I want to develop a LAMP web app/solution and after a fair amount of searching I am starting to think it is not possible to do what I want. Not sure how to explain this succinctly so I apologize for the verbosity.
And before I start, I want to stay away from expensive enterprise grade solutions. Hoping for something I can either develop myself (if someone can help with the logic/algorithm of the code I'd need) or something that is free/open-source. At worst, if I have to pay a license for personal use that is fine too. Basically looking for something for personal use.
Let me explain the desired end result:
- User accounts (that do not map/tie to an OS account) will be created on the web app
- Typical web app authentication/authorization (with 2FA/MFA)
- User accounts will map to read/write file-system permissions tied to an OS account
- This mapping should be maintained and administered on the server outside of the web app
- This is something a server admin would do somewhere **on the OS**
- The idea being that users will be able to read/write files on the server as though they are the associated OS account
- The hope is the user will have two security gates they'll have to authorize through: the web app and the OS (**something the web app doesn't know**)
Here is a more detailed example:
- OS has two human interactive accounts: osuser1 and osuser2
- OS has one non-human non-interactive account that Apache will run as: www-data
- web app has three human interactive accounts that users will log in with (using their web browser): webuser3, webuser4, webuser5
- the accounts in the web app are permissioned on the OS level like this:
- webuser3 can:
- read files in /home/osuser1 as osuser1
- read and write files in /home/osuser2 as osuser2
- webuser4 can:
- read and write files in /home/osuser1 as osuser1
- webuser5 can:
- write files in /home/osuser2 as osuser2
- this web app user to OS user permission mapping should be maintained on the OS, outside of the web app
How I would like it to work:
- user logs in to web app (webuser3, webuser4, webuser5)
- user interacts with the UI to list files or create a file in some folder
- the web app will ask for additional authentication/authorization information, like a PW and/or 2FA/MFA code
- the web app will send information to the OS:
- the additional authentication/authorization information
- the ID of the web app user
- what they want to do (read or create)
- the OS will authorize the action and send it back to the web app
Now, Apache is running as
www-data so it won't, by default and without messing with file/folder permissions, have any access to
/home/osuser#. One way I can think of accomplishing the above is to give
www-data passwordless
sudo privileges (either as
root or the OS accounts
osuser1 and
osuser2) so it can do things as the OS accounts. I don't like this because if the system is compromised and a bad actor gains access to
www-data account then they will also be able to use
sudo to do things as the OS accounts
/home/osuser#. And also, this way would require the web app to maintain the web app user to OS user permission mapping.
Obviously the OS is not aware of the web app accounts (
webuser3,
webuser4,
webuser5) and I don't want to have to create matching accounts on the OS. The hope is to use some OS tool/library to do the mapping. Something that would have an internal configuration of external accounts (the ones coming from the web app). Maybe using roles or profiles. So on the OS, in this tool/library, a role/profile/account is created that matches the web app accounts and then given permissions.
And, the tool/library should support additional authentication/authorization. Something that could be passed, securely, using an API or via command line parameter. This breaks authorization/authentication into two places: the OS and the web app, each having half the key.
I realize this is one hell of an absurd ask but I don't want to give up the idea without fully vetting the possibility.