Password File Access On Server Side

Status
Not open for further replies.

cptk, Technical User, Mar 18, 2003
I have a URL that when first called, runs a cgi script. The cgi script reads in and processes data from 3 separate text files, builds 3 html tables and displays them back to the browser on 1 page. This works with no problem.

The problem is I only want to allow certain users permission to edit the contents of any one table - thus I provide a checkbox and/or submit button (haven't worked those details out exactly yet) that prompts a user for a password before proceeding. If I client-side check the password against some hidden input tag, type=hidden via javascript, I'm only providing a low security solution. Better yet, I would like to send the password to a cgi script and check on the server-side.

Therefore, I need to either password-protect access to the text files or set-up a method within my cgi script. I've also looked into apache's .htaccess & .htpasswd, but they seem to only deal with protecting access to a directory, not a particular file!

Is there a better solution????

I know this might not be the "right" forum for this, but it's my initial attempt ...thanks!!
 
checking pass/user on client side is 'no security'. You'll absolutely want to validate your user/pass on server side. Setting your chmod on your files will secure them.
 
I agree, client-side checking is no security (or at best low security) - either way you describe it ... basically it's NOT the direction I was looking towards!

Setting the file permissions is not the same thing as allowing access based on a particular user [unless of course you introduce to this equation "group names", which leads to System Admin. getting involved, etc. Something I don't want to do!]. I simply want to limit the access to a file based on a user knowing the "password" to the file.

And it seems the only way to do it is within the cgi script. But of course this has its own security risks as well (e.g. - those with access to my cgi directory could simply read my cgi script).
 
Create a file outside of your web root directory to store the username / password combinations. For instance, if the root to your website is in / create the file in the /www/ directory. This ensures that only users with the access to that directory (like the ID that runs your CGI script) can see it, let alone read its information.

Then inside the CGI, just open that file, parse its information and if the username / password combination matches, they're in.

Alternately, you might want to consider using a DBM file to store the username / password information in. It stores information in a hash so you don't have to parse through a file that's thousands of records long. (Thinking long term of course)

- Rieekan
 
The cgi script reads in and processes data from 3 separate text files, builds 3 html tables and displays them back to the browser on 1 page. This works with no problem ...
The problem is I only want to allow certain users permission to edit the contents of any one table ... Therefore, I need to either password-protect access to the text files
Can you clarify - Do you want to stop unauthorised users from gaining any access to the data in the files, including just reading it, or do you only want to limit who can edit the data?

If the latter, just get them to enter a password at the same time as they enter the revised data values. Your server-side script can check the password before applying the changes to the hidden file, and reject them if the password is wrong.

-- Chris Hunt
Webmaster & Tragedian
Extra Connections Ltd
 
Chris -

Yes, I "..only want to limit who can edit the data" via the web page. So I agree with having the server-side script verify if they have permission to edit the data. My problem is the server-side script file fails to run from the browser if the script is chmod'd 711 (i.e., -rwx--x--x). The script file needs to be set-up with chmod 755 (i.e., -rwxr-xr-x) to run correctly. Therefore, I'm opening-up to anybody who wants to see the contents of the server-side script file, which obviously "could" defeat the purpose of requiring the password in the first place. I say "could" because this web page is for internal use at our company - this web page won't be used outside the company.

What then do you mean by hidden file? The cgi script, or a file containing the user/password combinations? And if you mean the file containing the passwords, won't I be faced with the same problem as stated above if I "hide" the file?
 
Oh, sorry, your reference to "hidden" file was referring to the file containing the permission-editable text data ...right?

So, actually my question boils down to this:
How can you limit someone from reading your file(s) if the files in question need to be minimally chmod'd to 755 in order to run on the browser?
 
sounds like all you need is a very simple username file with a password and a binary flag to note permission or no permission.

folder users:
files:
John.dat
Mary.dat
Joe.dat

each file has two lines:

birdlips
111

the first line is their password, the second is a series of binary flags noting the permission for the three tables. 111 means permission to edit all three. 100 would mean only table one, 110 would be table one and two, you get the idea. Or you could use a more human readable format if you wanted to:

password:birdlips
table1:yes
table2:no
table3:no

The user has to login either before displaying the tables or has to enter a name and password when submitting edits. Your script opens the user file, checks the password and checks the permission flag. If there are no problems the script processes the edits, otherwise print an error message.
 
Kevin,
In your last paragraph, you mention "...or has to enter a name and password when submitting edits" - that's exactly the way I'm implementing this!
but ... that still doesn't resolve my .99 cent question:
How can you limit someone from reading your server-side file(s) if the files in question need to be minimally chmod'd to 755 in order to run on the browser?

If I understand your reply correctly (and I think I do), I'm still faced with the possibility of a user simply accessing the directory where this password file is and reading the file.

B.T.W. (by-the-way) - when a user, from a pc, runs a URL which in turns executes a cgi script, what's the id value of that user from the server-side?

 
only files that need to be executed need chmod 755 (such as perl scripts). Other files should only require 644.

If you don't want people to be able to run your script then you have to force them to enter a name/password first before serving up the content. Could be as simple as:

Code:
use strict;
use warnings;
use CGI;

my $q = CGI->new;
if ($q->param('password') && $q->param('username')) {
   check($q->param('username'), $q->param('password'));
}
else {
   login();
}

sub check {
   my ($name,$pass) = @_;
   # only allow plain word characters so the name cannot point outside users/
   $name =~ /^\w+$/ or die "bad username\n";
   open(my $fh, '<', "path/to/users/$name.dat") or die "$!";
   my @data = <$fh>;
   close($fh);
   chomp @data;
   #run some checks here (e.g. compare $pass with $data[0])
   #if no problems proceed
   #if problems print an error message and exit
}

sub login {
   # print a form for the user to enter their name and password
   print $q->header,
         $q->start_html('Login'),
         $q->start_form,
         'Name: ', $q->textfield('username'),
         ' Password: ', $q->password_field('password'),
         $q->submit('Log in'),
         $q->end_form,
         $q->end_html;
   exit();
}

keep in mind, this is not meant to be working code, just to give you ideas.
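As an added example (not Kevin's code or anything posted in this thread), here is the per-user file idea from Kevin's earlier post with the check routine filled in. The file stores a salt and a salted SHA-256 digest instead of the plaintext password, so a colleague who can read the users/ directory sees the permission flags but not the password itself; the salt value, the sample password 'birdlips' and the record contents are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);   # core module since Perl 5.10

# Digest stored in the user file: salted SHA-256 of the password.
# (A slow KDF such as bcrypt would be stronger; SHA-256 keeps this core-only.)
sub hash_password {
    my ($salt, $pass) = @_;
    return sha256_hex($salt . $pass);
}

# Parse the "key:value" lines of one users/<name>.dat file into a hash.
sub parse_user_file {
    my ($text) = @_;
    my %rec;
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(#|$)/;          # skip blanks and comments
        my ($k, $v) = split /:/, $line, 2;
        $rec{$k} = $v;
    }
    return \%rec;
}

# 1 if the password verifies and the record grants edit rights on $table, else 0.
sub may_edit {
    my ($rec, $pass, $table) = @_;
    return 0 unless defined $rec->{salt} && defined $rec->{password};
    return 0 unless hash_password($rec->{salt}, $pass) eq $rec->{password};
    return (($rec->{$table} // 'no') eq 'yes') ? 1 : 0;
}

# Constructed contents of users/John.dat: a salt, the constructed password
# 'birdlips' hashed with it, and per-table flags. In the real CGI this text
# would be read from the file named after the submitted (validated) username.
my $salt     = '7f3a9c';
my $john_dat = join "\n",
    "salt:$salt",
    'password:' . hash_password($salt, 'birdlips'),
    'table1:yes', 'table2:no', 'table3:yes', '';

my $rec = parse_user_file($john_dat);
for my $try (['birdlips', 'table1'], ['birdlips', 'table2'], ['wrong', 'table1']) {
    my ($pass, $table) = @$try;
    printf "%-9s %s -> %s\n", $pass, $table,
        may_edit($rec, $pass, $table) ? 'allowed' : 'denied';
}
```

Running it prints allowed for birdlips/table1 and denied for the other two tries; a wrong password is refused before any permission flag is consulted.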
 
If you're worried about your script having 755 permissions, try doing it and trying to read its source code across the web yourself. You'll find that you can't - when the web server receives a request for a file in the cgi-bin, it doesn't return the file, it executes it and returns the result. A "view source" will just show the HTML that the script sent out. There's no way your visitors can snoop on the source code of a server-side script.

-- Chris Hunt
Webmaster & Tragedian
Extra Connections Ltd
 
Chris & Kevin -
Thank you for your prompt responses and insight. I agree with everything you both are saying, although I mentioned this, I think I failed to make it clear that I'm designing this web site for internal use at our company. This being the case, all users at our company have access to each others' directories. Yes, it would be "nice" for those who use my web site to access, and edit (provided they are permitted via a password mechanism) the specific data, but there is the possibility they could simply find the directories which contain the cgi script, data files and password file (if I choose to put the password stuff in a separate file) and simply view the data. I would like to prevent this from happening, but I think due to the nature of my situation, I don't know a way around it. What I'm really only concerned with is the fact that someone could simply open the data file and edit the contents manually - skipping using the web site which was designed to provide a better, more efficient way to edit the data (i.e. - validation of data).

Is there a way around this?
Sorry for these long-winded entries :)
 
nah, it's not that bad ... I'm just saying that in order for my URL web page to work as designed, the cgi script needs to be -rwxr-xr-x and the text files the cgi script accesses need to be -rw-rw-rw- . Believe me, I'm not compromising the system integrity!

I haven't "pinged" our sys admin group yet on this problem. Since I'm the only one outside sys admin who has cgi privileges, I wanted to do some research 1st before posing these questions to them.
 