Home > Archive > Unix Programming > September 2004 > Associate Unix User Account with Server
Associate Unix User Account with Server
| Kushal Agarwal 2004-09-20, 9:02 pm |
| Hello,
I was wondering, how can I associate unix user accounts to work with
various servers, such as Database servers, Administration servers,
etc.
Additionally what interface does unix provide for this type of
association?
Thanks,
Kushal
| |
| Pascal Bourguignon 2004-09-20, 9:02 pm |
| kushal.agarwal@gmail.com (Kushal Agarwal) writes:
> Hello,
>
> I was wondering, how can I associate unix user accounts to work with
> various servers, such as Database servers, Administration servers,
> etc.
>
> Additionally what interface does unix provide for this type of
> association?
The normal user and group, and file access rights.
Assume a web server for example.
You create a user account and a group for this web server, so you have,
for example, the following entries:
In /etc/group:
web:x:124:
In /etc/passwd:
web:x:1240:124:Web Server:/usr/lib/web:/bin/false
You launch the server (in your rc or init.d files) with:
su -s /bin/sh -c /usr/bin/webserver web
# -s (GNU/Linux su) is needed because the account's login shell is /bin/false
All the web server files should be readable by web:
chgrp -R web /usr/lib/web
find /usr/lib/web -type f -exec chmod 640 {} +
# directories keep the x bit so they stay searchable
find /usr/lib/web -type d -exec chmod 750 {} +
chmod 1775 /usr/lib/web
The web administrator should be given write access to the web files. He
may even be their owner. Assume he will be webadm.
In /etc/passwd:
webadm:x:1241:124:Web Administrator:/home/webadm:/bin/bash
chown -R webadm /usr/lib/web
Now, when you access a page of the web server, it may manage access
rights. See for example .htaccess in apache. But this is entirely up
to the server.
Each server may manage its own access rights and "users". Sometimes,
there's an intersection between the "users" managed by a server and
the unix users, but it's not always the case.
For example, when users want to connect to a mysql database "locally",
they first log in on a unix user account. Normally, the 'mysql'
command is executable by all users, so they can use it. mysql itself
manages its own user accounts, which means that the user has to give
a user name and a password specific to mysql. It's possible to
configure mysql to accept local unix users, but it's not
usually done.
So, unix does not provide anything more than users, groups and file
permissions. The rest is up to the specific server program.
--
__Pascal Bourguignon__ http://www.informatimago.com/
Our enemies are innovative and resourceful, and so are we. They never
stop thinking about new ways to harm our country and our people, and
neither do we.
| |
| SM Ryan 2004-09-21, 9:04 am |
| kushal.agarwal@gmail.com (Kushal Agarwal) wrote:
# Hello,
#
# I was wondering, how can I associate unix user accounts to work with
# various servers, such as Database servers, Administration servers,
# etc.
Each unix machine has the same file mode/user/group protection, and
you can force user and group names to have the same ids on each machine.
Various applications sometimes have their own notion of users defined
independently of the unix users. A MySQL server, for example, has its
own user lists stored inside of it.
--
SM Ryan http://www.rawbw.com/~wyrmwif/
I have no respect for people with no shopping agenda.
| |
| Kushal Agarwal 2004-09-21, 3:58 pm |
| > Various applications sometimes have their own notion of users defined
> independently of the unix users. A MySQL server, for example, has its
> own user lists stored inside of it.
The problem is that I don't want the application to store its own list
of users inside it; rather, it should use the list already defined in
the UNIX network. So is there any interface that UNIX provides to
allow the application to access the UNIX user accounts/authentication
procedures?
Kushal.
| |
| Jens.Toerring@physik.fu-berlin.de 2004-09-21, 3:58 pm |
| Kushal Agarwal <kushal.agarwal@gmail.com> wrote:
> The problem is that I don't want the application to store its own list
> of users inside it, rather, it should use the list already defined in
> the UNIX network. So is there any interface that UNIX provides to
> allow the application to access the UNIX user accounts/authentication
> procedures?
What's "in the UNIX network"? The same user can have different names,
different user IDs and group IDs on different machines. If you want
to know a user's ID or group ID etc. on the machine your program is
running on, there are several functions to find out about them - if
you know the user name you can use getpwnam() to find all that
information about a user. If you know the user ID, use getpwuid() to find
out the other information about the user. If you want to know about
all users on the machine, use getpwent() repeatedly.
If this doesn't help, try to give a reasonable description of
what you want to do; what you have written until now doesn't make
too much sense to me - I have no idea what you may mean when you
write something about "associate unix user accounts to work with
various servers".
Regards, Jens
--
\ Jens Thoms Toerring ___ Jens.Toerring@physik.fu-berlin.de
\__________________________ http://www.toerring.de
| |
| Pascal Bourguignon 2004-09-21, 8:57 pm |
| kushal.agarwal@gmail.com (Kushal Agarwal) writes:
>
> The problem is that I don't want the application to store its own list
> of users inside it, rather, it should use the list already defined in
> the UNIX network. So is there any interface that UNIX provides to
> allow the application to access the UNIX user accounts/authentication
> procedures?
UNIX, in general, can be interpreted as POSIX SUSv3.
There, the answer is no, there's no API to do such a thing.
However, on a given system you may find or install services and APIs to
do whatever you want. For example, you may use PAM (free software,
from Linux) locally, or LDAP on a network. You still have to
configure or patch each server to make it use this account
information.
You have first to define exactly what system you're using and what
servers you want to use.
--
__Pascal Bourguignon__ http://www.informatimago.com/
| |
| John Gordon 2004-09-21, 8:57 pm |
| In <e9d0a198.0409201246.588c6228@posting.google.com> kushal.agarwal@gmail.com (Kushal Agarwal) writes:
> Hello,
> I was wondering, how can I associate unix user accounts to work with
> various servers, such as Database servers, Administration servers,
> etc.
Individual applications often provide a mechanism (eg a configuration
file) to allow arbitrary userids to interact with the application in
various capacities (user, admin, owner, etc). Other applications require
the use of a predetermined userid.
> Additionally what interface does unix provide for this type of
> association?
As far as I know, there is no standard way to do this. Each
application/server has its own mechanism.
--
John Gordon "Between BST melee, their spells, their warders' melee,
gordon@panix.com and their warders' procs, they put out enough damage
to make monks cry." -- Dark Tyger
| |
| SM Ryan 2004-09-22, 9:09 am |
| kushal.agarwal@gmail.com (Kushal Agarwal) wrote:
# > Various applications sometimes have their own notion of users defined
# > independently of the unix users. A MySQL server, for example, has its
# > own user lists stored inside of it.
#
# The problem is that I don't want the application to store its own list
# of users inside it, rather, it should use the list already defined in
# the UNIX network. So is there any interface that UNIX provides to
# allow the application to access the UNIX user accounts/authentication
# procedures?
You cannot impose an identification scheme on an unwilling application. If an
application was written to use its own scheme, you have to get the source
code and change it, convince the suppliers to change it, or create your
own procedures to read one scheme and write it into the various applications.
Even managing login information on a network of unices depends on the
particular unices. If you have something like LDAP or Yellow Pages set up,
you can share login information from a central repository; but not all
unices support such a scheme. And not all sites have someone who can set
it up.
If the network is exposed to malicious hackers, a common identification
scheme is a danger because once you break the key once, you break it
everywhere.
If you are talking about writing your own applications, you can use the
same scheme the login program uses. On systems without a shadow password
file, you can use crypt and getpwnam to check the password. On systems
with a shadow password, linux at least provides library calls to check
a password against the shadow. It's also not that hard to write a setuid
root (assuming you can install it) program you can fork and exec that
does the crypt and then reads /etc/shadow to match. But if you do so in
an insecure environment, you should take responsibility for any passwords
passing through your process space.
--
SM Ryan http://www.rawbw.com/~wyrmwif/
The little stoner's got a point.
| |
| Dragan Cvetkovic 2004-09-22, 4:01 pm |
| Pascal Bourguignon <spam@mouse-potato.com> writes:
[snip]
> However, on a given system you may find or install services and API to
> do whatever you want. For example, you may use PAM (free software,
> from Linux) locally, or LDAP on a network.
Just a nit-pick: PAM was invented by Sun Microsystems.
Bye, Dragan
--
Dragan Cvetkovic,
To be or not to be is true. G. Boole No it isn't. L. E. J. Brouwer
!!! Sender/From address is bogus. Use reply-to one !!!
| |
| Kushal Agarwal 2004-09-22, 4:01 pm |
| Specifically, I have an application which only authorized users should
be allowed to access.
Now one way to do this would be to link the application to a database
with a list of authorized users. However, rather than doing that, I
want the application to check with the UNIX system I have and if the
user is allowed to access the system (therefore the user is
authenticated as an authorized user of my system), they should be
allowed into the application.
Now the trouble is, I can only think of a few ways to do this:
- Using the supplied username/password, create a new login, and if a
shell is returned then the user is authorized, otherwise not.
This method, however, seems somewhat like a hack to me.
An alternative way would be to use the system calls that the login
script makes to achieve the same purpose. The trouble with that is
that I can't figure out which system calls are made to authenticate a
user.
Kushal
| |
| Nick Coleman 2004-09-23, 8:57 am |
| Kushal Agarwal wrote:
> an alternative way would be to use the system calls that the login
> script makes to achieve the same purpose. The trouble with that is
> that I can't figure out what system calls are made to authenticate a
> user.
>
> Kushal
apropos login provides a few.
Maybe I'm missing the point, but can't you set up a group and allow
execution only for members of that group? If the authorized user list
varies, e.g. every university semester with a new class, use a script to
add/remove the group for the list of users.
--
Nick
| |