Stories
Slash Boxes
Comments
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

use Perl Log In

Log In

[ Create a new account ]

Alias (5735)

Alias
  (email not shown publicly)
http://ali.as/

Journal of Alias (5735)

Thursday May 10, 2007
12:12 AM

TinyAuth Step 1 - Apache::Htpasswd::Shadow

[ #33240 ]

With svn set up properly now, and the code flowing again, it's time to start looking at how to write the repository manager (codename TinyAuth).

The first problem is that I'm fairly conservative when it comes to permissions.

I like to stick to the default security model, and avoid setuid bits or chroot jails, since I'm a crap admin and this sort of stuff can be a bit mysterious to me (and thus I presume mysterious to many people)...

And yet my little CGI script needs to be able to update the permissions for people, ideally WITHOUT having to use a database at all.

And that means treating the htpasswd file as a primary data store.

Which creates a problem, since I most certainly DON'T want to allow the web user the ability to go wandering about the locations where security information is kept with write permissions.

So to resolve this, I'm going to go with the shadow file approach.

Apache::Htpasswd::Shadow is a wrapper about Apache::Htpasswd that adds the ability to set a shadow file which is writable by the web user.

If you open the htpasswd file with Apache::Htpasswd::Shadow, it will create a copy of the file in a location it can write to, and apply changes to it there.

If you open ReadOnly, if will read from the shadow file. If you open readonly with no shadow file existing, it just reads from the main passwd file and doesn't need a shadow.

Otherwise it looks identical.

A separate cron job which runs as the user owning the password file does some additional checking will run every 5 minutes or so and apply the changes in the new version to the main passwd file.

This should, I hope, provide some element of separation security wise, without the need to resort to operating system level (and thus operating system specific) measures and allow TinyAuth to work on just about anything that can support CGI and file permissions.

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
 Full
 Abbreviated
 Hidden
More | Login | Reply
Loading... please wait.