
RE: [cobalt-security] neomail on RAQ02



> Matthew Nuzum wrote:
> 
> > Well, I don't use neomail myself, but if you want to restrict access
> > to users of a particular site, you should be able to use one of the
> > auth mods cobalt has built into apache.
> 
> Hmmm... might work.  Can I put more than one group into the require
> line?  And if so, what do I need in the Authname line?  neomail uses
> only one directory for all sites, so if I couldn't, I'd be limited to
> only one site (or I'd have to create a new group and manually put all
> the sites I wanted to be able to use neomail into it, and then hope
> that the cobalt sauce never writes over it.)
> 
 The short answer is "I don't know".  Following is the digital
equivalent of rambling.  Go ahead and read it though, there might be a
workable solution.
----
I don't use mod_perl myself, but it sounds like that is the thing to use
here.  Let me make sure that I understand the details though.

There is one installation of neomail, and it is probably set up as a
<Location> in apache's config file, right?

If so, then I wouldn't use the .htaccess.  As a matter of fact, I would
probably just sneak into cobalt's code for the "Siteadmin" location and
figure out what they do.  Somehow they have to figure out which site the
user is trying to log into.

But I believe that mod_perl allows the rewriting or configuration on
demand, right?  So your auth code could go into the <Location>
directive.

Ahh... I just peeked at it.  Their stuff is a little too convoluted for
this.  No offense, it's just a much more difficult solution than this
situation warrants.

So without writing some additional code, there's not much that can be
done.  If you happen to like code however...

Here is a simple little bit of pseudo code I (meaning you) might add to
the auth.  First, I have to say this assumes that you haven't broken the
cobalt's rewriting rules.  For example, if your official (as far as the
Raq is concerned) domain name is www.domain.com, and you type
domain.com, the Raq typically redirects you to www.domain.com.  Therefore,
this pseudo code assumes that the URL in the browser's address bar is
the official URL for the virtual site (regardless of DNS et al).
1. get the domain name from the requested URL.
2. check to see if /home/sites/$DOMAIN/users/$USER exists
3. authenticate the user

- if step 2 fails, step 3 doesn't need to be tested.  So it doesn't
matter if the user has a valid name and password on the server.  If
/home/www.domain.com/users/myname doesn't exist, then the user is not
valid for this site.

Really, this doesn't sound too difficult.  That's probably all of 3
lines of perl.  (but I'll bet someone could do it in one)

For reference, the original code proposed for the htaccess file is below.

# Access file
# Order/Allow only govern host-based access; it is the "Require group"
# line that restricts by site group, and the group lookup is done by
# whichever auth module Cobalt has built into apache.  Apache directive
# names are case-insensitive, but the canonical spelling is AuthName /
# AuthType; AuthName is what the browser shows in its login prompt.
Order allow,deny
Allow from all
Require group site1
AuthName "Some name for the protected space"
AuthType Basic

Matthew Nuzum
followers.net
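The three-step check sketched in the post above, worked through as an added example (it is not code from the thread, from neomail or from Cobalt): take the hostname from the request, test for /home/sites/$DOMAIN/users/$USER, and only then check the password. It is written in Python so it runs stand-alone against a constructed directory tree; on the RaQ the same logic would sit in a mod_perl handler. The site names, user names and passwords are made up, and check_password is a placeholder for whatever the server already uses to verify passwords. Two things the pseudo code glosses over are included: the hostname and username come from the client and end up in a filesystem path, so both are pinned to a strict pattern before use, and a user who is valid on another site gets the same 401 as a bad password rather than a distinguishable answer.

```python
"""Site-scoped check for a shared neomail install (added example, not from
the thread).  Step 1 takes the domain from the request, step 2 tests
/home/sites/$DOMAIN/users/$USER, step 3 authenticates only if step 2 passed.
"""
import base64
import binascii
import os
import re
import tempfile

SITES_ROOT = "/home/sites"           # RaQ layout named in the thread

# Both values come straight from the client, so each is pinned to a strict
# shape before it is ever used as a path component ("..", "/", etc. fail).
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")
_USER = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")


def canonical_host(host_header):
    """Step 1: lowercase hostname from the Host header, or None if unusable."""
    if not host_header:
        return None
    host = host_header.strip().lower().split(":", 1)[0].rstrip(".")
    if not host or len(host) > 253:
        return None
    if not all(_LABEL.match(label) for label in host.split(".")):
        return None
    return host


def parse_basic_auth(header):
    """Return (user, password) from 'Authorization: Basic <b64>', or None."""
    if not header:
        return None
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        raw = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def user_belongs_to_site(host, user, sites_root=SITES_ROOT):
    """Step 2: is there a <sites_root>/<host>/users/<user> directory?"""
    if host is None or not _USER.match(user or ""):
        return False
    path = os.path.join(sites_root, host, "users", user)
    # Belt and braces: the resolved path must still sit under sites_root.
    root = os.path.realpath(sites_root)
    if not os.path.realpath(path).startswith(root + os.sep):
        return False
    return os.path.isdir(path)


def authorize_request(host_header, auth_header, check_password,
                      sites_root=SITES_ROOT):
    """Run the three steps and return an HTTP status code.

    check_password(user, password) -> bool is a placeholder for the
    server's existing authentication; it is consulted only after the site
    membership test passes, so an account on another site never even gets
    its password checked.
    """
    host = canonical_host(host_header)
    creds = parse_basic_auth(auth_header)
    if host is None or creds is None:
        return 401
    user, password = creds
    if not user_belongs_to_site(host, user, sites_root):
        return 401       # same answer as a bad password: no user enumeration
    return 200 if check_password(user, password) else 401


# --- constructed fixtures so the module runs offline -----------------------

DEMO_PASSWORDS = {"alice": "pw1", "bob": "pw2"}   # made up, not real accounts


def demo_check_password(user, password):
    return DEMO_PASSWORDS.get(user) == password


def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def build_demo_tree():
    """Two hypothetical sites: alice belongs to site1, bob to site2."""
    root = tempfile.mkdtemp(prefix="sites-")
    os.makedirs(os.path.join(root, "www.site1.com", "users", "alice"))
    os.makedirs(os.path.join(root, "www.site2.com", "users", "bob"))
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for host, user, pw in [("www.site1.com", "alice", "pw1"),
                           ("WWW.SITE1.COM:80", "alice", "pw1"),
                           ("www.site2.com", "alice", "pw1"),
                           ("www.site1.com", "alice", "nope"),
                           ("www.site1.com", "../../etc", "x")]:
        status = authorize_request(host, basic_header(user, pw),
                                   demo_check_password, root)
        print(f"{host:18} {user:10} -> {status}")
```

Run as a script it walks the five cases above against the temporary tree: alice is accepted on www.site1.com (with or without a port and regardless of case), rejected with 401 on www.site2.com even though her password is right, rejected with a wrong password, and a traversal-shaped username never reaches the filesystem.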