[3515] in WWW Security List Archive
Warning Re: REMOTE_USER
daemon@ATHENA.MIT.EDU (David W. Morris)
Tue Nov 12 16:14:38 1996
Date: Mon, 11 Nov 1996 22:03:39 -0800 (PST)
From: "David W. Morris" <dwm@xpasc.com>
To: Steff Watkins <Steff.Watkins@Bristol.ac.uk>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.SOL.3.91.961111053353.3393B-100000@sol.star.bris.ac.uk>
Errors-To: owner-www-security@ns2.rutgers.edu

On Mon, 11 Nov 1996, Steff Watkins wrote:
> On Fri, 8 Nov 1996, Andrea Di Fabio wrote:
>
> > Has anyone successfully got this ENV variable to return something ??
> > If so, let me know how.
> >
> > I have also tried to run the apache 1.1.1 server from inetd,
> > and got the username to appear in the tcpwrappers ... but I did
> > not have any luck with SSI or CGI $ENV{'REMOTE_USER'}
>
> Hello Andrea,
>
> I have had this problem earlier with the NCSA webserver. However I found
> that, with the NCSA webserver, I could use the REMOTE_USER environment
> variable if I configured my webserver with the following parameter in
> httpd.conf:
>
> IdentityCheck On

This is a very bad idea in general. First, it is at best a performance
problem. But worse, many hosts do not run the daemon required to
respond to the request that results from this configuration option.
This often results in an (ICMP) response which some TCP/IP implementations
use to reset ALL connections to/from the host which requested
the unsupported service. So your webserver can end up with many
unexpected broken connections.

Dave Morris
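
An added illustration, not part of the original message: a minimal RFC 1413 (ident) query in Python, showing the extra connection back to the client host that an identity check makes for each request, with a bounded timeout so a host that runs no ident daemon cannot stall the caller. The function names, the `ident_port` parameter and the sample reply lines are constructed for this example.

```python
import socket

IDENT_PORT = 113  # well-known ident port (RFC 1413)


def parse_ident_reply(line):
    """Parse one RFC 1413 reply line.

    Success: "<port>, <port> : USERID : <opsys> : <user-id>"
    Failure: "<port>, <port> : ERROR : <error-type>"
    Surrounding whitespace is trimmed from every field for readability.
    """
    parts = [p.strip() for p in line.strip().split(":", 3)]
    if len(parts) < 3:
        return {"status": "malformed"}
    kind = parts[1].upper()
    if kind == "ERROR":
        return {"status": "error", "error": parts[2]}
    if kind == "USERID" and len(parts) == 4:
        return {"status": "ok", "opsys": parts[2], "user": parts[3]}
    return {"status": "malformed"}


def ident_lookup(client_host, client_port, server_port,
                 timeout=2.0, ident_port=IDENT_PORT):
    """Ask the client's ident daemon who owns the connection.

    The query names the port on the ident host first, then the port on the
    querying (web server) side. Every failure mode returns a status instead
    of blocking past `timeout`.
    """
    query = f"{client_port}, {server_port}\r\n".encode("ascii")
    try:
        with socket.create_connection((client_host, ident_port),
                                      timeout=timeout) as s:
            s.sendall(query)
            data = s.recv(1024)
    except socket.timeout:
        return {"status": "timeout"}
    except OSError as exc:  # refused, unreachable, reset, ...
        return {"status": "unreachable", "error": type(exc).__name__}
    if not data:
        return {"status": "malformed"}
    return parse_ident_reply(data.decode("ascii", "replace"))


if __name__ == "__main__":
    # Constructed sample replies, in the format RFC 1413 defines.
    for sample in ("6193, 23 : USERID : UNIX : stjohns\r\n",
                   "6195, 23 : ERROR : NO-USER\r\n"):
        print(parse_ident_reply(sample))
```

Whatever the daemon returns is asserted by the client host, so the result is suitable for logging at most, not for access control.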