This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
From: efflandt@xnet.com (David Efflandt)
Subject: Re: Restricting CGI w/ Passwords
Newsgroups: comp.infosystems.www.authoring.cgi
Date: 28 Aug 2000 11:02:03 -0600
Message-ID: <slrn8qifrd.pss.efflandt@efflandt.xnet.com>
References: <sqh83t48t9142@corp.supernews.com> <sqidbcmrt9153@corp.supernews.com>

On 27 Aug 2000 08:38:28 -0600, Fly <fly@pcc.net> wrote:
:Yes, the web server is Apache. If I use the htaccess method wouldn't that
:restrict ALL scripts? I just want to restrict the use of a few of them.

Give your scripts a different file extension (.cgia in this case) and use that with a <Files> or <FilesMatch> directive in .htaccess. Note that the AddHandler line is not necessary in a real ScriptAlias cgi-bin and might not be allowed by AllowOverride settings:

    AddHandler cgi-script cgia
    <Files "*cgia">
    AuthType Basic
    AuthName "Private Scripts"
    AuthUserFile /sys_path_to/.htpasswd
    require valid-user
    </Files>

But if you do use a password from a normal form in your CGI, make sure that you store the password crypted and then test the password from the form against the crypted password (using CGI.pm function mode):

    exit unless (crypt(param('passwd'),$crpasswd) eq $crpasswd);

A CGI to crypt the password is available from the last 2 sites in my sig, but note that there are 2 different types of crypt (DES and MD5), so you should probably run that on your own system to crypt a password.

:"Fly" <fly@pcc.net> wrote in message
:news:sqh83t48t9142@corp.supernews.com...
:: Is there a way to prevent someone from running a script in my CGI
:directory?
::
:: I'd like to add a password to a given script so that only I can run the
:: script.

-- 
David Efflandt  efflandt@xnet.com
http://www.de-srv.com/
http://www.autox.chicago.il.us/
http://www.berniesfloral.net/
http://hammer.prohosting.com/~cgi-wiz/
http://cgi-help.virtualave.net/

-- 
PLEASE NOTE: comp.infosystems.www.authoring.cgi is a SELF-MODERATED newsgroup. aa.net and boutell.com are NOT the originators of the articles and are NOT responsible for their content. You can SELF-APPROVE your first posting by writing the word 'passme' on a line by itself.

From: jonceramic@nospammiesno.earthlink.net (Jon S.)
Subject: Re: Restricting CGI w/ Passwords
Newsgroups: comp.infosystems.www.authoring.cgi
Date: 28 Aug 2000 16:48:41 -0600
Message-ID: <39aa7f1d.6383975@news.earthlink.net>
References: <sqh83t48t9142@corp.supernews.com> <sqidbcmrt9153@corp.supernews.com>

On 27 Aug 2000 08:38:28 -0600, "Fly" <fly@pcc.net> wrote:
:Yes, the web server is Apache. If I use the htaccess method wouldn't that
:restrict ALL scripts? I just want to restrict the use of a few of them.

I have made a separate "admin" directory (with a weird, unguessable name) that I have given a password to, with the password file in a separate, non-html accessible folder in my account directory.

However, the data sent will still be unencrypted, even if you use .htaccess and a basic password authentication. So, to give some protection for the data sent once you're in, you might want to also use SSL (https) in addition to the basic authentication when you actually use the form.

I have also put a second password inside of my admin scripts. It's a single word entry on the forms, and I maintain it (enter it into all of the password fields) after I've entered it into the form the first time. And since I only send the data via SSL, it's encrypted from simple sniffing.

That way, people need to determine 2 passwords, not just one.

It's not perfect, but, judging from the thread on it a week or two ago, this is about the best you can do, when combined with smart design like naming your password field "kitty", instead of "password" or calling your admin files "oeodoioto.cgi" instead of "edit.cgi" so people can't guess things easily.

Search deja or remarq for the recent thread entitled "CGI for specific user only" to see what some of the gurus told me.

Best of luck,
Jon
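
Added example, not part of either post above and not the posters' code: the stored-crypt comparison from the first reply, extended to tell the two crypt() formats it mentions apart and to refuse a hash the local crypt() cannot verify, plus the HTTPS check the second reply relies on. The function names, the sample password and the HTTPS=on environment variable are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: constructed for illustration, not code from the thread.
use strict;
use warnings;

# Which crypt() scheme produced a stored hash. MD5 hashes start with "$1$";
# traditional DES hashes are exactly 13 characters from [./0-9A-Za-z].
sub hash_type {
    my $stored = shift // '';
    return 'md5' if $stored =~ /^\$1\$/;
    return 'des' if $stored =~ m{^[./0-9A-Za-z]{13}$};
    return 'unknown';
}

# True if this system's crypt() honours an MD5 salt. A DES-only crypt()
# returns a 13-character string (or undef) for the same call.
sub system_supports_md5 {
    return hash_type(crypt('probe', '$1$saltsalt$')) eq 'md5';
}

# Hash a new password on the machine that will later verify it.
sub make_hash {
    my ($plain) = @_;
    my @set  = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');
    my $salt = join '', map { $set[ int rand @set ] } 1 .. 8;   # salt is not secret
    return crypt($plain, '$1$' . $salt . '$') if system_supports_md5();
    return crypt($plain, substr($salt, 0, 2));   # DES: only 8 password chars count
}

# The thread's comparison, plus refusal of hashes this host cannot verify.
sub check_password {
    my ($plain, $stored) = @_;
    return 0 unless defined $plain && length $plain;
    my $type = hash_type($stored);
    return 0 if $type eq 'unknown';
    return 0 if $type eq 'md5' && !system_supports_md5();
    my $try = crypt($plain, $stored);
    return (defined $try && $try eq $stored) ? 1 : 0;
}

# Hypothetical transport check: assumes the server sets HTTPS=on for SSL requests.
sub transport_ok { return (($_[0]{HTTPS} // '') eq 'on') ? 1 : 0 }

# Constructed sample values; in the CGI the guess comes from param('passwd').
my $crpasswd = make_hash('constructed-sample');
printf "scheme=%s right=%d wrong=%d https=%d plain=%d\n",
    hash_type($crpasswd),
    check_password('constructed-sample', $crpasswd),
    check_password('Constructed-sample', $crpasswd),
    transport_ok({ HTTPS => 'on' }), transport_ok({});
```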
From: ellis@ftel.net (Rick Ellis)
Subject: Re: Restricting CGI w/ Passwords
Newsgroups: comp.infosystems.www.authoring.cgi
Date: 1 Sep 2000 11:21:55 -0600
Message-ID: <8oos27$l6g$1@ting.ftel.net>
References: <sqh83t48t9142@corp.supernews.com> <sqidbcmrt9153@corp.supernews.com>

In article <sqidbcmrt9153@corp.supernews.com>, Fly <fly@pcc.net> wrote:
:Yes, the web server is Apache. If I use the htaccess method wouldn't that
:restrict ALL scripts? I just want to restrict the use of a few of them.

Why not put the ones you want to restrict in a sub-directory under cgi-bin?

-- 
http://www.fnet.net/~ellis/photo/linux.html
From: Bill Moseley <usenet@hank.org>
Subject: Re: Restricting CGI w/ Passwords
Newsgroups: comp.infosystems.www.authoring.cgi
Date: 27 Aug 2000 09:27:02 -0600
Message-ID: <39a94156_1@huge.aa.net>
References: <sqh83t48t9142@corp.supernews.com>

On 27 Aug 2000 08:38:28 -0600 Fly (fly@pcc.net) remarked...
: Yes, the web server is Apache. If I use the htaccess method wouldn't that
: restrict ALL scripts? I just want to restrict the use of a few of them.

You might read the apache documentation about mod_auth & mod_access, and you could also read about the Location, Files, Directory and related directives.

So, yes, you can limit any specific directory, file, or location you want.

This topic is so common you might have good luck by searching Deja.com and the web although most of the examples on the web use <LIMIT> for no good reason.

-- 
Bill Moseley
From: "Viking" <vikingrscup@rogue-spear.com>
Subject: Re: Restricting CGI w/ Passwords
Newsgroups: comp.infosystems.www.authoring.cgi
Date: 27 Aug 2000 10:15:49 -0600
Message-ID: <8obiaq$oas$1@news1.skynet.be>
References: <sqh83t48t9142@corp.supernews.com> <sqidbcmrt9153@corp.supernews.com>

Ok, then try this .htaccess configuration:

    AuthUserFile /path/to/.htpasswd
    AuthGroupFile /path/to/.htgroup
    AuthName Restricted
    AuthType Basic
    <Files "yourscript.cgi">
    # A user name is matched with "require user". Order/Deny/Allow match
    # client hosts only, and "Deny from all" would lock out every client.
    require user you
    </Files>

Fly <fly@pcc.net> wrote in message news:sqidbcmrt9153@corp.supernews.com...
: Yes, the web server is Apache. If I use the htaccess method wouldn't that
: restrict ALL scripts? I just want to restrict the use of a few of them.
:
: "Fly" <fly@pcc.net> wrote in message
: news:sqh83t48t9142@corp.supernews.com...
: : Is there a way to prevent someone from running a script in my CGI
: directory?
: :
: : I'd like to add a password to a given script so that only I can run the
: : script.