I've been thinking about possible applications for a personal web server. What I have in mind is a server which runs as a given user and is only accessible by that user. The server could, for example, be started up when the user logs in, etc.

I realize that I could control the server's access by having the user log in, but that seems awkward. I'd rather have the server figure out that the request is coming from its "own" user. If the server is running on the same (Unixish) machine as the user, this should be possible to do, but I'm not sure how to approach it.

Alternatively, there might be some Kerberos (or whatever) magic to accomplish this. Anyway, I'm hoping for comments, clues, etc.

-r
--
email: rdm-go8te9J4rpw@public.gmane.org; phone: +1 650-873-7841
http://www.cfcl.com - Canta Forda Computer Laboratory
http://www.cfcl.com/Meta - The FreeBSD Browser, Meta Project, etc.
On 9/16/05, Rich Morin <rdm-go8te9J4rpw@public.gmane.org> wrote:
> I've been thinking about possible applications for a personal web
> server. What I have in mind is a server which runs as a given user
> and is only accessible by that user. The server could, for example,
> be started up when the user logs in, etc.
>
> I realize that I could control the server's access by having the
> user log in, but that seems awkward. I'd rather have the server
> figure out that the request is coming from its "own" user. If the
> server is running on the same (Unixish) machine as the user, this
> should be possible to do, but I'm not sure how to approach it.
>
> Alternatively, there might be some Kerberos (or whatever) magic to
> accomplish this. Anyway, I'm hoping for comments, clues, etc.

Rich,

I've got no real specifics for you, but some general thoughts on approach....

The script that starts the server could use native operating system functions to derive who the logged in user is (these methods will vary with every OS). Based on this acquired user information, it could look for a database configuration YAML in their home directory that connects the user to their own set of tables in your system... if separate tables for every user isn't an option or feasible in this instance, you could perhaps have a GUID of some sort in the application data folder of the user's home directory that distinguishes this user for your application.

I think in essence, what you're talking about creating is an intranet. At an old job in the bad old days of ASP 3.0 and VBScript, we did much the same... each machine was pre-configured to launch the default browser on startup, with its home page set to our local intranet. When the intranet launched, a script grabbed user information from their local login and returned it to our system, which logged them in to the intranet under their user name.

In the case of a new user that had never logged on to our system, we would populate a new user object with information obtained from Active Directory...

Just some thoughts.

HTH

Stephen
Look into the identd service. It also works across machines (though of course is less secure in that case).

On 9/16/05, Rich Morin <rdm-go8te9J4rpw@public.gmane.org> wrote:
> I've been thinking about possible applications for a personal web
> server. What I have in mind is a server which runs as a given user
> and is only accessible by that user. The server could, for example,
> be started up when the user logs in, etc.
>
> I realize that I could control the server's access by having the
> user log in, but that seems awkward. I'd rather have the server
> figure out that the request is coming from its "own" user. If the
> server is running on the same (Unixish) machine as the user, this
> should be possible to do, but I'm not sure how to approach it.
>
> Alternatively, there might be some Kerberos (or whatever) magic to
> accomplish this. Anyway, I'm hoping for comments, clues, etc.
>
> -r

_______________________________________________
Rails mailing list
Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
http://lists.rubyonrails.org/mailman/listinfo/rails
At 9:11 PM +0900 9/17/05, Patrick McCafferty wrote:
> Look into the identd service. It also works across machines
> (though of course is less secure in that case)

Interesting, thanks. Here is a cautionary write-up that I found, wi:

http://www.clock.org/~fair/opinion/identd.html

-r
All of those things are true, which is why I noted that running it on anything but the exact same box leaves you open for attack. If your user in question does not have root access (or does not have the ability to touch identd with his powers) then identd is reasonably secure on the same box. Once you start running it across the network, all bets are off. :)

However, it is one of your best options for determining what user initiated a given connection to your web server.

On 9/18/05, Rich Morin <rdm-go8te9J4rpw@public.gmane.org> wrote:
> At 9:11 PM +0900 9/17/05, Patrick McCafferty wrote:
> > Look into the identd service. It also works across machines
> > (though of course is less secure in that case)
>
> Interesting, thanks. Here is a cautionary write-up that I found,
> wi:
>
> http://www.clock.org/~fair/opinion/identd.html
>
> -r
I think the easiest way would be to just bind the webserver to 127.0.0.1, so only clients on the local box can connect to it. I guess this wouldn't work if you have multiple users logged in at the same time, though.

-Lee

On 9/16/05, Rich Morin <rdm-go8te9J4rpw@public.gmane.org> wrote:
> I've been thinking about possible applications for a personal web
> server. What I have in mind is a server which runs as a given user
> and is only accessible by that user. The server could, for example,
> be started up when the user logs in, etc.
>
> I realize that I could control the server's access by having the
> user log in, but that seems awkward. I'd rather have the server
> figure out that the request is coming from its "own" user. If the
> server is running on the same (Unixish) machine as the user, this
> should be possible to do, but I'm not sure how to approach it.
>
> Alternatively, there might be some Kerberos (or whatever) magic to
> accomplish this. Anyway, I'm hoping for comments, clues, etc.
>
> -r