CERN httpd - Protection passwords and groups
Nigel Metheringham <nigelm@ohm.york.ac.uk>
Errors-To: listmaster@www0.cern.ch
Date: Thu, 9 Jun 1994 13:37:38 +0200
Message-id: <m0qBiM6-000E9cC@rioja.ohm.york.ac.uk>
Reply-To: nigelm@ohm.york.ac.uk
Originator: www-talk@info.cern.ch
Sender: www-talk@www0.cern.ch
Precedence: bulk
From: Nigel Metheringham <nigelm@ohm.york.ac.uk>
To: Multiple recipients of list <www-talk@www0.cern.ch>
Subject: CERN httpd - Protection passwords and groups
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas

The current protection scheme in the CERN httpd uses unix-like passwd
and group files. These are sequentially read on each protected access
check - which could be a problem if you have large numbers of users in
these databases.

Like many sites, much of the stuff we might want to protect would be
protected at a relatively low level, and be available to large subsets
of our users. We use NIS for distributing authorisation info (bad
idea I know).

I'd like to make a change to the httpd protection stuff to enable
other sources of authorisation info than flat files. The sort of
change I was wondering about was to change the spec for the passwd &
group files to allow this sort of spec:-

    PasswordFile /some/flat/file         # ie as present
    PasswordFile //nis:nis_map_name      # use NIS map nis_map_name
    PasswordFile //dbm:/dbm/file/spec    # DBM hashed password file
    PasswordFile //netinfo:/net/in/spec  # NeXT netinfo

[not sure about the netinfo - since it is richer than NIS it could
present more problems...] Group file specs would look similar.

The main advantages this would give are keyed lookups (saving in time
when accessing auth info), flexibility - you can keep info in (say)
NIS, and it doesn't *have* to be just in a NIS system passwd file.

As an extension to this, NIS netgroups could also be used to control
access - both for hosts and users. However this needs slightly more
serious mods to the appropriate areas of httpd.

[Pause while dons asbestos underwear]

Any comments on this please....?

Nigel.
--
- Nigel Metheringham -- EMail: nm4@unix.york.ac.uk nigelm@ohm.york.ac.uk -
- System Administrator, Electronics Dept, University of York, York YO1 5DD -
- Tel: +44 904 432374, Fax: +44 904 432335 | PGP key available from WWW -
- WWW: http://www.amp.york.ac.uk/~nm4/ | -
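
The PasswordFile source syntax proposed in the message above, as an added example that is not part of the original post and is not CERN httpd code: a parser that maps each spec to a backend and rejects an unrecognised "//" prefix instead of opening it as a flat file. All identifiers are hypothetical, and treating '#' as the start of a trailing comment is an assumption taken from the annotated lines.

```c
#include <stdio.h>
#include <string.h>

/* All identifiers here are hypothetical; none come from CERN httpd. */
enum pw_backend { PW_FLAT, PW_NIS, PW_DBM, PW_NETINFO };
struct pw_source { enum pw_backend backend; char location[256]; };

/* Parse the value of a PasswordFile directive written in the proposed syntax.
 * Returns 0 on success, -1 on an unknown backend or empty/overlong location. */
int parse_pw_source(const char *value, struct pw_source *out)
{
    static const struct { const char *prefix; enum pw_backend backend; } known[] = {
        { "//nis:", PW_NIS }, { "//dbm:", PW_DBM }, { "//netinfo:", PW_NETINFO },
    };
    const size_t nknown = sizeof known / sizeof known[0];
    enum pw_backend backend = PW_FLAT;
    size_t i, len;

    if (strncmp(value, "//", 2) == 0) {
        /* Fail closed: a "//" spec must name a known backend. A typo such as
         * "//nsi:" is an error, never a fallback to opening a flat file. */
        for (i = 0; i < nknown; i++)
            if (strncmp(value, known[i].prefix, strlen(known[i].prefix)) == 0)
                break;
        if (i == nknown)
            return -1;
        backend = known[i].backend;
        value += strlen(known[i].prefix);
    }
    /* Assumption: '#' starts a trailing comment, as in the annotated lines. */
    len = strcspn(value, "#");
    while (len > 0 && (value[len - 1] == ' ' || value[len - 1] == '\t'))
        len--;
    if (len == 0 || len >= sizeof out->location)
        return -1;
    memcpy(out->location, value, len);
    out->location[len] = '\0';
    out->backend = backend;
    return 0;
}

int main(void)
{
    struct pw_source s;
    /* Sample directive value taken from the message above. */
    if (parse_pw_source("//dbm:/dbm/file/spec # DBM hashed password file", &s) == 0)
        printf("backend=%d location=%s\n", (int)s.backend, s.location);
    return 0;
}
```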