Re: using PAM for authentication
From: William Ahern (william_at_wilbur.25thandClement.com)
Date: 04/22/04
- Next message: SysAdmin_at_ed.shawcable.net: "IMPORTANT ANTI VIRUS INFORMATION"
- Previous message: Alan Balmer: "Re: contract work vs employment"
- In reply to: Reinhard Eilmsteiner: "Re: using PAM for authentication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Thu, 22 Apr 2004 14:57:27 -0700
Reinhard Eilmsteiner <news-stuff@eilm.at> wrote:
> Hi Bill!
>
> I agree that OS services are usually tested thoroughly enough to rely on
> their security.
>
> But:
> Security: If you create an OS user account for each user in your
> web-application (and there can be many of them), these user may gain
> rights to the system they don't really need. So the chance that if your
> application has some security-related bug the user may be logged in to
> your application server. This is something I really don't like when I'm
> talking about >100 users. If the user can crash the application that's
> one thing. If he can try "su" that's another.
That's an authorization problem:
chsh -s /sbin/nologin jsmith
> Maintenance: Big applications usually define their own life-cycle for
> users which has some influence on the authentication procedure. Example:
> Some user signs in to your application: A user is created, but remains
> inactive until a mail sent by the application is replied, some link is
> requested, whatever. Then the user gets activated through the
> application. In order to be able to do this kind of operation on the
> *nix you have to be root. So some process of the application must be
> able to su or have some sudo kind of access to the user administration
> of the system. => No good.
Some part of any application has to have privleges to alter user accounts.
And even on Unix that needn't necessarily be a process w/ global (root)
privileges. So if the argument is that you can more easily handle privileges
(i.e. authorization) then you can do the same w/ OS services.
> Portability: If my users are in some kind of database of its own, I
> don't have to care about operating system stuff when I take the
> application and deploy it on some new system. You also don't have to
> deal with the network security staff, who are always reluctant to change
> anything in a living (productive) environment. The application also
> gains some more independence from the os flavour, as it is a little more
> decoupled.
LDAP ;) (or Active Directory or whatnot)
Indeed, staff do not like anything new added to their plate. And from that
perspective often one can more easily leverage the tools and processes
already in place by using OS authentication services. Otherwise, the new
user account management component of the next great web services application
might not receive any quality attention. Technology is no substitute for
staff and standards. The fewer components to manage--and higher quality
management--the better.
> I don't know who of us is right. Most probably this decision has to be
> made for each and every case and the result will differ with different
> requirements.
Absolutely.
Cheers,
Bill
- Next message: SysAdmin_at_ed.shawcable.net: "IMPORTANT ANTI VIRUS INFORMATION"
- Previous message: Alan Balmer: "Re: contract work vs employment"
- In reply to: Reinhard Eilmsteiner: "Re: using PAM for authentication"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
