Hrm, certainly some interesting notes here. I was outside the List
talking with Jim Lawson with some of his ideas that could've possibly
helped, if it weren't for my unique situation.
We're talking maybe around one hundred PHP documents? But jumble in some
photos, PDFs, Word documents, etc. into it, and I would say close to one
hundred non-PHP as well then... as it would be a staff resources page...
there would be interactive web-based PHP forms that add database
information, as well as send emails... or downloadable forms/documents
that are useful. On top of that there would be certain directories or
folders where only specific members of subgroups could have access....
so it gets very confusing for someone on the outside that doesn't
necessarily see the directory tree/group model.
I will be updating this database myself, as well as a few other members
of our staff who are on the IT team, and perhaps one or two others we
show how it works and allow them to do it (the management itself is PHP
based as well)... the people who are allowed to edit the directory are
authenticated by who they are logged in as using my current LDAP auth
scheme, which will change if I switch over to .htaccess.
However, my most recent development was using PHP to connect via SFTP
and overwrite the .htaccess file based on the results from the database.
I found some code quickly that looks like it might work, I'll have to
test it of course:
$connection = ssh2_connect('shell.example.com', 22);
if ($connection === false) { die('ssh2_connect failed'); }
// ssh2_auth_pubkey_file() avoids keeping a password in the script
ssh2_auth_password($connection, 'username', 'password');
$sftp = ssh2_sftp($connection);
// open with 'w' (not 'r') to overwrite the remote file; intval() gives the
// resource id that the ssh2.sftp:// stream wrapper expects
$stream = fopen('ssh2.sftp://' . intval($sftp) . '/path/to/file', 'w');
The idea is then that I will be authenticated as our web directory user
(rlweb) and therefore don't have to worry about the obvious security hole
of having a publicly writable .htaccess.
The /admin/ folder within the application that allows for editing of the
MySQL database to add/remove users to the directory can have an .htaccess
file too, which I will manually edit to allow the 4-5 users that will
have access to editing the database.
On top of this... we won't be asking for NetIDs and passwords like my
previous LDAP authentication scheme did... obviously the general
preferred method is with .htaccess, so I'd like to evolve my application
to do so.
Thanks for everyone's continued help on this by the way.
Wesley Alan Wright wrote:
> 1) How many non-php documents are in the protected space? can you
> "phpize" them, such that your LDAP authorization scheme DOES protect
> everything? Then you can open Authentication to all.
> 2) Who or what updates this database? If you are using a web
> application to perform the updates, you can have that same application
> update .htaccess every time someone uses the webapp to update the
> database. A byproduct of .htaccess authentication is that the
> authenticated PHP script has write access to the file system as that
> authenticated user.
> The problem here is that you'll need either one Authoritative NetID by
> which everyone who performs the updates authenticates, or ask SAA to
> relax SAFE mode to GUID (Group ID) for that directory. Then any
> authenticated ID in group whatever can have write access to .htaccess
> (provided you have all the right file permissions and unix group
> assignments and all that).
> The latter method is preferred, but it has another limitation:
> somebody now has to administer the group. This would need to be
> restricted to a small group of stable members outside the list of
> people that get moved in and out of the .htaccess files.
> Tricky no matter what you do. Do you really need all this privacy and
> security? "You have zero privacy anyway, so Get Over It." Scott
> McNealy (Sun Microsystems, 1999)
> On Jul 20, 2009, at 2:21 PM, Tyler Whitney wrote:
>> Tyler Whitney wrote:
>>> We use this combination of things in other areas... however, the
>>> scope of our project does not allow for the use of such things in
>>> Really the systems are already built, the real immediate concern is
>>> finding a way to auto-update our .htaccess files when the database
>>> is updated... without having to manually edit them. I'm not sure if
>>> someone has a good way... but I'm sure it could be done without
>>> cron... it just means my PHP script must be able to write to the
>>> .htaccess files. I have written a PHP authentication script that
>>> authenticates off of our LDAP and then checks and makes sure they
>>> are in our internal database... the problem is that it only protects
>>> PHP files and not entire directories... which is why we decided to
>>> go with the .htaccess.
>>> Thanks for any more ideas anyone might have.
>>> Steve Cavrak wrote:
>>>> Have you considered using Active Directory + Sharepoint + Access
>>>> ... it's possible the whole work flow would be smoother ... both
>>>> for the developers, the users, and the managers ...
> | Wesley Alan Wright <mailto:[log in to unmask]> |
> | Academic Computing Services __0__ |
> | Room 407 Lafayette Building / \ | \ |
> | University of Vermont \77 |
> | Burlington, Vermont 05405-0160 USA. \\ http://www.uvm.edu/skivt-l |
> | Voice:802-656-1254 FAX:802-???-???? vv |
> | aim:goim?screenname=maddogskideath http://www.uvm.edu/~waw/ |
/ | | | _ ._ \ /|_ o_|_ ._ _ |
/ | |\/|(/_| \/\/ | || |_ | |(/_\/ |
* | / / |
| | IT Support Specialist |
| | Department of Residential Life |
| | The University of Vermont |
| | |
| | P: 802.656.7937 |
| | E: [log in to unmask] |
| | |
| | A: Robinson Hall |
| | The University of Vermont |
| | Burlington, VT 05405 |
| | |
| / /
| / /
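Putting Tyler's SFTP idea and Wesley's "let the web application update the access files" suggestion together, here is an added example (not code from either post, and not the department's application). It generates one Apache AuthGroupFile from the directory rows, keeps a fixed per-subgroup .htaccess that just says "Require group", validates the NetIDs before they reach the file, and pushes the result over SFTP as the rlweb user with key authentication and a pinned host key instead of a password in the script. The table columns, host-key fingerprint, key-file locations and remote paths are assumptions; the rows are constructed inline so the generation part runs without a database or an SSH server.

```php
<?php
// Added example for this thread, not code from the original posts.
// Assumed/hypothetical: the columns (netid, subgroup), the remote paths,
// the pinned host-key fingerprint and the key-file locations.
declare(strict_types=1);

const REMOTE_GROUP_FILE = '/home/rlweb/auth/.htgroup';   // assumed; outside DocumentRoot
const REMOTE_USER_FILE  = '/home/rlweb/auth/.htpasswd';  // assumed; outside DocumentRoot
const SSH_HOST          = 'shell.example.com';           // host from the original snippet
const PINNED_HOSTKEY    = 'replace-with-recorded-md5-fingerprint'; // assumed; record it out of band

// Constructed rows standing in for "SELECT netid, subgroup FROM directory".
$rows = [
    ['netid' => 'jsmith', 'subgroup' => 'it'],
    ['netid' => 'mjones', 'subgroup' => 'it'],
    ['netid' => 'mjones', 'subgroup' => 'housing'],
    // A row like this (typed into the /admin/ form) must never reach the file:
    ['netid' => "bad\nRequire valid-user", 'subgroup' => 'housing'],
];

/** A NetID or group name must look like one; whitespace or a newline would inject a directive. */
function validToken(string $s, int $max): bool
{
    return (bool) preg_match('/^[A-Za-z0-9._-]{1,' . $max . '}$/', $s);
}

/** Render AuthGroupFile syntax: "group: user user ...", one line per subgroup. */
function buildGroupFile(array $rows): string
{
    $groups = [];
    foreach ($rows as $r) {
        if (!validToken($r['netid'], 64) || !validToken($r['subgroup'], 32)) {
            error_log('skipping malformed row: ' . json_encode($r));
            continue;
        }
        $groups[$r['subgroup']][$r['netid']] = true;   // de-duplicates members
    }
    ksort($groups);
    $out = '';
    foreach ($groups as $g => $members) {
        $ids = array_keys($members);
        sort($ids);
        $out .= $g . ': ' . implode(' ', $ids) . "\n";
    }
    return $out;
}

/** The per-directory .htaccess never changes; membership lives in the group file. */
function buildHtaccess(string $group): string
{
    return "AuthType Basic\nAuthName \"Staff Resources\"\n"
         . 'AuthUserFile ' . REMOTE_USER_FILE . "\n"
         . 'AuthGroupFile ' . REMOTE_GROUP_FILE . "\n"
         . "Require group $group\n";
}

/** Write a temp file, then mv -f it over the target so Apache never sees a half-written or missing file. */
function sftpPutAtomic($conn, $sftp, string $remotePath, string $content): void
{
    $tmp = $remotePath . '.tmp.' . getmypid();
    $fh  = fopen('ssh2.sftp://' . intval($sftp) . $tmp, 'w');
    if ($fh === false || fwrite($fh, $content) !== strlen($content)) {
        throw new RuntimeException("write to $tmp failed");
    }
    fclose($fh);
    // SFTP v3 rename refuses to overwrite an existing file, so use rename(2) via mv on the server.
    $cmd = 'mv -f ' . escapeshellarg($tmp) . ' ' . escapeshellarg($remotePath);
    $out = ssh2_exec($conn, $cmd);
    stream_set_blocking($out, true);
    stream_get_contents($out);   // wait for the command to finish
    fclose($out);
}

$groupFile = buildGroupFile($rows);
echo $groupFile;   // prints "housing: mjones" and "it: jsmith mjones"; the bad row is skipped

if (getenv('PUSH') === '1') {   // only contact the server when explicitly asked
    $conn = ssh2_connect(SSH_HOST, 22);
    if ($conn === false) {
        throw new RuntimeException('connect failed');
    }
    // Pin the host key: otherwise a spoofed host could collect the rlweb login.
    $fp = ssh2_fingerprint($conn, SSH2_FINGERPRINT_MD5 | SSH2_FINGERPRINT_HEX);
    if (!hash_equals(PINNED_HOSTKEY, $fp)) {
        throw new RuntimeException("host key mismatch: $fp");
    }
    // Key auth as rlweb instead of a password in the script (assumed key paths).
    if (!ssh2_auth_pubkey_file($conn, 'rlweb', '/etc/rlweb/id_rsa.pub', '/etc/rlweb/id_rsa')) {
        throw new RuntimeException('auth failed');
    }
    $sftp = ssh2_sftp($conn);
    sftpPutAtomic($conn, $sftp, REMOTE_GROUP_FILE, $groupFile);
    foreach (['it', 'housing'] as $g) {   // assumed directory layout
        sftpPutAtomic($conn, $sftp, "/home/rlweb/public_html/staff/$g/.htaccess", buildHtaccess($g));
    }
}
```

Two design points worth noting. Regenerating a single group file, rather than rewriting each directory's .htaccess, means the .htaccess files can be written once and left alone, and the temp-file-plus-mv step matters because Apache treats a missing .htaccess as "no restriction" for the moment it is absent. The validToken check is the real security boundary here: the rows come from the admin form, and a NetID containing a newline would otherwise become an extra directive in a file the web server obeys. As Wesley's reply points out, whatever process can write these files is effectively an administrator of the access control, so it should run only for the small, stable set of people who may edit the database.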