CERN httpd - Protection passwords and groups

Nigel Metheringham <nigelm@ohm.york.ac.uk>
Errors-To: listmaster@www0.cern.ch
Date: Thu, 9 Jun 1994 13:37:38 +0200
Message-id: <m0qBiM6-000E9cC@rioja.ohm.york.ac.uk>
Reply-To: nigelm@ohm.york.ac.uk
Originator: www-talk@info.cern.ch
Sender: www-talk@www0.cern.ch
Precedence: bulk
From: Nigel Metheringham <nigelm@ohm.york.ac.uk>
To: Multiple recipients of list <www-talk@www0.cern.ch>
Subject: CERN httpd - Protection passwords and groups
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas

The current protection scheme in the CERN httpd uses Unix-like passwd
and group files.  These are sequentially read on each protected access
check - which could be a problem if you have large numbers of users in
these databases.

Like many sites, much of the stuff we might want to protect would be
protected at a relatively low level, and be available to large subsets
of our users.  We use NIS for distributing authorisation info (bad
idea I know).

I'd like to make a change to the httpd protection stuff to enable
other sources of authorisation info than flat files.  The sort of
change I was wondering about was to change the spec for the passwd &
group files to allow this sort of spec:-

	PasswordFile	/some/flat/file		# ie as present
	PasswordFile	//nis:nis_map_name	# use NIS map nis_map_name
	PasswordFile	//dbm:/dbm/file/spec	# DBM hashed password file
	PasswordFile	//netinfo:/net/in/spec	# NeXT netinfo

[not sure about the netinfo - since it is richer than NIS it could
present more problems...]  Group file specs would look similar.

The main advantages this would give are keyed lookups (saving in time
when accessing auth info), flexibility - you can keep info in (say)
NIS, and it doesn't *have* to be just in a NIS system passwd file.

As an extension to this, NIS netgroups could also be used to control
access - both for hosts and users.  However this needs slightly more
serious mods to the appropriate areas of httpd.

[Pause while dons asbestos underwear]
Any comments on this please....?

	Nigel.

--
- Nigel Metheringham  --  EMail: nm4@unix.york.ac.uk nigelm@ohm.york.ac.uk -
- System Administrator, Electronics Dept, University of York, York YO1 5DD -
- Tel: +44 904 432374, Fax: +44 904 432335 | PGP key available from WWW    -
- WWW: http://www.amp.york.ac.uk/~nm4/     |                               -
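
The source spec proposed in the message above, as an added example in C (not CERN httpd code and not part of the original post): a parser that maps a PasswordFile value to a backend and rejects anything it does not recognise, so a mistyped scheme is never opened as a flat file. The type and function names are hypothetical; requiring an absolute path for dbm and netinfo and a slash-free NIS map name are assumptions drawn from the four sample lines.

```c
/* Added example: parser for the proposed PasswordFile source spec.
   All identifiers are hypothetical, not taken from CERN httpd. */
#include <string.h>

typedef enum { SRC_INVALID, SRC_FLAT, SRC_NIS, SRC_DBM, SRC_NETINFO } AuthSrcType;

typedef struct {
    AuthSrcType type;
    char location[256];   /* file path or NIS map name */
} AuthSource;

/* needs_path: assumption that dbm/netinfo locations are absolute paths */
static const struct { const char *scheme; AuthSrcType type; int needs_path; } schemes[] = {
    { "nis",     SRC_NIS,     0 },
    { "dbm",     SRC_DBM,     1 },
    { "netinfo", SRC_NETINFO, 1 },
};
#define NSCHEMES (sizeof schemes / sizeof schemes[0])

/* Parse "/flat/file" or "//scheme:location". Returns 0 on success, -1 on
   rejection; on rejection out->type is SRC_INVALID so callers fail closed. */
int parse_auth_source(const char *spec, AuthSource *out)
{
    const char *loc = spec, *colon;
    AuthSrcType type = SRC_FLAT;            /* no "//" prefix: as at present */
    size_t i, n;

    out->type = SRC_INVALID;
    out->location[0] = '\0';
    if (spec == NULL || spec[0] == '\0')
        return -1;
    if (strncmp(spec, "//", 2) == 0) {
        if ((colon = strchr(spec + 2, ':')) == NULL)
            return -1;                      /* "//name" without a location */
        n = (size_t)(colon - (spec + 2));
        for (i = 0; i < NSCHEMES; i++)
            if (strlen(schemes[i].scheme) == n && strncmp(spec + 2, schemes[i].scheme, n) == 0)
                break;
        if (i == NSCHEMES)
            return -1;                      /* unknown scheme: never fall back to a path */
        loc = colon + 1;
        if (schemes[i].needs_path ? loc[0] != '/' : (loc[0] == '\0' || strchr(loc, '/') != NULL))
            return -1;
        type = schemes[i].type;
    }
    if (strlen(loc) >= sizeof out->location)
        return -1;                          /* refuse to truncate a location */
    strcpy(out->location, loc);
    out->type = type;
    return 0;
}
```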