List:       apache-modules
Subject:    [apache-modules] apache module to store passwords
From:       John Newbigin <jn () it ! swin ! edu ! au>
Date:       2004-03-25 3:09:39
Message-ID: 40624D73.6050103 () it ! swin ! edu ! au

This post is quite long so here is a quick summary:
I have written a module as described below in Implementation.  I am 
trying to assess the security of this solution.  I am seeking information 
on the questions raised in the Issues section.  Feedback would be much 
appreciated.


Secure use of passwords in php scripts

Problem
To connect to a database and other resources, a password is required. 
The password is an arbitrary string of data which should be kept hidden 
from unauthorized users.

File system permissions
Because the web server runs as user nobody, the file containing the 
password needs to be readable by user nobody or world readable.  This 
means any local user or user with access to the web server can read the 
password.

It might be possible to retrieve a password with a suid program which 
can sanity check the environment before returning a password, but any 
user with cgi access to the web server could create a false environment 
and trick the suid program into divulging the password.

Cryptography Solution
A cryptographic hash on the environment might allow a check to see if 
the environment has been tampered with.  This could make the suid 
solution workable.

Internal Storage Solution
The solution needs to build on the following:
- files containing passwords should have restricted read permissions
- the web server starts as user root and can read any file
- the web server can look at the path of the script requesting a 
password and allow or deny access

The solution might also need to address the following:
- prevention of password strings leaking into child processes
- prevention of password strings being accessible by server modules?

Implementation
An apache module loads the password config file on startup.  This needs 
to be done as root.
When a php script wants a password, it calls virtual() on a specific URI 
which is mapped to a special handler.
That handler checks that the request URI should be allowed access, and 
if so sets a note (table_set) containing the password.

Issues
Is there a way a php script or other non-root controlled method can fool 
the environment of the subrequest such that the main URI can be 
forged/spoofed or whatever, tricking the handler into giving up the 
password?

Can php or another non-root controlled method read arbitrary memory from 
the apache process, obtaining a list of passwords from memory?  This 
might well impact on other authentication technologies.  Can a php 
script obtain the password a user has supplied to another 
request/session (ie, hijack a password being used somewhere else in the 
apache server).

-- 
John Newbigin - Computer Systems Officer
School of Information Technology
Swinburne University of Technology
Melbourne, Australia
http://www.it.swin.edu.au/staff/jnewbigin
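
Added example (not part of the original post and not the module it describes): a sketch in C of the allow/deny decision from the Implementation section, made on the top-level request's resolved filename rather than on anything the subrequest supplies. The struct req type is a hypothetical stand-in for the main and filename fields of Apache's request_rec, and the ACL entries and secrets are constructed sample data.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the two request_rec fields this check reads. */
struct req { const struct req *main; const char *filename; };

/* One entry of the root-only config: script path or directory -> secret. */
struct acl { const char *path; const char *secret; };

/* Constructed sample data, not real credentials. */
static const struct acl ACL[] = {
    { "/var/www/app/db.php", "constructed-db-secret" },
    { "/var/www/reports/",   "constructed-report-secret" },
};

/* Accept only absolute paths with no empty, "." or ".." segment, so a
 * directory match cannot be escaped with "/var/www/reports/../x.php". */
static int path_is_clean(const char *p)
{
    if (p == NULL || p[0] != '/') return 0;
    while (*p == '/') {
        const char *seg = ++p;              /* first byte after the '/' */
        while (*p && *p != '/') p++;
        size_t n = (size_t)(p - seg);
        if (n == 0 || (n == 1 && seg[0] == '.') ||
            (n == 2 && seg[0] == '.' && seg[1] == '.')) return 0;
    }
    return 1;
}

/* Return the secret the requesting script may receive, or NULL (default deny). */
const char *secret_for(const struct req *r)
{
    if (r == NULL) return NULL;
    while (r->main != NULL) r = r->main;    /* subrequests can nest: go to the top */
    if (!path_is_clean(r->filename)) return NULL;
    for (size_t i = 0; i < sizeof ACL / sizeof ACL[0]; i++) {
        size_t n = strlen(ACL[i].path);
        int is_dir = ACL[i].path[n - 1] == '/';
        /* Directory entries end in '/', so "/var/www/reports-evil/" cannot match. */
        if (is_dir ? strncmp(r->filename, ACL[i].path, n) == 0
                   : strcmp(r->filename, ACL[i].path) == 0)
            return ACL[i].secret;
    }
    return NULL;
}
```

A direct request to the handler URI has no parent request, so its own filename is checked and, not being in the ACL, is denied.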

