Re: using PAM for authentication
From: Reinhard Eilmsteiner (news-stuff_at_eilm.at)
Date: 04/22/04
- Next message: The King of Pots and Pans: "contract work vs employment"
- Previous message: Barry Margolin: "Re: Shared memory and semaphore synchonization"
- In reply to: William Ahern: "Re: using PAM for authentication"
- Next in thread: William Ahern: "Re: using PAM for authentication"
- Reply: William Ahern: "Re: using PAM for authentication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Thu, 22 Apr 2004 20:35:14 +0200
Hi Bill!
I agree that OS services are usually tested thoroughly enough to rely on
their security.
But:
Security: If you create an OS user account for each user in your
web-application (and there can be many of them), these users may gain
rights to the system they don't really need. So there is a chance that, if your
application has some security-related bug, the user may be logged in to
your application server. This is something I really don't like when I'm
talking about >100 users. If the user can crash the application, that's
one thing. If he can try "su", that's another.
Maintenance: Big applications usually define their own life-cycle for
users, which has some influence on the authentication procedure. Example:
Some user signs in to your application: a user is created, but remains
inactive until a mail sent by the application is replied to, some link is
requested, whatever. Then the user gets activated through the
application. In order to be able to do this kind of operation on
*nix you have to be root. So some process of the application must be
able to su or have some sudo kind of access to the user administration
of the system. => No good.
Portability: If my users are in a database of their own, I
don't have to care about operating system stuff when I take the
application and deploy it on some new system. You also don't have to
deal with the network security staff, who are always reluctant to change
anything in a living (productive) environment. The application also
gains some more independence from the OS flavour, as it is a little more
decoupled.
I don't know who of us is right. Most probably this decision has to be
made for each and every case and the result will differ with different
requirements.
Regards,
Reinhard
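The sign-up / inactive-until-activated / activate life-cycle described in the post, kept entirely in an application-owned user table so that no step needs root, su or sudo on the host. This is an added illustration, not code from the thread or from either poster; the table layout, the PENDING/ACTIVE states, the PBKDF2 parameters and the sample user are assumptions chosen for the example, and the store is an in-memory SQLite database constructed inline so it runs offline.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Life-cycle states live in the application's own table (assumed names),
# so creating and activating users needs no privileges on the OS.
PENDING = "pending"
ACTIVE = "active"

PBKDF2_ROUNDS = 200_000  # assumed work factor for the example


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def open_store() -> sqlite3.Connection:
    """Create the (constructed, in-memory) user table for the example."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE users (
               name TEXT PRIMARY KEY,
               salt BLOB NOT NULL,
               pw_hash BLOB NOT NULL,
               state TEXT NOT NULL,
               activation_token TEXT)"""
    )
    return db


def sign_up(db: sqlite3.Connection, name: str, password: str) -> str:
    """Create the account in the PENDING state; return the token the
    application would put in the activation mail."""
    salt = secrets.token_bytes(16)
    token = secrets.token_urlsafe(32)
    db.execute(
        "INSERT INTO users (name, salt, pw_hash, state, activation_token) "
        "VALUES (?, ?, ?, ?, ?)",
        (name, salt, _hash_password(password, salt), PENDING, token),
    )
    return token


def activate(db: sqlite3.Connection, name: str, token: str) -> bool:
    """Move PENDING -> ACTIVE only when the presented token matches
    (constant-time compare); the token is single-use."""
    row = db.execute(
        "SELECT activation_token, state FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None or row[1] != PENDING or row[0] is None:
        return False
    if not hmac.compare_digest(row[0].encode("utf-8"), token.encode("utf-8")):
        return False
    db.execute(
        "UPDATE users SET state = ?, activation_token = NULL WHERE name = ?",
        (ACTIVE, name),
    )
    return True


def authenticate(db: sqlite3.Connection, name: str, password: str) -> bool:
    """Verify the password; an account that is not ACTIVE is refused even
    when the password is right."""
    row = db.execute(
        "SELECT salt, pw_hash, state FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        # Do the same amount of work for unknown names so that timing
        # does not reveal whether an account exists.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored, state = row
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    return ok and state == ACTIVE


if __name__ == "__main__":
    db = open_store()
    token = sign_up(db, "alice", "correct horse")
    print("login before activation:", authenticate(db, "alice", "correct horse"))
    print("activate with wrong token:", activate(db, "alice", "bogus"))
    print("activate with mailed token:", activate(db, "alice", token))
    print("login after activation:", authenticate(db, "alice", "correct horse"))
```

The point of the example is the contrast with the OS-account approach: every transition here is an UPDATE on a table the application owns, and a compromised application process gets at most the rights of the account it runs under, not a path to useradd, su or sudo.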