
Re: [aclug-L] NT Security woes

To: aclug-L@xxxxxxxxxxxx
Subject: Re: [aclug-L] NT Security woes
From: Bob Deep <bobd@xxxxxxxxxxxx>
Date: Thu, 05 Nov 1998 09:25:25 -0600
Reply-to: aclug-L@xxxxxxxxxxxx

Karl Juhnke wrote:
> 
> Folks,
> 
> I confess that in my case "VB programmer" is shorthand for "doesn't have
> clue".  Nevertheless, even I am slowly learning enough to be frustrated by
> the limitations of Windows.

Well.. That means you are getting clues, so don't feel bad... What
Windows, the average default, single user based operating system has
limits??  No...

> I have just spent several days debugging a problem I have had with NT,
> IIS, and SQL server.  I have folks logging on to a Web site on NT, the web
> page runs code, the code tries to access the SQL server, access is denied.
> Access to the database shouldn't be denied, because the code is running as
> if it were the user IUSR_machinename, and the user IUSR_machinename has
> appropriate privileges on SQL server.
> 
> I finally was pointed to an article which explains that impersonation only
> works locally.  That is to say, IIS can verify across the network that you
> are who you claim to be, and it can impersonate you in that it can verify
> permissions on local resources, but it can't impersonate you across the
> network to get remote resources.

I know this is not a linux answer... But have you considered an ODBC
interface instead?

> I have three questions, no points for guessing right on the first one:
> 
> 1.  Can Linux/Apache handle this security problem which stumps NT/IIS?
> i.e., can Apache authenticate a remote request, and then impersonate the
> user making the request for the purpose of getting other resources on the
> network?

I can invent ways for this to happen, but I'm not sure it's an Apache
specific thing. If you need to run a script (Say a CGI script) as a
specific user, you could make this happen fairly easily.  But I would
strongly caution you to consider that there are security issues to
consider if you are going to allow this to happen over say, the
internet...  I've written CGI based systems that allowed system
administration tasks to be done with a common web browser and required
users to log in (user name/password).  We had various levels of access
allowed, from simple monitoring to full "bring it up and shut it down"
access... So, Yes it can be done and CGI is only one way.

> 2. How long has Linux/Apache been able to do this?

How long has CGI been in use?  Don't know....

> 3. What are the job prospects for a wayward developer who deep in his
> heart wants to reform himself?

Reform?  Programming is Programming, it does not matter what language it
is in or what platform it runs on...  Of course, some platforms seem to
be better than others for specific applications...I'd hate to have a
Cray inside my dish washer.... (Or the Microprocessor in my dish washer
in place of a Cray) but things are not that different for the
programmer.  It's a shame that many folks that hire programmers haven't
figured this out.  A good programmer is not defined by how many
languages he can claim to know, but by how well he can translate steps
in a process into such a language... (I don't care that you know C++, if
you cannot program a simple sort using it..)

Now, programmers use a mixture of art and engineering, and the practice
of programming ranges from complex abstractions, to brute force
solutions...  The only programmer that needs to reform is the one who
believes his is the only possible approach that could work..  So because
you obviously don't cling to Visual Basic as the only possible way, you
need no reform. Enlightenment, perhaps, but no reform.

-= bob =-
---
This is the Air Capitol Linux Users Group discussion list.  If you
want to unsubscribe, send the word "unsubscribe" to
aclug-L-request@xxxxxxxxxxxx.  If you want to post to the list, send your
message to aclug-L@xxxxxxxxxxxx.