OS level role/command based privileged escalation for use with automation via a front-end/back-end process with additional authentication
I want to develop a LAMP web app/solution and after a fair amount of searching I am starting to think it is not possible to do what I want. Not sure how to explain this succinctly so I apologize for the verbosity.
And before I start, I want to stay away from expensive enterprise grade solutions. Hoping for something I can either develop myself (if someone can help with the logic/algorithm of the code I'd need) or something that is free/open-source. At worst, if I have to pay a license for personal use that is fine too. Basically looking for something for personal use. Let me explain the desired end result:
Obviously the OS is not aware of the web app accounts (webuser3, webuser4, webuser5) and I don't want to have to create matching accounts on the OS. The hope is to use some OS tool/library to do the mapping. Something that would have an internal configuration of external accounts (the ones coming from the web app). Maybe using roles or profiles. So on the OS, in this tool/library, a role/profile/account is created that matches the web app accounts and then given permissions. And, the tool/library should support additional authentication/authorization. Something that could be passed, securely, using an API or via command line parameter. This breaks authorization/authentication into two places: the OS and the web app, each having half the key. I realize this is one hell of an absurd ask but I don't want to give up the idea without fully vetting the possibility.
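As an added illustration (not code from the thread or from any product named in it), this sketches the OS-side helper the post describes: a config that maps web-app accounts to roles, roles to an allow-list of commands, and a request tag computed with the "other half of the key" held by the front end. All account names, paths, the secret and the role names are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed example config: web-app accounts mapped to roles, roles to an
# allow-list of commands and a directory they are confined to. Names are
# hypothetical, echoing the ones in the post.
ROLE_CONFIG = {
    "roles": {
        "reader": {"allow": ["ls", "cat"], "root": "/srv/webdata/shared"},
        "editor": {"allow": ["ls", "cat", "cp", "mv"], "root": "/srv/webdata/shared"},
    },
    "accounts": {"webuser3": "reader", "webuser4": "editor", "webuser5": "editor"},
}

# Hypothetical OS-side half of the key: known to the privileged helper and to
# the web front end (provisioned out of band), never to the web-app users.
OS_SECRET = b"constructed-os-side-secret"


def sign_request(secret: bytes, account: str, command: str, args: list) -> str:
    """Front-end side: tag the request so the helper can tell it came from the web app."""
    msg = json.dumps({"account": account, "command": command, "args": args}, sort_keys=True).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def authorize(request: dict, secret: bytes = OS_SECRET, config: dict = ROLE_CONFIG):
    """OS side: verify the tag, map account -> role, check the command allow-list.
    Returns the argv to execute, or None if any check fails (fail closed)."""
    expected = sign_request(secret, request["account"], request["command"], request["args"])
    if not hmac.compare_digest(expected, request.get("tag", "")):
        return None  # missing or wrong tag: not issued by the front end
    role = config["roles"].get(config["accounts"].get(request["account"]))
    if role is None:
        return None  # unknown web account or unknown role
    if request["command"] not in role["allow"]:
        return None  # command not permitted for this role
    for arg in request["args"]:
        if arg.startswith("-") or arg.startswith("/") or ".." in arg:
            return None  # refuse option injection and paths outside the role root
    # Fixed argv, no shell involved, every path anchored under the role's root.
    return [request["command"]] + [f"{role['root']}/{a}" for a in request["args"]]
```

The returned argv is what a privileged helper would hand to subprocess.run without a shell; the web process itself never needs OS privileges.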
does it need to be a GUI?
because this sounds a lot like ssh. maybe gui frontends to ssh exist?
Having users log in to web apps and then have permissions in OS /home directories is probably do-able, but, if the /home directories are also accessible by the "real" OS users via ssh or sftp, then things get pretty complicated.
Usermin is a web application (with its own built-in webserver) that gives administrative control of functionality to do things like upload and download user-owned files, change passwords, pretty much whatever the admin wants to allow. Login is as the OS user. Authentication is already built-in. The administration is done from Webmin. It may provide what you're asking for already. I could say better if we knew why you're asking. Otherwise Webmin itself can be configured to allow certain tasks. We use it to give one customer access to add and delete email accounts for their domain. Again, if we knew what problem you're trying to solve (as opposed to helping you with your idea of a solution) we could say better. Don't get me wrong. What you suggest is probably doable...but I'd want to first see if Usermin or Webmin could do what you want.