[Zope] - Pb with Apache (authentication)

Andrew Csillag drew_csillag@geocities.com
Thu, 31 Dec 1998 10:16:54 -0500


Ronan BARZIC wrote:
> 
> Hello,
> 
>     I've a problem with Zope 1.0.9 (source distribution) with
> authentication.
>     I am using Apache 1.2.6 from a RedHat 5.1 distribution with the
> standard configuration files plus the rewrite Rule in httpd.conf :
>         RewriteEngine on
>         RewriteLog /etc/httpd/logs/rewrite.log
>         RewriteLogLevel 9
>         RewriteCond %{HTTP:Authorization}  ^(.*)
>         RewriteRule ^/Zope/(.*) /home/httpd/cgi-bin/Zope.cgi/$1
> [e=HTTP_CGI_AUTHORIZATION:%1,t=application/x-httpd-cgi,l]
> 
>     For testing, I've installed Zope under the /home/httpd/Zope-1.9.0-src
> and a link with /home/hhtpd/Zope.lnk
>     Zope.cgi is in the cgi-bin directory
> 
>      The URL //mymachine/cgi-bin/Zope.cgi gives the welcome page
>      The URL //mymachine/cgi-bin/Zope.cgi/manage asks the superuser name and
> the password but it fails
> 
>     The URL //mymachine/Zope/manage asks the superuser name and the password
> but it fails. The log for the rewrite rule seems to be correct (and it
> works...)
 
You ran into the same problem I did.  A standard build of apache won't
cut it.  Apache normally doesn't provide the HTTP_AUTHORIZATION
environment variable to cgis because it can potentially be exploited by
malicious cgis (on your server).  From src/main/util_script.c:

/*
 * You really don't want to disable this check, since it leaves you
 * wide open to CGIs stealing passwords and people viewing them
 * in the environment with "ps -e".  But, if you must...
 */ 

In our case, in order for zope to do authentication, it NEEDS the
HTTP_AUTHORIZATION environment variable to check the password against
its own authentication "database".  So if you trust the cgis are
running on your server (you should if this is any kind of "production"
server), and you don't have users you don't trust on the machine (you
shouldn't) typing 'ps -e' (so they can see the environment of the cgi
process), this isn't a problem.  I presume that if you are using the
python/bobo/apache plugin, this mightn't be a problem, but I don't know
for sure.  If you are using ZopeHTTPServer, I presume there shouldn't be
any problem there either.

There is probably a FAQ entry on this somewhere, but what you do is get
the Apache sourcecode and configure it.  Then edit src/main/Makefile and
add -DSECURITY_HOLE_PASS_AUTHORIZATION to CFLAGS and build, and it
should work.  Alternatively, since you are using Linux, you could just
get the binaries.

Cheers,
Drew

P.S.  Didn't mean to scare anybody. :)

-- 
Drew Csillag               Python and Linux Weenie
Senior Engineer            "Walking on water and developing software (on time)
StarMedia Network           from a specification is easy...
(212)-548-9693              If both are frozen"
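The CGI-side check Drew describes, as an added example that is neither the thread's nor Zope's own code: it reads the Basic header from HTTP_AUTHORIZATION or from the HTTP_CGI_AUTHORIZATION variable the RewriteRule above sets, rejects malformed headers, and compares against a hashed store. The user store, salt and password are constructed; the function names are this example's own.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed stand-in for Zope's user "database": name -> salted SHA-256 hex.
_SALT = b"constructed-salt"
USERS = {"superuser": hashlib.sha256(_SALT + b"example-password").hexdigest()}

def basic_header(user, password):
    """Build the 'Basic <base64(user:pass)>' value a browser sends."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token

def get_authorization(environ):
    """Return the raw Authorization value the CGI can see, or None."""
    # Stock Apache strips HTTP_AUTHORIZATION before running a CGI; the
    # RewriteRule in the thread copies it into HTTP_CGI_AUTHORIZATION instead.
    for name in ("HTTP_AUTHORIZATION", "HTTP_CGI_AUTHORIZATION"):
        value = environ.get(name)
        if value:
            return value
    return None

def parse_basic(header):
    """Split a Basic header into (user, password); None on any defect."""
    parts = header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None  # not Basic, or no credential part
    try:
        decoded = base64.b64decode(parts[1].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # bad base64 or non-UTF-8 bytes
    if ":" not in decoded:
        return None  # wire form is user:password
    user, _, password = decoded.partition(":")
    return user, password

def authenticate(environ):
    """True only for valid Basic credentials of a known user."""
    header = get_authorization(environ)
    creds = parse_basic(header) if header else None
    if creds is None:
        return False
    user, password = creds
    digest = hashlib.sha256(_SALT + password.encode("utf-8")).hexdigest()
    expected = USERS.get(user, "")  # unknown user: compare against "" and fail
    return hmac.compare_digest(digest, expected)  # constant-time compare
```

Under Apache the argument is `os.environ`; the same process environment is what the `ps -e` remark in the quoted util_script.c comment refers to.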