Re: [cgiwrap-users] CGIWrap and Nagios issues

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Using ScriptAlias and the like to map CGI executions to usernames
and the like won't result in Apache honouring .htaccess.  I believe
the problem to be more related to Apache than cgiwrap.

For workarounds, there's only one that I've found: use a <Directory>
or <Location> block and add appropriate .htaccess-esque rules there.
Aren't the oversights of Apache wonderful?  ;-)

Example configuration: one of our virtualhosts uses cgiwrap to assist
in managing their web board software (ugh...).  The board requires
authentication to post (but not read).  Since cgiwrap is involved,
there is no way to achieve the authentication without actually
modifying the CGI to do the authentication itself (rather than rely
on Apache's .htaccess allow/deny and authentication directives).
To alleviate this problem, I had to do the following within our
Apache config, within their <VirtualHost> block:

  ScriptAlias /cgi-bin/   "/usr/local/www/cgi-bin/cgiwrap/user/"

  <Location /cgi-bin/bbs/secure>
    AuthType Basic
    AuthName "Restricted Access"
    AuthUserFile "/home/user/cgi-bin/bbs/secure/.htpasswd"
    Require valid-user
  </Location>

{rant}
Aren't the oversights of Apache wonderful?  For a webserver that
something like 80-90% of the Internet relies on, I'd expect it to
have better logic/directives for handling such situations.  Hell,
better yet, solve the problem altogether: add setuid() support for
CGIs and documents to Apache natively, WITHOUT suexec (which is just
an ugly hack).  And while they're at it, add rate-limiting support,
and proper bandwidth monitoring to the stock Apache server, rather
than relying on half-ass third-party modules which don't work or
require you to patch the Apache core to get SHM to work...
{/rant}

-- 
| Jeremy Chadwick                                 jdc at parodius.com |
| Parodius Networking                        http://www.parodius.com/ |
| UNIX Systems Administrator                   Mountain View, CA, USA |
| Making life hard for others since 1977.                             |

On Wed, Jul 06, 2005 at 08:13:18PM +1000, James Turnbull wrote:
> James Turnbull wrote:
> 
> >Hi
> >
> >I've configured Nagios and Apache to work with CGIWrap.  I sym-linked 
> >a /home/nagios/public_html/ directory to the Nagios CGI directory 
> >/usr/local/nagios/sbin.  Everything seems to work and cgiwrap seems to 
> >be working but I also use authentication (Digest authentication) to 
> >authenticate my users.  In Nagios authenticated users are then used to 
> >determine what access is granted to the Nagios web console.  But after 
> >installing CGIWrap Nagios seems unable to work out what user is signed 
> >in and hence doesn't correctly authorize users.  In Nagios this shows 
> >up as the signed in user name being replaced with a ?, ie. instead of 
> >the console saying jsmith is signed in it says that ? is signed in.
> >
> To add further information - I have noted from the documentation that 
> CGIWrap doesn't work with .htaccess files - does this imply it doesn't 
> work with Apache authentication directives that are contained in either 
> .htaccess files or the httpd.conf file?
> 
> Regards
> 
> James Turnbull
> 
> -- 
> James Turnbull <ja...@lo...>
> ---
> Author of Hardening Linux, Apress
> (http://www.amazon.com/exec/obidos/tg/detail/-/1590594444/)
> ---
> PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)
> 
> 
> 
> 