Access.pm
Access - DataBase System for Securing CGIs
use Access;
- add($user, $dir, $tool, $action);
  Add permission to $user to use $action of $tool on $dir
- dump($user, $dir, $tool);
  Dump permissions table (See dump macros)
- remove($user, $dir, $tool, $action);
  Remove permission to $user to use $action of $tool on $dir
- query($user, $dir, $tool, $action);
  Query whether $user is allowed to use $action of $tool on $dir
Note: $res will contain the result of execution: 1 for success, 0 for
failure (for query, 1 means 'permission granted' and 0 means 'denied').
Note: you must call the subroutines of this package with their full
names (Access::add() and so on). The package doesn't let you import the
subroutines' names into your script's namespace because of the very high
risk of name collision (the names are add, remove, dump and query).
DB Name
- $Access::mldb_name = 'cpk_test';
  Change the name of the DB, e.g. to cpk_test.
Add macros:
- add($user, 'all');
  Grant to $user permission to perform any action of any tool on every dir
- add($user, $dir, 'all');
  Grant to $user permission to perform any action of any tool on $dir
- add($user, $dir, $tool, 'all');
  Grant to $user permission to perform any action of $tool on $dir
Remove macros:
- remove($user, 'all');
  Deny permission to $user to perform any action of any tool on every dir
- remove($user, $dir, 'all');
  Deny permission to $user to perform any action of any tool on $dir
- remove($user, $dir, $tool, 'all');
  Deny permission to $user to perform any action of $tool on $dir
Dump macros:
- dump($user);
  Dump permission table for $user
- dump($user, $dir);
  Dump permission table for $user on $dir
- dump($user, $dir, $tool);
  Dump permission table for $user on $dir for $tool
This package helps a webmaster centralize the security of CGI scripts.
Instead of keeping, for each tool, a separate database of allowed
members and the actions they can perform (and the dir on which each
action may be performed), a single central DB is used. Through the
package's API the webadmin can add/remove/dump access rights by four
fields: user, dir, tool, action.
Once the DB has been filled, the webmaster can change the CGI
scripts' authentication mechanism to query the DB with these 4
parameters and get 'Access granted' or 'denied' based on the DB records.
To ease DB management, macros have been introduced.
A user can be granted permission to perform anything with
add($user, 'all'). To allow a user to use any tool on a specific
directory use add($user, $dir, 'all'). To allow a user to use any action
of a specific tool on a specific directory use
add($user, $dir, $tool, 'all').
The reverse macros are for permission removal: remove($user, 'all')
will remove any rights that have been assigned to $user. The same
logic applies to remove($user, $dir, 'all') and
remove($user, $dir, $tool, 'all').
To print out a piece of the DB use dump(). dump() will print the whole
DB, dump($user) will dump permission table for $user, dump($user, $dir)
will dump permission table for $user on $dir, dump($user, $dir, $tool)
will dump permission table for $user on $dir for $tool.
Important: You can't assign the value 'all' to some field with add()
and then call remove() on the same field with a non-'all' value. The
package just doesn't know what the complement values to 'all' are.
To make it clear, check this:
add('foo', 'bar', 'noo', 'all');
remove('foo', 'bar', 'noo', 'read');
                             ^^^^
If the package knew the values for the set subtraction
'all'-'read' (e.g. write, execute), it would be possible to
assign the complement values to 'read'...
But it will work perfectly the other way around:
add('foo', 'bar', 'noo', 'read');
remove('foo', 'bar', 'noo', 'all');
use lib "path_to_access";
use Access;
# Specify the name of the db to use. If you don't specify it, it will be the one
# hardcoded in the code (you can change the default name in the code)
$Access::mldb_name = 'cpk_test';
# For making sure you will not make collisions in namespace call
# with full module syntax
Access::add (qw(Stas stas_path wwwboard read));
print "Found\n" if Access::query(qw(Stas stas_path wwwsearch read));
Access::dump();
Access::remove(qw(Stas stas_path wwwsearch all));
Access::query(qw(Stas stas_path wwwsearch read));
I wrote a script so you can perform all the actions from the shell.
It's in the same directory as Access.pm
Usage: access.pl [[-option value]..]
The options are
-c [add|remove|query|dump]
-u username
-d directory
-t tool
-a action
Whenever we perform an insert/modify we must go through a $tmp value because of a limitation of
multidimensional array storage in MLDBM. We use it only in the delete/modify subroutines:
$tmp = $wdb{$user};
$tmp->{$tool} = 1;
$wdb{$user} = $tmp;
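Why the $tmp step matters for access control, as an added example (not code from Access.pm): with MLDBM a nested delete on the tied hash changes only a deserialized copy, so a revocation written that way leaves the permission on disk without any error. The scratch DB path, the two-level user/tool layout and the sub names are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_CREAT O_RDWR);
use File::Temp qw(tempdir);
use MLDBM;    # defaults: SDBM_File backend, Data::Dumper serializer

# Scratch database in a temp dir (assumption: not the module's real DB file).
my $dir = tempdir(CLEANUP => 1);
tie my %wdb, 'MLDBM', "$dir/demo", O_CREAT | O_RDWR, 0600
    or die "cannot tie MLDBM: $!";

# Grant: fetch the record, change the copy, store it back (the $tmp pattern).
sub grant {
    my ($user, $tool) = @_;
    my $tmp = $wdb{$user} || {};
    $tmp->{$tool} = 1;
    $wdb{$user} = $tmp;
}

# Broken revoke: $wdb{$user} is a freshly deserialized copy, so the delete
# never reaches the file. No error or warning is raised.
sub revoke_direct {
    my ($user, $tool) = @_;
    delete $wdb{$user}{$tool} if exists $wdb{$user};
}

# Correct revoke: same fetch / modify / store cycle as grant().
sub revoke {
    my ($user, $tool) = @_;
    my $tmp = $wdb{$user} or return;
    delete $tmp->{$tool};
    $wdb{$user} = $tmp;
}

# Default deny: anything not explicitly stored as true is refused.
sub allowed {
    my ($user, $tool) = @_;
    my $rec = $wdb{$user};
    return $rec && $rec->{$tool} ? 1 : 0;
}

grant('Stas', 'wwwboard');                     # constructed sample record
revoke_direct('Stas', 'wwwboard');
print "after direct delete: allowed=", allowed('Stas', 'wwwboard'), "\n";
revoke('Stas', 'wwwboard');
print "after \$tmp revoke:   allowed=", allowed('Stas', 'wwwboard'), "\n";

untie %wdb;
```

When reviewing code that stores permissions in MLDBM, check every write path for the store-back step; re-reading the record after a revoke is a cheap way to confirm the change was persisted.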
- 1.02
  A few bugs in dump() have been fixed 11/13/97
- 1.01
  The first draft has been written on 11/04/97 by Stas, Bekman <sbekman@iil.intel.com>
Stas, Bekman <sbekman@iil.intel.com>
perl(1).