Re: Security fix that started all this
- Subject: Re: Security fix that started all this
- From: Tony Fraser <..hidden..>
- Date: Fri, 08 Sep 2006 13:07:34 -0700
On Fri, 2006-09-08 at 15:43 -0400, Christopher Murtagh wrote:
> The plan is to move all the files in users/ into a central database,
> and the same for user modified templates and css. The advantages this
> has are:
OK, so where do you plan to store the DB authentication information? Or
do you plan to give every user their own DB account? Or do you plan to
just have one DB account for all the companies in an installation?
> - the server doesn't need file permissions anywhere anymore
I'm not a big fan of this situation either.
> - a goof in an apache config won't expose members or username.conf
That's why I always move the userdir outside of the web root.
> - portability issues in dealing with filesystems (allowed chars, case,
> etc..) are all gone
That would be nice. But moving the info into the DB isn't necessarily
> Also, we can move to a pluggable authentication and support other
> mechanisms (LDAP, Basic HTTP Auth, Kerberos, etc..) and store user
> data in the db.
The question still stands: Do we really want server side _per session_
or was it just the way that seemed easiest to solve the problem at hand?
Sybaspace Internet Solutions System Administrator
phone: (250) 246-5368 fax: (250) 246-5398