Authenticating Web Users against Linux Accounts.

demia · 05-15-2009, 11:40 PM

I have a web project where I have to give each user a home directory and control over their files (hosting company).

But this time, they have only access via a web-file management tool (no ssh or ftp).

So we have a database of course where we keep login information, but at the same time, I have to create unix account for users and give total control over their files, so that they can do whatever they want with their home-dir, of course not messing up with the server and other peoples files.

To get this done, my apache should authenticate against linux accounts (/etc/passwd or /etc/shadow), and change the web user into that system account (that's all i know, if there is a better way to achieve this please tell me)

For this purpose, I found, mod_auth_pam, mod_auth_shadow, mod_authz_external to use. I couldn't quite figure out how to use them yet, first I wanted to make sure I am on the right path.

I also read that there are a lot of security issues around this setup, so I'm a little worried as well.

I'd appreciate your take on this, ideas or your experience.

Thanks a lot,
D

stress_junkie · 05-16-2009, 11:40 AM

http://www.faqs.org/docs/Linux-HOWTO...TO.html#AEN305

Your concerns about security are well founded. This is a kludge. Nevertheless and surprisingly this seems to be the only viable way to use Linux user accounts to authenticate web sessions. I wish that I had better news. It's difficult for me to believe that this issue has not been addressed better by now.

demia · 05-16-2009, 12:03 PM

what about this ?

http://www.cablan.net/phpsuexec.html

estabroo · 05-16-2009, 01:22 PM

Instead of creating real accounts you might want to use virtual ones with ftp access, they'd be locked into their home directory and have complete access in it, but would be unable to go anywhere else in the system. When I worked at an isp we did this for our customer's personal web pages. I think several different ftp programs (like proftpd) offer this kind of thing, including quotas for disk space.

estabroo · 05-16-2009, 01:25 PM

What about using ftp for managing the home directory access and using virtual accounts instead of real ones. ftp programs like proftpd (and I'm sure others) offer virtual accounts with quotas. It restricts the user's access to the "home directory" area they've been given. When I worked at an ISP we did this for customer's personal web pages and it worked great.

demia · 05-16-2009, 01:29 PM

i think here is the answer to this problem: http://blog.stuartherbert.com/php/20...shared-server/

demia · 05-16-2009, 06:09 PM

And this is THE solution (at least for me):
http://blog.stuartherbert.com/php/20...shared-server/

hope to be of help to others..