With svn set up properly now, and the code flowing again, it's time to start looking at how to write the repository manager (codename TinyAuth).
The first problem is that I'm fairly conservative when it comes to permissions.
I like to stick to the default security model, and avoid setuid bits or chroot jails, since I'm a crap admin and this sort of stuff can be a bit mysterious to me (and thus I presume mysterious to many people)...
And yet my little CGI script needs to be able to update the permissions for people, ideally WITHOUT having to use a database at all.
And that means treating the htpasswd file as a primary data store.
Which creates a problem, since I most certainly DON'T want to allow the web user the ability to go wandering about the locations where security information is kept with write permissions.
So to resolve this, I'm going to go with the shadow file approach.
Apache::Htpasswd::Shadow is a wrapper around Apache::Htpasswd that adds the ability to set a shadow file which is writable by the web user.
If you open the htpasswd file with Apache::Htpasswd::Shadow, it will create a copy of the file in a location it can write to, and apply changes to it there.
If you open ReadOnly, it will read from the shadow file. If you open readonly with no shadow file existing, it just reads from the main passwd file and doesn't need a shadow.
Otherwise it looks identical.
A separate cron job, which runs as the user owning the password file and does some additional checking, will run every 5 minutes or so and apply the changes in the new version to the main passwd file.
This should, I hope, provide some element of separation security-wise without the need to resort to operating-system-level (and thus operating-system-specific) measures, and allow TinyAuth to work on just about anything that can support CGI and file permissions.
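One way the cron side could treat the shadow file as untrusted input before applying it, as an added example (not TinyAuth's or Apache::Htpasswd::Shadow's own code). The paths, the protected-account list and the strict `user:hash` line format are assumptions made for illustration.

```perl
# Added example: cron-side merge of a web-writable shadow htpasswd file (all names assumed).
use strict;
use warnings;
use File::Basename qw(dirname);
use File::Temp qw(tempfile);

my $MAIN      = '/etc/svn/htpasswd';            # hypothetical; owned by the cron user
my $SHADOW    = '/var/www/tinyauth/htpasswd';   # hypothetical; writable by the web user
my %PROTECTED = map { $_ => 1 } qw(admin);      # hypothetical; web side may not alter these

# Read a file the web user controls: refuse symlinks, devices and swapped files.
sub read_untrusted {
    my ($path) = @_;
    my @l = lstat($path) or return;             # no shadow file, nothing to apply
    die "$path: not a regular file\n" unless -f _;
    open(my $fh, '<', $path) or die "open $path: $!\n";
    my @s = stat($fh);                          # compare with lstat to catch a swap
    die "$path: replaced during open\n" unless $s[0] == $l[0] && $s[1] == $l[1];
    chomp(my @lines = <$fh>);
    return \@lines;
}

# Accept only "user:hash" lines; returns a hash of user => full line.
sub parse {
    my ($lines) = @_;
    my %entry;
    for my $line (@$lines) {
        $line =~ m!\A([A-Za-z0-9._-]{1,64}):[A-Za-z0-9./\$={}+]{13,255}\z!
            or die "malformed entry rejected\n";
        die "duplicate user $1\n" if exists $entry{$1};
        $entry{$1} = $line;
    }
    return \%entry;
}

my $new_lines = read_untrusted($SHADOW) or exit 0;
my $new = parse($new_lines);
open(my $mfh, '<', $MAIN) or die "open $MAIN: $!\n";
chomp(my @old_lines = <$mfh>);
my $old = parse(\@old_lines);
for my $user (grep { $PROTECTED{$_} } keys %$old) {
    die "protected user $user changed\n" unless ($new->{$user} // '') eq $old->{$user};
}

# Write beside the target and rename, so Apache never sees a partial file.
my ($tmp, $tmpname) = tempfile('htpasswd.XXXXXX', DIR => dirname($MAIN));
print {$tmp} map { "$_\n" } @$new_lines;
close($tmp) or die "close: $!\n";
chmod(0644, $tmpname) or die "chmod: $!\n";
rename($tmpname, $MAIN) or die "rename: $!\n";
```

Any `die` leaves the main file untouched, so a corrupted or tampered shadow file only delays changes until it is fixed.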
Are you sure this is what you wanted to write?
If you cannot provide a direct test or fix, or don’t have time to do so, then regular bug reports are still accepted and appreciated via the CPAN bug tracker.
http://rt.cpan.org/NoAuth/ReportBug.html?Queue=Module-Inspector
Re:Bug tracker address
Alias on 2007-05-10T15:25:49
Gah, stupid cut and paste :)
I need to get ADAMK::Starter finished so I don't keep making this mistake.