Zope.cgi gives the welcome page.
The URL //mymachine/cgi-bin/Zope.cgi/manage asks the superuser name and the password but it fails.
The URL //mymachine/Zope/manage asks the superuser name and the password but it fails.

The log for the rewrite rule seems to be correct (and it works...)

httpd runs as nobody. The access file is owned by nobody with read and write access.

ls -l var gives:

    total 26
    -rw-rw-rw-   1 nobody   nobody      10780 Dec 30 17:22 Data.bbb
    -rw-rw-rw-   1 nobody   nobody       7789 Dec 30 17:11 Data.bbb.in
    -rw-r--r--   1 nobody   nobody          9 Dec 30 17:22 Data.bbb.trans
    drwxrwxrwx   3 nobody   nobody       1024 Dec 30 17:21 gadfly
    -rw-rw-rw-   1 nobody   nobody       3135 Dec 30 17:21 pcgi.log
    -rw-rw-rw-   1 nobody   nobody          4 Dec 30 17:22 pcgi.pid
    srwxrwxrwx   1 nobody   nobody          0 Dec 30 17:22 pcgi.soc

ls -l access gives:

    -rwxrw-rw-   1 nobody   nobody         16 Dec 30 18:12 access

Thank you
Ronan BARZIC
barzic@worldnet.fr
Ronan BARZIC wrote:
> Hello,
> I've a problem with Zope 1.0.9 (source distribution) with authentication. I am using Apache 1.2.6 from a RedHat 5.1 distribution with the standard configuration files plus the rewrite rule in httpd.conf:
>
>     RewriteEngine on
>     RewriteLog /etc/httpd/logs/rewrite.log
>     RewriteLogLevel 9
>     RewriteCond %{HTTP:Authorization} ^(.*)
>     RewriteRule ^/Zope/(.*) /home/httpd/cgi-bin/Zope.cgi/$1 [e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]
>
> For testing, I've installed Zope under /home/httpd/Zope-1.9.0-src and a link with /home/hhtpd/Zope.lnk. Zope.cgi is in the cgi-bin directory.
>
> The URL //mymachine/cgi-bin/Zope.cgi gives the welcome page.
> The URL //mymachine/cgi-bin/Zope.cgi/manage asks the superuser name and the password but it fails.
> The URL //mymachine/Zope/manage asks the superuser name and the password but it fails.
>
> The log for the rewrite rule seems to be correct (and it works...)
You ran into the same problem I did. A standard build of apache won't cut it. Apache normally doesn't provide the HTTP_AUTHORIZATION environment variable to cgis because it can potentially be exploited by malicious cgis (on your server). From src/main/util_script.c:

    /*
     * You really don't want to disable this check, since it leaves you
     * wide open to CGIs stealing passwords and people viewing them
     * in the environment with "ps -e".  But, if you must...
     */

In our case, in order for zope to do authentication, it NEEDS the HTTP_AUTHORIZATION environment variable to check the password against its own authentication "database". So if you trust the cgis that are running on your server (you should if this is any kind of "production" server), and you don't have users you don't trust on the machine (you shouldn't) typing 'ps -e' (so they can see the environment of the cgi process), this isn't a problem.

I presume that if you are using the python/bobo/apache plugin, this mightn't be a problem, but I don't know for sure. If you are using ZopeHTTPServer, I presume there shouldn't be any problem there either.

There is probably a FAQ entry on this somewhere, but what you do is get the Apache source code and configure it. Then edit src/main/Makefile and add -DSECURITY_HOLE_PASS_AUTHORIZATION to CFLAGS and build, and it should work.

Alternatively, since you are using Linux, you could just get the binaries.

Cheers,
Drew

P.S. Didn't mean to scare anybody. :)

--
Drew Csillag
Python and Linux Weenie
Senior Engineer              "Walking on water and developing software (on time)
StarMedia Network             from a specification is easy...
(212)-548-9693                If both are frozen"
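The thread turns on one mechanism: a CGI can only authenticate the client if the Authorization header reaches its environment, either as HTTP_AUTHORIZATION (Apache built with -DSECURITY_HOLE_PASS_AUTHORIZATION) or under a name the administrator chose with a mod_rewrite [E=...] flag, such as the HTTP_CGI_AUTHORIZATION in Ronan's RewriteRule. The script below is an added example, not Zope's code or anything from the original posts: it shows the consumer side of that arrangement, reading the header from either variable, decoding Basic credentials defensively, and checking them with a constant-time comparison against a salted hash. The user "superuser" with password "s3cret", the salt and the credential store are all constructed sample data.

```python
import base64
import binascii
import hashlib
import hmac

# Environment variable names that can carry the client's Authorization header
# into a CGI process, as discussed in the thread:
#  - HTTP_AUTHORIZATION: only present when Apache was compiled with
#    -DSECURITY_HOLE_PASS_AUTHORIZATION
#  - HTTP_CGI_AUTHORIZATION: the name set by the [e=HTTP_CGI_AUTHORIZATION:%1]
#    flag in the questioner's RewriteRule
# Whichever route is used, the value sits in the CGI's environment, which other
# local users may be able to read (the "ps -e" caveat in util_script.c).
AUTH_ENV_VARS = ("HTTP_AUTHORIZATION", "HTTP_CGI_AUTHORIZATION")

PBKDF2_ITERATIONS = 100_000  # assumption: a modest cost for a demo store


def get_authorization_header(environ):
    """Return the first non-empty Authorization value found, or None."""
    for name in AUTH_ENV_VARS:
        value = environ.get(name)
        if value:
            return value
    return None


def parse_basic_credentials(header):
    """Return (user, password) from a 'Basic <base64>' header, or None.

    Rejects other schemes, malformed base64, non-UTF-8 payloads and payloads
    without the mandatory ':' separator instead of raising.
    """
    if not isinstance(header, str):
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def hash_password(salt, password):
    """Salted PBKDF2-HMAC-SHA256 of the password, as a hex string."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    ).hex()


# Constructed credential store: {user: (salt, pbkdf2_hex)}. In a real
# deployment this would live in the application's own database, as Zope's does.
SAMPLE_SALT = b"constructed-salt-value"
SAMPLE_STORE = {"superuser": (SAMPLE_SALT, hash_password(SAMPLE_SALT, "s3cret"))}


def check_credentials(environ, store=SAMPLE_STORE):
    """Return the authenticated user name, or None on any failure."""
    header = get_authorization_header(environ)
    if header is None:
        return None  # stock Apache build: the header never reached the CGI
    creds = parse_basic_credentials(header)
    if creds is None:
        return None
    user, password = creds
    entry = store.get(user)
    if entry is None:
        return None
    salt, expected = entry
    # Constant-time comparison so a wrong password does not leak timing.
    if hmac.compare_digest(hash_password(salt, password), expected):
        return user
    return None


def sample_environ(var_name, user, password):
    """Build a CGI-style environment carrying Basic credentials (constructed)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {var_name: "Basic " + token}


if __name__ == "__main__":
    # With the rewrite workaround the header arrives under the custom name.
    print(check_credentials(sample_environ("HTTP_CGI_AUTHORIZATION", "superuser", "s3cret")))
    # With a stock Apache build nothing arrives at all, so authentication cannot succeed.
    print(check_credentials({}))
```

The empty-environment case is exactly Ronan's symptom: the browser is prompted, sends the credentials, and the CGI still cannot see them, so the login fails without any error in the rewrite log. Both variable names are consulted so the same script works whichever of Drew's two routes the administrator picked.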
Participants (2): Andrew Csillag, Ronan BARZIC