What's that?
Once you need access control over your CGI scripts, you start implementing different authentication schemes. If you want password-protected scripts, you need to assign each user a login/password pair, which is a hassle from the beginning. Now suppose you have more than one CGI script and you don't want a user who has access to one specific tool to have access to all of them. Moreover, you might want to let 2 users of the same tool access different directories. You can't use the same tool for that, since once you give access to the tool it will work anywhere, unless you use symbolic links, which is not always a good solution. So here comes the nightmare of maintaining a DB of users in each directory for each tool! Does this scenario sound familiar to you?
Here is the solution: maintain one central DB of users' passwords (.htpasswd, for example) in one directory, and make all users authenticate (enter a login/password pair) against it by copying the .htaccess file to each directory. You don't have to change it; let it point to your main .htpasswd file.
Now my tool comes into action. Since all users are authenticated, the environment variable REMOTE_USER is set, so you always know who is who. In the Access DataBase you have permission tables for each of your users (actually, only for the users you want to have access). The DataBase has 4 levels of security: user::dir::tool::action. So, as explained before, you can restrict a user to a given action of a tool on directory dir. To make things easier I wrote the following macros:
(actions can be 'read', 'write', 'run' or whatever you think about)
Once filling of the DB has started, the webmaster can change the CGI scripts' authentication mechanism to query the DB with these 4 parameters and get 'Access granted' or 'denied' according to the DB records.
A user can be allowed to perform anything by setting add($user,'all'). To allow a user to use any tool on a specific directory use add($user, $dir, 'all'). To allow a user to use any action of a specific tool on a specific directory use add($user, $dir, $tool, 'all').
The reverse macros are for permission removal: remove($user, 'all') will remove any rights that have been assigned to $user. The same logic applies to remove($user, $dir, 'all') and remove($user, $dir, $tool, 'all').
To print out a piece of the DB use dump(). dump() will print the whole DB, dump($user) will dump the permission table for $user, dump($user, $dir) will dump the permission table for $user on $dir, and dump($user, $dir, $tool) will dump the permission table for $user on $dir for $tool.
You need Perl5 and the MLDBM and Data::Dumper Perl modules in order to run this tool (get them from CPAN).
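The four-level lookup and the 'all' wildcard described above, as an added example that is not taken from Access.pm: grant() and is_allowed() are hypothetical names, the table is an in-memory hash rather than an MLDBM file, and the users and paths are constructed. In a CGI script the first argument to is_allowed() would be $ENV{REMOTE_USER}.

```perl
use strict;
use warnings;

# In-memory stand-in for the permission DB: $db{user}{dir}{tool}{action} = 1.
# The string 'all' in place of a sub-table grants everything below that level.
my %db;

# Hypothetical helper (not Access.pm's add()): grant($user, [$dir, [$tool,]] $what)
sub grant {
    my ($user, @path) = @_;
    my $leaf = pop @path;
    die "a specific action needs user, dir and tool\n" if $leaf ne 'all' && @path != 2;
    my $slot = \$db{$user};
    for my $key (@path) {
        return if defined $$slot && !ref $$slot;   # a broader 'all' already covers it
        $$slot ||= {};
        $slot = \${$slot}->{$key};
    }
    return if defined $$slot && !ref $$slot;
    if ($leaf eq 'all') { $$slot = 'all' }
    else                { $$slot ||= {}; ${$slot}->{$leaf} = 1 }
    return;
}

# Hypothetical lookup: walk user -> dir -> tool -> action, denying by default.
sub is_allowed {
    my ($user, $dir, $tool, $action) = @_;
    return 0 unless defined $user && length $user;  # REMOTE_USER unset: not authenticated
    my $node = $db{$user};
    for my $key ($dir, $tool, $action) {
        return 0 unless defined $node;               # no record at this level
        return 1 if !ref($node) && $node eq 'all';   # wildcard at this level
        return 0 unless ref($node) eq 'HASH';
        $node = $node->{$key};
    }
    return $node ? 1 : 0;
}

# Constructed sample records and queries.
grant('admin', 'all');
grant('alice', '/cgi-bin/reports', 'all');
grant('bob',   '/cgi-bin/reports', 'stats.pl', 'read');

for my $q (['admin', '/any/dir', 'x.pl', 'write'],
           ['alice', '/cgi-bin/reports', 'stats.pl', 'run'],
           ['bob',   '/cgi-bin/reports', 'stats.pl', 'read'],
           ['bob',   '/cgi-bin/reports', 'stats.pl', 'write'],
           [undef,   '/cgi-bin/reports', 'stats.pl', 'read']) {
    printf "%-6s %-17s %-9s %-6s => %s\n", (map { defined $_ ? $_ : '(none)' } @$q),
        is_allowed(@$q) ? 'Access granted' : 'Access denied';
}
```

The first three queries are granted; bob's 'write' and the request with no authenticated user are denied because no record matches.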
Important: If your DB entry per user is bigger than 1k, SDBM and ODBM will fail to store values, so you need to get Berkeley DB (DB_File) or GDBM (GDBM_File) and change the line in Access.pm to call the appropriate DB by
use MLDBM qw(GDBM_File);
or
use MLDBM qw(DB_File);
And you had better get perl5.004, since I have had problems working with big DB files while using perl5.003.
Current version: 1.03
For More Description, Examples, Installation, Usage and Change Log -- Please refer to the Documentation.
Download 1.02 access.zip or access.tar.gz
Now 1.03 adds:
Additional Installation notes:
All you have to do is locate the default variable settings in the module and change them to fit your site.