
Re: Security fix that started all this

On Fri, 2006-09-08 at 15:43 -0400, Christopher Murtagh wrote:
>  The plan is to move all the files in users/ into a central database,
> and the same for user modified templates and css. The advantages this
> has are:

OK, so where do you plan to store the DB authentication information? Or
do you plan to give every user their own DB account? Or do you plan to
just have one DB account for all the companies in an installation?

> - the server doesn't need file permissions anywhere anymore

I'm not a big fan of this situation either.

> - a goof in an apache config won't expose members or username.conf

That's why I always move the userdir outside of the web root.

> - portability issues in dealing with filesystems (allowed chars, case,
> etc..) are all gone

That would be nice. But moving the info into the DB isn't necessarily
the solution.

> Also, we can move to a pluggable authentication and support other
> mechanisms (LDAP, Basic HTTP Auth, Kerberos, etc..) and store user
> data in the db.

The question still stands: Do we really want server side _per session_
or was it just the way that seemed easiest to solve the problem at hand?

Tony Fraser
Sybaspace Internet Solutions                        System Administrator
phone: (250) 246-5368                                fax: (250) 246-5398
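The "keep the userdir outside the web root" point above is only as good as the check that enforces it: a userdir that is nominally outside the document root is still exposed if it resolves back inside it, or if a symlink under the document root leads into it and the server follows symlinks. The following audit is an added example written for this page, not code from the project or from either poster; the directory layout (an htdocs web root, a users/ directory holding username.conf, and a stray symlink) is constructed in a temp directory purely to exercise the checks.

```python
import os
import tempfile


def resolves_inside(path, root):
    """True if path, after symlink resolution, lies at or below root."""
    real_path = os.path.realpath(path)
    real_root = os.path.realpath(root)
    try:
        return os.path.commonpath([real_path, real_root]) == real_root
    except ValueError:  # paths on different drives (Windows)
        return False


def audit_userdir(docroot, userdir):
    """Return a list of findings describing how the web server could reach userdir.

    An empty list means userdir resolves outside docroot and nothing under
    docroot links into it.
    """
    findings = []
    if resolves_inside(userdir, docroot):
        findings.append(
            f"userdir resolves inside web root: {os.path.realpath(userdir)}")
    # os.walk does not follow symlinks by default, so a linked directory shows
    # up once in dirnames and is not descended into.
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) and resolves_inside(full, userdir):
                findings.append(
                    f"symlink under web root reaches userdir: {full} -> {os.readlink(full)}")
    return findings


def demo():
    """Run the audit over a constructed layout; returns the number of findings per case."""
    with tempfile.TemporaryDirectory() as base:
        docroot = os.path.join(base, "htdocs")
        good_userdir = os.path.join(base, "users")    # outside the web root
        bad_userdir = os.path.join(docroot, "users")  # inside the web root
        os.makedirs(docroot)
        os.makedirs(good_userdir)
        os.makedirs(bad_userdir)
        # Constructed sample of the kind of file the thread worries about.
        open(os.path.join(good_userdir, "username.conf"), "w").close()

        results = {}
        results["clean"] = len(audit_userdir(docroot, good_userdir))
        results["inside"] = len(audit_userdir(docroot, bad_userdir))
        # Now an admin "helpfully" links the users dir into the web root.
        os.symlink(good_userdir, os.path.join(docroot, "u"))
        results["symlinked"] = len(audit_userdir(docroot, good_userdir))
        return results


if __name__ == "__main__":
    print(demo())
```

The realpath step is what makes the comparison meaningful: a string-prefix check on the configured paths would pass the symlinked case, because the userdir string really is outside the document root. Running the audit from a deploy script, with the real DocumentRoot and userdir, turns the "goof in an apache config" risk into something that fails loudly before the server is restarted.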