> "Phil Coen" <nobody@nowhere.com> wrote in message
> news:e5ydncAmHY4WrErfRVn-jw@giganews.com...
>> The method that I am trying now is to put everything past the login
>> module into a subdir, put authorized users into a Linux group, and give
>> access to that group. But so far the examples of passing the user and
>> password from PHP to the Linux server aren't working.

hrm. "passing the user and password from PHP to the Linux server"

Can you elucidate what you mean by this? My guess would be that you are
trying to authenticate the user using the standard authentication systems
on a Linux server. However 'standard' is a very badly defined target. Most
Linux (most Unix) daemons use PAM for authentication, and can support users
stored in LDAP, local files, databases, NIS maps....

IIRC there was a PAM PECL in development but I've lost track of it and ended
up writing my own C wrapper program (which also solves the setuid problem).
But for many purposes it may be simpler to use the POP/IMAP functions to
verify the credentials.

What exactly is the problem? How are you trying to 'authenticate'?

Aidan wrote:
> 1. Present a (secure) form, asking for a user/pass pair
> 2. Check this user/pass pair against a list of user/pass pairs. I usually
> store them in a database, but a flat file will work too.
> 3. If a match is found, start a session for the user with an
> 'Authenticated' flag.
> 4. Each page they subsequently access looks for this 'Authenticated' flag
> in the session. If it exists everything is OK, and you can deliver them the
> content... but if it doesn't exist, redirect the user to the login form
> (step 1), and pass the URI they tried to access to the login page. If
> they login successfully, redirect them to the page they initially
> requested.

So Aidan's doing it all in PHP. The problem with this approach is that

1) storing passwords - or password equivalents - unhashed is not generally
considered good security practice.
2) you don't get the benefit of all the tools available for account
management which can be applied to an NSS/PAM based system

Having said that, it can be an advantage to maintain a stretch of 'clear
blue water' between the users who access the website, and the conventional
users.

C.
Received on Mon Oct 17 21:07:47 2005
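
The four steps quoted from Aidan, with the stored passwords hashed (the concern raised in the reply), as an added PHP example that is not part of the original thread. The function names, the `/login.php` path, the `return` parameter and the sample user are assumptions; the example goes slightly beyond the thread by accepting only local paths as the post-login redirect target.

```php
<?php
// Added example; all names and paths here are hypothetical, not from the thread.
// Assumes session_start() has already run at the top of every page.

// Constructed sample store: username => hash. Hashes are created once, at
// account creation, with password_hash(); the clear password is never stored.
$users = ['alice' => password_hash('constructed-sample-pw', PASSWORD_DEFAULT)];

// Step 2: check the submitted pair against the stored hash.
function check_login(array $users, string $user, string $pass): bool
{
    // Unknown users are checked against a dummy hash so both paths do similar work.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_DEFAULT);
    }
    $known = isset($users[$user]);
    $match = password_verify($pass, $known ? $users[$user] : $dummy);
    return $known && $match;
}

// Step 4 (return trip): accept only a local path as the "initially requested" page.
function safe_return_path(string $uri, string $default = '/'): string
{
    // One leading "/", not "//" or "/\", and no control characters anywhere.
    return preg_match('#^/(?![/\\\\])[^\x00-\x1f]*\z#', $uri) === 1 ? $uri : $default;
}

// Step 3: on a match, set the flag; returns the redirect target or null on failure.
function login(array $users, string $user, string $pass, string $returnTo): ?string
{
    if (!check_login($users, $user, $pass)) {
        return null; // caller shows the form again
    }
    session_regenerate_id(true);        // fresh session id once authenticated
    $_SESSION['authenticated'] = true;  // the flag every protected page looks for
    $_SESSION['user'] = $user;
    return safe_return_path($returnTo);
}

// Step 4: call first thing on each protected page.
function require_login(): void
{
    if (empty($_SESSION['authenticated'])) {
        header('Location: /login.php?return=' . rawurlencode($_SERVER['REQUEST_URI']));
        exit;
    }
}
```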