|
다음은 mod_auth_mysql 프로그램입니다. 이 프로그램은 아파치에서 사용자 인증시 MySQL을 이용할 수 있도록 해 주는 모듈입니다.
다음은 소스 내에 포함된 Readme 파일의 내용입니다.
===========================================
Apache authentication module for MySQL v2.10
============================================
This module is originally based on the MySQL-patched mod_auth_msql.c, but the truth is, very little remains from the previous mod_auth_msql.c/mod_auth_mysql.c. Since MySQL can handle lots of simultaneous connections
easily (unlike mSQL), I\ve more or less rebuilt the module from the bottom up to keep the SQL link alive in
between hits. I\ve also cleaned up the code (mostly be deleting it and writing it in another way), dumped
the large static query buffers in favour of pool-allocated memory, and possibly some other stuff.
As described later in this file, please consider this a BETA as it hasn\t gone through enough real-world
usage just yet.
Who shouldn\t use it
--------------------
* Somebody who uses more than one MySQL *server* to authenticate users, from within the same apache process.
This isn\t possible right now, and as far as I\m concerned, wouldn\t be possible in the near future
(one SQL link per httpd is how it works now).
* Somebody who, for some reason, doesn\t want many active links to his database.
Who should use it
-----------------
Everybody else, and especially on a busy site.
Compiling it into Apache 1.2.x
------------------------------
* Copy mod_auth_mysql.c into your Apache src directory.
* Add the following line at the bottom of your \Configuration\ file:
Module mysql_auth_module mod_auth_mysql.o
* Assuming you installed MySQL to /usr/local/mysql, add the following to the
EXTRA_LIBS directive in the \Configuration\ file (if you installed to a different
directory, change accordingly):
-L/usr/local/mysql -lmysqlclient -lm
* Run ./Configure and make
Compiling it into Apache 1.3b6 [*]
----------------------------------
* Copy mod_auth_mysql.c to Apache\s modules/extra directory.
* Add the following line at the bottom of your \Configuration\ file:
Module mysql_auth_module modules/extra/mod_auth_mysql.o
* Assuming you installed MySQL to /usr/local/mysql, add the following to the
EXTRA_LIBS directive in the \Configuration\ file (if you installed to a different
directory, change accordingly):
-L/usr/local/mysql -lmysqlclient -lm
* Run ./Configure
* Run \make depend\
* Run ./Configure again and then make
[*] I\m not sure this is the nicest/most correct way to do the job, but it \worked
for me\ (I only checked that it compiles clean under Apache 1.3b6, nothing
more.
How do I use it?
----------------
Read the \USAGE\ file supplied with this document,
or take a look at http://bourbon.netvision.net.il/mysql/mod_auth_mysql/
Compatability issues
--------------------
The module is *almost* compatible with the previous mod_auth_mysql.c. Different stuff:
* You can\t specify the SQL database host in the .htaccess file, but rather you must specify
it in the apache configuration file (httpd.conf). The user and password for the database
*can* be specified in the .htaccess file for downwards compatability, but are silently
ignored (the connection info should be kept in the server configuration file, httpd.conf).
* It no longer includes any compatability with the Vivek module. That Vivek module seemed
to be in the mSQL module, so I doubt anybody who uses MySQL used the Vivek directives.
* If you don\t specify certain directives, they are assigned defaults:
authentication table name - \mysql_auth\
username field - \username\
password field - \passwd\
group field - \groups\ (would have been \group\, but this is a reserved word in MySQL)
* The module defaults to allow empty passwords rather than forbid them.
Other than that, it should pretty much be compatible.
Note: Logging to different databases on the same server *is* supported, with one restriction -
the connection info (host, username, password) are shared, so the user/pass combination in the
httpd.conf file, has to have select access on any database that is used.
The way to go about implementing a mod_auth_mysql protected web site with multiple users is
having one user, with SELECT permissions to all of the databases in question, and keep that
user\s password to yourself only (the system administrator). That way, each user can setup
his authentication information in his database, and have it readable to the mod_auth_mysql
user only, without having to share that information with the other users on the server.
New directives
--------------
Auth_MYSQLgeneral_db <db_name> - optional httpd.conf directive. A default authentication database to use
in case no database is specified in the .htaccess file.
Auth_MYSQLinfo <host> <user> <passwd> - optional httpd.conf directive. Which host/user/passwd to use
in order to connect to the database. If you wish to specify
values for only certain variables, supply \.\ for the others.
Auth_MYSQL on/off - optional httpd.conf or .htaccess directive to turn MySQL authentication
on/off (so that it\ll be easy to work with other types of authentication)
One can specify a default authentication database (that would be used in case none is specified
in the .htaccess file) using the Auth_MYSQLgeneral_db directive, in the httpd.conf.
Revision history
---------------
v2.10 - Added the necessary include file to make Apache 1.3b6 happy
- Added some information to the USAGE file, loosely describing how to go about
implementing multiple groups for a single user.
v2.09 - Made the full error message of the MySQL server appear in case of a failed
connect
- Added Auth_MYSQL on/off directive, so that it\ll be easily possible to turn
the MySQL authentication on/off serverwide or for a specific directory.
- Fixed the groups authentication code so that it\ll work with one query and
multiple groups. For good this time :)
- Some code cleanups
v2.08 - Fixed a checking for NULL password fields (won\t work, but won\t crash either)
- Fixed logic and possible crashes with the new scrambled password initialization routines
- Optimized a couple of routines
- Changed the query that is used to check user groups - users that belong to multiple
groups should have multiple rows in the groups table
v2.07 - Fixed a bug in the escaping routine - strings that required escaping
were not properly detected (thanks to Marschall Peter for noticing the bug!)
- Added Auth_MYSQL_ScrambledPassword - boolean flag to instruct the module
to assume that passwords are scrambled using MySQL\s password() function
(by Marschall Peter <Peter.Marschall@gedos.de>).
v2.06 - Rearranged some code to allow for a successful apache 1.3beta compilation.
Please note that this is *untested*, I only got it to compile, I haven\t
actually tried to run apache 1.3.
v2.05 - Change the check for \mysql server has gone away\ to be case insenitive
v2.04 - Added USAGE file that explains how to use this module thoroughly
v2.03 - Added compilation information :)
v2.02 - Changed version number from 1.x to 2.x, so that people know that this is really newer
than mod_auth_mysql v1.4 :)
Added a tiny note at the top of the source file.
v1.02 - Fixed a bug in the groups code
v1.01 - Fixed a segmentation fault bug in case of aborted hits
v1.00 - Initial, unversioned release.
Disclaimer
----------
This comes with no warranty of any kind whatsoever, including but not limited to everything you can think of,
and everything your lawyers can think of.
Reporting bugs or UFOs:
If you found a bug in this mod_auth_mysql (\it works for me\), please let me know. This module has
been in active use in my former company for quite a while (and still is), and plenty of people
are using it, including on fairly busy sites, so bugs are not all that likely anymore, but they\re
always possible.
Email: Zeev Suraski <bourbon@bourbon.netvision.net.il>
The original (and pretty long :) comment from the previous mod_auth_mysql.c follows:
/*
* mod_auth_mysql: authentication
*
* Rob McCool & Brian Behlendorf.
*
* Adapted to Shambhala by rst.
*
* Addapted for use with the MySQL database
* (see http://www.tcx.se/)
*
* Addapted for use with MySQL by Wojciech Tryc wojtek@tryc.on.ca
* Version 1.0 May 1996 - Blame: Dirk.vanGulik@jrc.it.
* Version 1.1 Jan 1997 - by Wojciech Tryc
* Version 1.3w Jan 1997 - small modifications by Monty and merge with 1.3
* and 1.3 port by maume@fastnet.it (Maurizio Menghini)
* Version 1.4 May 1997 - by Terry Meadors <terrym@iquest.net> and
* Thomas W. Holt Jr. <gwyn@im1ru12.org>
* added mysql AuthMYSQLusername and AuthMYSQLpassword
* and cleaned up compiler warnings
*
* Outline:
*
* This module allows access control using the FPL (almost free)
* MySQL database; a fast SQL engine which can be
* contacted over an internal unix domain protocol as well as
* over normal inter-machine tcp/ip socket communication.
*
* An example table could be:
*
* create table user_records (
* user_id char(32),
* cpasswd char(32),
* xgroup char(32),
* primary key(user_id)
* )
*
* The user_id can be as long as desired; however some of the
* popular web browsers truncate, or stop the user from entering
* names longer than 32 characters. Furthermore the \crypt\ function
* on your platform might impose further limits. Also use of
* the \require users uid [uid..]\ directive in the access.conf file,
* where the user ids are separated by spaces can possibly prohibit the
* use of spaces in your user-names. Also, not the MAX_FIELD_LEN define
* somewhere below.
*
* To use the above, the following example could be in your access.conf
* file. Also there is a more elaborate description afther this example.
*
* <directory /web/docs/private>
*
* Auth_MYSQLhost localhost
* or
* Auth_MYSQLhost datab.machine.your.org
*
* If this directive is ommited, or set to
* localhost, the machine on which apache
* runs is assumed, and the faster /dev/mysql
* communication channel will be used. Otherwise
* it is the machine to contact by tcp/ip.
*
* Auth_MYSQLusername grant_table_login
* Auth_MYSQLpassword grant_table_login_password
*
* The MySQL grant table username and login used in
* mysql_connect(). Defaults to NULL.
*
* Auth_MYSQLdatabase www
*
* The name of the database on the above machine,
* which contains *both* the tables for group and
* for user/passwords. Currently it is not possible
* to have these split over two databases. Make
* sure that the mysql.acl (access control file) of
* MySQL does indeed allow the effective uid of the
* web server read access to this database. Check the
* httpd.conf file for this uid.
*
* Auth_MYSQLpwd_table user_records
*
* Here the table which contain the uid/password combination
* is specified.
*
* Auth_MYSQLuid_field user_id
* Auth_MYSQLpwd_field cpasswd
*
* These two directive specify the field names in the \user_record\
* table. If this module is compiled with the BACKWARD_VITEK
* compatibility switch, the defaults \user\ and \password\ are
* assumed if you do not specify them. Currently the user_id field
* *MUST* be a primary key or one must ensure that each user only
* occurs *once* in the table. If a UID occurs twice access is
* denied by default.
*
* Auth_MYSQLgrp_table user_records
* Auth_MYSQLgrp_field xgroup
*
* Optionaly one can also specify a table which contains the
* user/group combinations. This can be the same table which
* also contains the username/password combinations. However
* if a user belongs to two or more groups, one will have to
* use a differt table with multiple entries.
*
* Auth_MYSQL_nopasswd off
* Auth_MYSQL_Authoritative on
* Auth_MYSQL_EncryptedPasswords on
*
* These three optional fields (all set to the sensible defaults,
* so you really do not have to enter them) are described in more
* detail below. If you choose to set these to any other values than
* the above be very sure you understand the security implications and
* do verify that apache does what you exect it to do.
*
* AuthName example MySQL realm
* AuthType basic
*
* Normal apache/ncsa tokens for access control
*
* <limit get post head>
* order deny,allow
* allow from all
*
* require valid-user
* \valid-user\; allow in any user which has a valid uid/passwd
* pair in the above pwd_table.
* or
* require user smith jones
* Limit access to users who have a valid uid/passwd pair in the
* above pwd_table AND whose uid is \smith\ or \jones\. Do note that
* the uid\s are separated by \spaces\ for historic (ncsa) reasons.
* So allowing uids with spaces might cause problems.
*
* require group has_paid
* Optionally also ensure that the uid has the value \has_paid\ in the group
* field in the group table.
* </limit>
* </directory>
*
* End of the example
*
* - full description of all tokens: -
*
* Directives:
*
* Auth_MYSQLhost Hostname of the machine running
* the MySQL demon. The effective uid
* of the server should be allowed
* access. If not given, or if it is
* the magic name \localhost\, it is
* passed to the MySQL libary as a null
* pointer. This effectively forces it
* to use /dev/mysql rather than the
* (slower) socket communication.
*
* Auth_MYSQLdatabase Name of the database in which the following
* table(s) are contained.
*
* Auth_MYSQLpwd_table Contains at least the fields with the
* username and the (encrypted) password. Each
* uid should only occur once in this table and
* for performance reasons should be a primary key.
* Normally this table is compulsory, but it is
* possible to use a fall-through to other methods
* and use the MySQL module for group control only;
* see the Authoritative directive below.
*
* Auth_MYSQLgrp_table Contains at least the fields with the
* username and the groupname. A user which
* is in multiple groups has therefore
* multiple entries; this might be some per-
* formance problems associated with this; and one
* might consider to have separate tables for each
* group (rather than all groups in one table) if
* your directory structure allows for it.
* One only needs to specify this table when doing
* group control.
*
* Auth_MYSQLuid_field Name of the field containing the username
* Auth_MYSQLpwd_field Fieldname for the passwords
* Auth_MYSQLgrp_field Fieldname for the groupname
*
* Only the fields used need to be specified. When this
* module is compiled with the BACKWARD_VITEK option the
* uid and pwd field names default to \user\ and \password\.
*
*
* Auth_MYSQL_nopasswd <on|off>
* skip password comparison if passwd field is
* empty; i.e. allow \any\ password. This is off
* by default; thus to ensure that an empty field
* in the MySQL table does not allow people in by
* default with a random password.
*
* Auth_MYSQL_Authoritative <on|off>
* default is \on\. When set on, there is no
* fall through to other authorization methods. So if a
* user is not in the MySQL dbase table (and perhaps
* not in the right group) or has the password wrong, then
* he or she is denied access. When this directive is set to
* \off\ control is passed on to any other authorization
* modules, such as the basic auth module wih the htpasswd
* file and or the unix-(g)dbm modules.
* The default is \ON\ to avoid nasty \fall-through\ sur-
* prizes. Do be sure you know what you decide to switch
* it off.
*
* Auth_MYSQL_EncryptedPasswords <on|off>
* default is on. When set on, the values in the
* pwd_field are assumed to be crypted using *your*
* machines \crypt\ function; and the incoming password
* is \crypt\ed before comparison. When this function is
* off, the comparison is done directly with the plaintext
* entered password. (Yes; http-basic-auth does send the
* password as plaintext over the wire :-( ). The default
* is a sensible \on\, and I personally thing that it is
* a *very-bad-idea* to change this. However a multi
* vendor or international environment (which sometimes
* leads to different crypts functions) might force you to.
*
* Dirk.vanGulik@jrc.it; http://ewse.ceo.org; http://me-www.jrc.it/~dirkx
* 23 Nov 1995, 24 Feb 1996, 16 May 1996.
*
* Version 0.0 First release
* 0.1 Update to apache 1.00
* 0.2 added lines which got missing god knows when
* and which did the valid-user authentification
* no good at all !
* 0.3 Added \Auth_MYSQL_nopasswd\ option
* 0.4 Cleaned out the error messages mess.
* 0.6 Inconsistency with gid/grp in comment/token/source
* Make sure you really use \Auth_MYSQLgrp_field\ as
* indicated above.
* 0.7 *host to host fixed. Credits go to Rob Stout,
* <stout@lava.et.tudelft.nl> for spotting this one.
* 0.8 Authoritative directive added. See above.
* 0.9 palloc return code check(s), should be backward compatible with
* 1.11 version of Vivek Khera <khera@kciLink.com> mysql module,
* fixed broken err msg in group control, changed command table
* messages to make more sense when displayed in that new module
* management tool. Added EncryptedPassword on/off functionality.
* mysql_close() statements added upon error. Support for persistent
* connections with the MySQL database (riscy). Escaping of \ and \.
* Replaced some MAX_STRING_LENGTH claims.
* 1.0 removed some error check as they where already done elsehwere
* NumFields -> NumRows (Thanks Vitek). More stack memory.
* 1.1w Converted to use MySQL instead of mSQL
* 1.1 no logging of empty password strings.
* 1.2 Problem with the Backward vitek which cause it to check
* even if mysql_auth was not configured; Also more carefull
* with the authoritative stuff; caught by thomas@marvin.calvacom.fr.
* 1.3 Even more changes to get it right; that BACKWARD thing was a bad
* idea.
* 1.3w Fixes by monty and merge to new version.
* 1.4 Fixes by tlm and gwyn to add msql_connect() args and cleanup
* compile warnings.
*/
#define ONLY_ONCE 1
/*
* If the MySQL table containing the uid/passwd combination does
* not have the uid field as a primary key, it is possible for the
* uid to occur more than once in the table with possibly different
* passwords. When this module is compiled with the ONLY_ONCE directive
* set, access is denied if the uid occures more than once in the
* uid/passwd table. If you choose not to set it, the software takes
* the first pair returned and ignores any further pairs. The SQL
* statement used for this is
*
* \select password form pwd_table where user=\uid\
*
* this might lead to unpredictable results. For this reason as well
* as for performance reasons you are strongly adviced to make the
* uid field a primary key. Use at your own peril :-)
*/
#undef KEEP_MYSQL_CONNECTION_OPEN
/*
* Normally the (tcp/ip) connection with the database is opened and
* closed for each SQL query. When the httpd-server and the database
* are on the same machine, and /dev/mysql is used this does not
* cause a serious overhead. However when your platform does not
* support this (see the MySQL documentation) or when the web server
* and the database are on different machines the overhead can be
* considerable. When the above is set defined the server leaves the
* connection open; i.e. no call to mysql_close(). If an error occures
* an attempt is made to re-open the connection for the next http-rq.
*
* This has a number of very serious drawbacks
* - It costs 2 already rare filedescriptors for each child.
* - It costs mysql-connections, typically one per child. The (compiled in)
* number of connections MySQL can handle is low, typically 6 or 12.
* which might prohibit access to the MySQL database for later
* processes.
* - when a child dies, it might not free that connection properly
* or quick enough.
* - When errors start to occur, connection/file-descr resources might
* become exausted very quickly.
*
* In short; use this at your own peril and only in a highly controled and
* monitored environment
*/
|
