Date: Wed, 31 Mar 1999 08:07:27 -0500
From: Mark Conway Wirt <mark@intrepid.net>
To: "W. Reilly Cooley" <wcooley@nakedape.navi.net>, Anthony Capone <capone@cap1.net>
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Web Based Script
Message-ID: <19990331080727.A26659@intrepid.net>
In-Reply-To: <Pine.LNX.4.10.9903292024350.26067-100000@rheingold>; from W. Reilly Cooley on Mon, Mar 29, 1999 at 10:12:41PM -0800
References: <002f01be7a62$26eb6fa0$018b97d1@ciaro.cap1.net> <Pine.LNX.4.10.9903292024350.26067-100000@rheingold>
On Mon, Mar 29, 1999 at 10:12:41PM -0800, W. Reilly Cooley wrote:
> I've considered a web-based interface for users to modify their
> configurations (mail forwarding, etc), but giving users access using their
> UNIX passwords through a web interface is a /big/ security hole. See
> http://www.apache.org/docs/misc/FAQ.html#passwdauth for an explanation.
> This might be reasonable, if, for example, you only permit access from
> within your net block. But even then it's sketchy...

Does it have to be Web based? We have a mail based one -- the user sends a
message to support with the subject of HOURS, and procmail kicks off a perl
script that mails them the information back. Seems to work well, and the nice
thing about it is a user can only check their hours, and it needs no
authentication. It checks the hours of the account that sent the mail, and
sends the results back to that address, so even if someone forges the "from"
header, they won't see the result....

--Mark

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990331080727.A26659>
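The mail-driven lookup Mark describes, written out as an added example (this is not his perl script or anything from the FreeBSD project). It is in Python rather than perl so the logic is easy to follow; the procmail recipe in the header comment, the domain example.net, the support address and the hours table are all assumptions made for the example. The property worth seeing in code is the one the message relies on: the reply is addressed to the canonical mailbox of the account derived from the sender, never to a Reply-To header, so forging the From or envelope sender only causes the real owner to receive their own hours.

```python
"""Answer "HOURS" requests by mail, with no password, as in the thread.

Assumed procmail recipe (hypothetical) that pipes matching mail into this
script, which reads the message on stdin:

    :0
    * ^Subject:[ \t]*HOURS[ \t]*$
    | /usr/local/bin/hours-reply
"""
import re
import subprocess
import sys
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

LOCAL_DOMAINS = {"example.net", "mail.example.net"}   # assumed ISP domains
SUPPORT_ADDR = "support@example.net"                  # assumed
HOURS = {"alice": 42.5, "bob": 7.0}                   # constructed usage data
USERNAME_RE = re.compile(r"[a-z][a-z0-9_-]{0,15}")    # assumed account naming


def sender_account(msg):
    """Return the local username that sent msg, or None.

    Checks the envelope sender (Return-Path, added by the MTA) first, then
    From, and accepts only addresses in our own domains. Reply-To is ignored
    on purpose: it is attacker-controlled, and honouring it would let a forger
    redirect another user's data to themselves.
    """
    for hdr in ("Return-Path", "From"):
        _, addr = parseaddr(msg.get(hdr, ""))
        if "@" not in addr:
            continue
        user, domain = addr.rsplit("@", 1)
        user = user.lower()
        if domain.lower() in LOCAL_DOMAINS and USERNAME_RE.fullmatch(user):
            return user
    return None


def build_reply(raw_message, hours=HOURS):
    """Parse one request and return the reply EmailMessage, or None if the
    sender is not one of our accounts (outsiders get no reply at all)."""
    msg = message_from_string(raw_message)
    user = sender_account(msg)
    if user is None:
        return None
    reply = EmailMessage()
    reply["From"] = SUPPORT_ADDR
    # Rebuild the recipient from the username: a forged sender at most sends
    # the genuine account owner their own hours, never the forger.
    reply["To"] = f"{user}@example.net"
    reply["Subject"] = "Re: HOURS"
    if msg["Message-ID"]:
        reply["In-Reply-To"] = msg["Message-ID"]
    used = hours.get(user)
    if used is None:
        reply.set_content(f"No usage record found for account {user}.\n")
    else:
        reply.set_content(f"Hours used this month for account {user}: {used:.1f}\n")
    return reply


def deliver(reply):
    """Hand the reply to a sendmail-compatible local MTA (assumed path)."""
    subprocess.run(["/usr/sbin/sendmail", "-t", "-oi"],
                   input=reply.as_bytes(), check=True)


# Constructed sample requests: legitimate, forged with a hostile Reply-To,
# and from an outside address that is not one of our accounts.
GOOD_REQUEST = """\
Return-Path: <alice@example.net>
From: Alice <alice@example.net>
To: support@example.net
Subject: HOURS
Message-ID: <1@alice.example.net>

"""
FORGED_REQUEST = """\
Return-Path: <bob@example.net>
From: Bob <bob@example.net>
Reply-To: attacker@evil.example
To: support@example.net
Subject: HOURS

"""
OUTSIDE_REQUEST = """\
Return-Path: <mallory@evil.example>
From: mallory@evil.example
To: support@example.net
Subject: HOURS

"""

if __name__ == "__main__":
    if not sys.stdin.isatty():            # invoked by procmail: real request
        r = build_reply(sys.stdin.read())
        if r is not None:
            deliver(r)
    else:                                 # run by hand: show the three cases
        for raw in (GOOD_REQUEST, FORGED_REQUEST, OUTSIDE_REQUEST):
            r = build_reply(raw)
            print("no reply" if r is None else f"reply goes to {r['To']}")
```

Run it with no stdin redirect to see the three constructed cases: the legitimate request is answered to alice@example.net, the forged one to bob@example.net (the attacker's Reply-To is never consulted), and the outside address gets nothing. The two things an implementer still has to get right are that the script trusts Return-Path only because the MTA rewrites it on local delivery, and that the account name feeds a table lookup, not a shell command.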