
Re: Security, root and CGI?

by DrHyde (Prior)
on Jan 29, 2009 at 11:39 UTC (#739869)

in reply to Security, root and CGI?

It makes sense. In fact it's quite common to do this, although with authentication in the CGI. The one change I'd make is that instead of doing authentication in both the CGI and the root daemon, I'd only do it in the root daemon, and have the CGI ask it what actions a particular user can perform so that it can present the right options to him. Then, obviously, when the CGI actually submits a job to the root daemon, the daemon needs to authenticate it again.

I'm not sure that you can guarantee that communications are coming from a particular process. But then, provided that you authenticate before performing each action as root, that shouldn't matter. If someone manages to talk to your process in a way you didn't expect, then if they can't authenticate that's great, if they can - well, so what? They could just as easily authenticate through your web interface.

You might even find it useful to have several ways of communicating with the daemon - for example, occasional users might use a web site, more frequent users might have a command line interface.
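
The design described in this reply, as an added example that is not part of the original post: the daemon's request handler authenticates every request itself, answers the front end's "what may this user do?" query, and re-checks permission when a job is submitted. The account data, action names and request fields are constructed for illustration, and the privileged operations are placeholders.

```python
import hashlib
import hmac
import os

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _account(password, actions):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _kdf(password, salt), "actions": frozenset(actions)}

# Constructed sample accounts and permissions (assumptions, not from the post).
USERS = {
    "alice": _account("correct horse", {"restart_httpd", "rotate_logs"}),
    "bob": _account("battery staple", {"rotate_logs"}),
}
# Placeholder privileged operations; in the real daemon these would run as root.
ACTIONS = {
    "restart_httpd": lambda: "httpd restarted",
    "rotate_logs": lambda: "logs rotated",
}

def authenticate(user, password):
    """Return the account record if the credentials verify, else None."""
    acct = USERS.get(user)
    # Run the KDF for unknown users too, so timing does not reveal valid names.
    salt = acct["salt"] if acct else b"\0" * 16
    candidate = _kdf(password, salt)
    if acct and hmac.compare_digest(candidate, acct["hash"]):
        return acct
    return None

def handle_request(req):
    """Daemon entry point. Every request is authenticated here, whichever
    front end (CGI, command line, anything else) delivered it."""
    acct = authenticate(req.get("user", ""), req.get("password", ""))
    if acct is None:
        return {"ok": False, "error": "authentication failed"}
    if req.get("op") == "list_actions":   # front end uses this to build its menu
        return {"ok": True, "actions": sorted(acct["actions"])}
    if req.get("op") == "run":            # re-checked even if the menu hid it
        action = req.get("action")
        if action not in acct["actions"] or action not in ACTIONS:
            return {"ok": False, "error": "not permitted"}
        return {"ok": True, "result": ACTIONS[action]()}
    return {"ok": False, "error": "unknown op"}

if __name__ == "__main__":
    bob = {"user": "bob", "password": "battery staple"}
    print(handle_request({**bob, "op": "list_actions"}))
    print(handle_request({**bob, "op": "run", "action": "restart_httpd"}))
```

Because the permission check lives in `handle_request`, a request that bypasses the web interface gets exactly the same answer as one that goes through it.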
