List: apache-modules
Subject: [apache-modules] apache module to store passwords
From: John Newbigin <jn () it ! swin ! edu ! au>
Date: 2004-03-25 3:09:39
Message-ID: 40624D73.6050103 () it ! swin ! edu ! au
This post is quite long so here is a quick summary:
I have written a module as described below in Implementation. I am
trying to assess the security of this solution. I am seeking information
on the questions raised in the Issues section. Feedback would be much
appreciated.

Secure use of passwords in php scripts

Problem
To connect to a database and other resources, a password is required.
The password is an arbitrary string of data which should be kept hidden
from unauthorized users.

File system permissions
Because the web server runs as user nobody, the file containing the
password needs to be readable by user nobody or world readable. This
means any local user or user with access to the web server can read the
password.
It might be possible to retrieve a password with a suid program which
can sanity check the environment before returning a password, but any
user with cgi access to the web server could create a false environment
and trick the suid program into divulging the password.

Cryptography Solution
A cryptographic hash on the environment might allow a check to see if
the environment has been tampered with. This could make the suid
solution workable.

Internal Storage Solution
The solution needs to build on the following:
- files containing passwords should have restricted read permissions
- the web server starts as user root and can read any file
- the web server can look at the path of the script requesting a
password and allow or deny access
The solution might also need to address the following:
- prevention of password strings leaking into child processes
- prevention of password strings being accessible by server modules?

Implementation
An apache module loads the password config file on startup. This needs
to be done as root.
When a php script wants a password, it calls virtual() on a specific URI
which is mapped to a special handler.
That handler checks that the request URI should be allowed access, and
if so sets a note (table_set) containing the password.

Issues
Is there a way a php script or other non-root controlled method can fool
the environment of the subrequest such that the main URI can be
forged/spoofed or whatever, tricking the handler into giving up the
password?

Can php or another non-root controlled method read arbitrary memory from
the apache process, obtaining a list of passwords from memory? This
might well impact on other authentication technologies. Can a php
script obtain the password a user has supplied to another
request/session (i.e., hijack a password being used somewhere else in the
apache server).
--
John Newbigin - Computer Systems Officer
School of Information Technology
Swinburne University of Technology
Melbourne, Australia
http://www.it.swin.edu.au/staff/jnewbigin
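
The handler check described under Implementation, modelled as an added example (not code from the original post or from the author's module). `struct req` is a simplified stand-in for Apache's `request_rec`; the grant table, paths, secret names and the choice to set the note on the top-level request are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-in for Apache's request_rec (assumption: only the
 * fields this check needs; a real module would include httpd.h). */
struct req {
    struct req *main;       /* parent request, NULL for a top-level request */
    const char *filename;   /* file the server mapped the request to */
    const char *note;       /* models one entry in the request's notes table */
};

/* Constructed sample policy: which script directory may read which secret. */
struct grant { const char *dir; const char *secret; };
static const struct grant grants[] = {
    { "/var/www/app",   "app-db-password"   },
    { "/var/www/admin", "admin-db-password" },
};

/* True when path lies under dir: match on a whole path component and
 * reject any ".." component, so "/var/www/app-evil" does not match. */
static int under_dir(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    if (strncmp(path, dir, n) != 0 || path[n] != '/')
        return 0;
    for (const char *p = path; (p = strstr(p, "/..")) != NULL; p += 3)
        if (p[3] == '/' || p[3] == '\0')
            return 0;
    return 1;
}

/* Handler logic: returns 1 and sets the note on the top-level request
 * when the calling script is allowed a password, 0 otherwise. */
int password_handler(struct req *sub)
{
    struct req *top = sub;
    if (sub == NULL || sub->main == NULL)
        return 0;               /* direct client request: never answer */
    while (top->main != NULL)   /* nested subrequests: walk to the root */
        top = top->main;
    if (top->filename == NULL)
        return 0;
    for (size_t i = 0; i < sizeof grants / sizeof grants[0]; i++) {
        if (under_dir(top->filename, grants[i].dir)) {
            top->note = grants[i].secret;
            return 1;
        }
    }
    return 0;
}
```

The decision uses the server-mapped filename of the top-level request rather than anything supplied in the subrequest itself, and a request that arrives without a parent is refused outright.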