
Re: Basic Authentication for web pages



>> Careful:  You are passing the password as part of a command line, and
>> command lines are visible to the world!  Instead of using an echo command,
>> you should open a pipe to the nwauth command and write the password down the
>> pipe.  Not knowing php, you are on your own <g>!
>>
>> >////////////////////////////////
>> >function nwauth ($nwserver, $user, $pass) {
>> >  $command=sprintf("echo \"%s\" | nwauth -S %s -U %s",  // parsing the
>                       ^^^^^^^^^^^^^^^^^^^^^
>
>This exactly does what you said it should do, not what you thought it
>does! I.e. it opens a pipe to nwauth and "echo"s the password to nwauth's
>stdin. In the code above, nwauth does not receive the password as its
>command line argument; in fact it doesn't even accept password in its
>command line even if one tries to do so.
>
>Am I missing something?


Yes!  The variable $command will contain a string that looks something
like this:
    echo "somepassword" | nwauth -S someserver -U someuser

And it executes this command.  If someone was doing a ps ax
command while this was running, they would have seen the echo
command **AND ITS ARGUMENT** as the output of the ps listing.

Anyway, this is getting off topic (PAM), so if you want to go into this
further, either e-mail me or we can switch over to the
comp.security.unix newsgroup.

Scott Nelson
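
One way to write the password down a pipe from PHP, as an added example that is not part of the original thread. It assumes nwauth reads the password from stdin and takes -S and -U as in the quoted code; the function name nwauth_via_pipe and the "exit status 0 means success" convention are assumptions.

```php
<?php
// Added illustration, not code from the original thread.
// Assumption: nwauth reads the password from stdin and exits 0 on success.

function nwauth_via_pipe(string $nwserver, string $user, string $pass): bool
{
    // Array form of the command (PHP >= 7.4) starts nwauth directly, without
    // /bin/sh. No "echo <password>" process is ever created, and no shell
    // parses $nwserver or $user.
    $argv = ['nwauth', '-S', $nwserver, '-U', $user];

    $spec = [
        0 => ['pipe', 'r'],              // child's stdin: we write the password here
        1 => ['file', '/dev/null', 'w'], // discard stdout
        2 => ['file', '/dev/null', 'w'], // discard stderr
    ];

    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return false;                    // could not start nwauth: fail closed
    }

    // The password travels only through the pipe, so it never appears in
    // any argv. A ps listing shows the server and user name, nothing more.
    fwrite($pipes[0], $pass . "\n");
    fclose($pipes[0]);                   // send EOF so nwauth stops reading

    // proc_close() waits for the child and returns its exit status.
    return proc_close($proc) === 0;
}
```

While this runs, `ps ax` shows only `nwauth -S someserver -U someuser`; the earlier sprintf/echo version also shows the `sh -c` command string with the password in it.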



