# cat /etc/apache2/conf.d/gosa.conf
Alias /gosa /usr/share/gosa/html
<Location /gosa>
include /etc/gosa/gosa.secrets
</Location>
# cat /etc/gosa/gosa.secrets
RequestHeader set FooPassword very-secret-credentials
The latter file can only be read by root, so the security "problem" is
as critical as beeing able to read cleartext kerberos or sasldb
passwords as root.
This implementation only requires minimum changes and has no big overhead on the server side... Uh, and a "a2enmod headers" from postinst.
Cheers, Cajus Am 05.04.2008 um 11:07 schrieb sean finney:
hi, a few more ideas for you to think about: - create a user specific to the package, and 1: use a setuid wrapper binary for doing all ldap communications or2: use some kind of user-restricted fastcgi type setup instead of standardapache mod_php/python/whatever or 3: run a seperate instance of $webserver listening on a different port(localhost:8080 or similar), and running as the specific user. you can then drop in a proxy config to make that available from the standard $webserver.sean