Re: Alternate login system
Ethan Trewhitt <gtg782a@mail.gatech.edu> wrote:
> I am working on a photo archive system for my school newspaper [...]
> Ideally, user "bud" would login using his normal account info and be
> chroot jailed into his own personal upload directory. He would then
> "claim" any photos with a web interface, importing them into the system.
Why not allow users to upload the photos using this same web interface?
Your users are not going to be uploading more than one or two photos in a
session, are they?
Chris
Re: Alternate login system
Chris Davies wrote:
> Why not allow users to upload the photos using this same web interface?
> Your users are not going to be uploading more than one or two photos in a
> session, are they?
Users will be uploading 10's of MB of photos, at full resolution. HTTP
upload is currently offered, but even on slower broadband connections
this is pretty slow. HTTP offers very little status about the progress
of an upload and doesn't support resuming.
--
eth'nT
http://www.hydrous.net
aim: courtarro
Re: Alternate login system
Could you offload the authentication to an LDAP server? That way you
could still use the chroot patch without having to manage a separate
authentication mechanism. PAM must be used for this to work though
(pam_ldap extension).
OT: Please get Reggie Ball some glasses so he will stop throwing
interceptions. :)
Ethan Trewhitt wrote:
> I am working on a photo archive system for my school newspaper. I would
> like to offer users the ability to upload files via SCP, but I don't
> want people to have full shell access, nor access to the files of other
> users.
>
> Ideally, user "bud" would login using his normal account info and be
> chroot jailed into his own personal upload directory. He would then
> "claim" any photos with a web interface, importing them into the system.
>
> I could normally accomplish this with SSH + the chroot patch, but that
> requires that each user have his/her own account on the Linux box. Is it
> possible to have Linux use MySQL or a PHP/Perl script as a driver for
> the login system, requesting login credentials from that script rather
> than the usual /etc/passwd method?
>
> Otherwise, is there a better way to accomplish what I've described?
>
--
irish
Re: Alternate login system
irish wrote:
> PAM must be used for this to work though
> (pam_ldap extension).
Correction: (pam_ldap library).
I also found this link which may be of help:
http://www.saas.nsw.edu.au/solutions/ldap-auth-pam.html
--
irish
Re: Alternate login system
Ethan Trewhitt wrote:
> I am working on a photo archive system for my school newspaper. I would
> like to offer users the ability to upload files via SCP, but I don't
> want people to have full shell access, nor access to the files of other
> users.
On the creative side, you can use AppArmor to create a shell with
limited privileges. Just an option, especially if you use SUSE.
>
> Ideally, user "bud" would login using his normal account info and be
> chroot jailed into his own personal upload directory. He would then
> "claim" any photos with a web interface, importing them into the system.
>
> I could normally accomplish this with SSH + the chroot patch, but that
> requires that each user have his/her own account on the Linux box. Is it
> possible to have Linux use MySQL or a PHP/Perl script as a driver for
> the login system, requesting login credentials from that script rather
> than the usual /etc/passwd method?
My soln above assumes the users have accounts. Certainly you can
use PAM to authenticate against whatever you want. Another option for
you to look at.
>
> Otherwise, is there a better way to accomplish what I've described?
>
Having accounts makes some things easier.... but the PAM idea is
one way to keep from having to have "normal" user accounts for
a particular service. Restricting the user somehow after that
might require a jail or AppArmor though.
Re: Alternate login system
Chris Cox wrote:
> Having accounts makes some things easier.... but the PAM idea is
> one way to keep from having to have "normal" user accounts for
> a particular service. Restricting the user somehow after that
> might require a jail or AppArmor though.
"irish" mentioned the pam_ldap library, and now that I think about it, I
suppose PAM is the best way to go about this. I have some homework to do
before I understand fully how PAM works, but it sounds like a step in
the right direction. Is it possible to create a custom PAM library
without too much work?
It might just be easier to write a set of scripts to sync the *nix user
database with the one stored in MySQL. :)
--
eth'nT
http://www.hydrous.net
aim: courtarro
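Ethan's fallback idea, a set of scripts that mirror the MySQL user table into the *nix account database, is simple enough to sketch. The script below is an added example, not code from Ethan or anyone else in the thread: it reads an exported copy of the users table and prints, rather than runs, the account commands, validating each name first so a row edited through the web application can never become a shell fragment. The export format (tab-separated "username uid", as "mysql -N --batch" emits), the group "photo-upload", the upload root "/srv/upload" and the nologin shell are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: plan the commands that mirror rows
# from an exported copy of the newspaper's MySQL users table into the
# local account database.  Dry run only: it prints commands and never
# executes them.  The export format (tab-separated "username uid", as
# "mysql -N --batch" emits), the group "photo-upload" and the upload root
# /srv/upload are assumptions.

# Accept only names useradd itself would accept.  Rejecting anything else
# means a row edited through the web application cannot turn into a shell
# fragment when the printed commands are eventually run.
valid_username() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Read "username<TAB>uid" rows on stdin; print one line per action.
# Existing accounts are left alone, so re-running the script is safe.
plan_user_commands() {
    upload_root=${1:-/srv/upload}
    group=${2:-photo-upload}
    printf 'groupadd -f %s\n' "$group"
    while IFS="$(printf '\t')" read -r name uid; do
        [ -n "$name" ] || continue
        if ! valid_username "$name"; then
            printf '# skip (invalid name): %s\n' "$name"
            continue
        fi
        case $uid in
            ''|*[!0-9]*) printf '# skip (bad uid): %s\n' "$name"; continue ;;
        esac
        # $name is already validated, so it is safe inside the grep pattern.
        if grep -q "^$name:" /etc/passwd; then
            printf '# exists: %s\n' "$name"
            continue
        fi
        # No login shell: the account exists only so sshd can authenticate
        # it and hand it to a forced command such as internal-sftp.
        printf 'useradd -u %s -g %s -d %s -s /usr/sbin/nologin -M %s\n' \
            "$uid" "$group" "$upload_root/$name" "$name"
        # Jail root stays root-owned (sshd requires it); the user gets a
        # writable subdirectory for uploads.
        printf 'install -d -o root -g root -m 755 %s\n' "$upload_root/$name"
        printf 'install -d -o %s -g %s -m 750 %s/incoming\n' \
            "$name" "$group" "$upload_root/$name"
    done
}

# Usage (constructed sample rows standing in for the MySQL export):
# printf 'bud\t5001\nroot\t0\n' | plan_user_commands /srv/upload photo-upload
```

Piping the output into sh after reviewing it turns the dry run into the real sync; keeping the two steps separate is what makes a cron-driven version of this safe to audit.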
Re: Alternate login system
irish wrote:
> Could you offload the authentication to an LDAP server? That way you
> could still use the chroot patch without having to manage a separate
> authentication mechanism. PAM must be used for this to work though
> (pam_ldap extension).
PAM sounds like a step in the right direction - see my response to Chris
Cox.
> OT: Please get Reggie Ball some glasses so he will stop throwing
> interceptions. :)
Haha, I wish I could. He's been the subject of a lot of hate on campus
this week, so some of us are trying to get a bit more support for him
going into the ACC tourney. He did, after all, get us this far. UGA has
a bad habit of trouncing us in a variety of sports even when we're the
statistical favorite.
--
eth'nT
Re: Alternate login system
Ethan Trewhitt wrote:
> I am working on a photo archive system for my school newspaper. I would
> like to offer users the ability to upload files via SCP, but I don't
> want people to have full shell access, nor access to the files of other
> users.
>
Did you know rbash (Restricted Shell)?
Re: Alternate login system
Ethan Trewhitt wrote:
> Chris Cox wrote:
>>Having accounts makes some things easier.... but the PAM idea is
>>one way to keep from having to have "normal" user accounts for
>>a particular service. Restricting the user somehow after that
>>might require a jail or AppArmor though.
>
> "irish" mentioned the pam_ldap library, and now that I think about it, I
> suppose PAM is the best way to go about this. I have some homework to do
> before I understand fully how PAM works, but it sounds like a step in
> the right direction. Is it possible to create a custom PAM library
> without too much work?
>
> It might just be easier to write a set of scripts to sync the *nix user
> database with the one stored in MySQL. :)
>
It's not hard to create your own.. you might want to look at the ones
out there already.. you may be able to use it without mods... or at
least use it as a baseline for your own custom mods.