>Number: 988
>Category: general
>Synopsis: suggestion: option to check permissions via os-userbase
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache (Apache HTTP Project)
>State: open
>Class: change-request
>Submitter-Id: apache
>Arrival-Date: Mon Aug 11 09:00:07 1997
>Originator: [EMAIL PROTECTED]
>Organization:
apache
>Release: any
>Environment:
Linux 2.0.30 i486
>Description:
i hope the bugreport page is correct for suggestions - at least that's what the
faq said... :)
i've been struggeling with my apache httpd (*ix) for a while now and found out
that there's a powerful feature missing.
a security-system that uses the os' userbase and permissions. i.e.:
e.g. if the following file is requested:
-rw-r----- 1 root users 13722 Apr 25 01:28 /foo/bar.html
it can't be read by the default apache user, say wwwrun with nogroup. so apache
sends a uid/pwd-query window and checks the input against the os' userbase. if
the input was correct, apache changes to the user's uid and tries to execute
the request with the user's permissions. if not -> uid/pwd-query window, and so
on...
the same would work great with cgi-binaries (i'm dreaming of the possibilities
i'd have together with web/cgi-interfaced sql-databases... *sigh* :) ).
i think such a totally os-transparent user/permission scheme would make life
much easier, more comfortable and much more straightforward for httpd-admins...
>How-To-Repeat:
>Fix:
implement it as an optional permission-checking- and authorization-scheme. :%2
>Audit-Trail:
>Unformatted:
