Home | Hardware | Internet News |Web Hosting |IT Management |Network Storage
LinuxPlanet
Search 
  Power Search | Tips 

 Front Door
 Discussion
 LinuxEngine
 Opinions
 Reports
 Reviews
 Tutorials
 News
 Technology Jobs

 Browse by subject.
Free Newsletter

Linux Planet
 Linux Today
More Free Newsletters

Be a Commerce Partner



internet.com
IT
Developer
Internet News
Small Business
Personal Technology
International

Search internet.com
Advertise
Corporate Info
Newsletters
Tech Jobs
E-mail Offers
Print this article
Email this article
   LinuxPlanet / Tutorials


Security and Apache: An Essential Primer
Mandatory Versus Discretionary Access Control

Ken Coar
Monday, February 21, 2000 10:50:08 PM

There are two basic types of access control: those that verify who you say you are, and those that verify who you really are. The three basic verification methods are to check

  1. what you have,
  2. what you know, or
  3. what you are

or even some combination of these. In common noncomputer usage, an example of the "what you have" method would be having the key to a padlock; you can get in if you do. "What you know" is the method used to keep other people out of your account; if they don't know your password, tough luck for them. And "what you are" is coming into prominent play in criminal investigations, as DNA patterns are admitted as evidence.

The best security systems use a combination. Your bank's teller machines, for instance, use a combination of the first two methods: you need to have the ATM card, and know the PIN associated with the card (or the account).

But what's all this noise about discretionary and mandatory, you ask? Put simply, discretionary control (DAC) mechanisms check the validity of the credentials given them at the discretion of the user, and mandatory access controls (MAC) validate aspects that the user cannot control. For instance, anyone can give you a username and password and you can then log in with them; which username and password you supply is at your discretion, and the system can't tell you apart from the real owner. Your DNA is something you can't change, though, and a control system that only allowed access to your pattern would never work for anyone else--and you couldn't pretend to be someone else, either. This makes such a system a mandatory (also called non-discretionary) access control system.

In Web terms, and Apache terms in particular, discretionary controls are based on usernames and passwords, and mandatory controls are based on things like the IP address of the requesting client.

Another way to keep discretionary versus non-discretionary controls straight is to think about the way failures are handled: if you fail a discretionary check (such as if you misspell your password), you get another chance--but if a mandatory check fails, you get a "forbidden" error rather than "not authorized," and there's no way to say "give me another chance" without starting from scratch and requesting the page again as though for the first time. And unless something's changed on the server, even retrying isn't going to make a difference; you'll still be locked out.

Authentication versus Authorization
Authentication is the process of verifying that credentials are correct--that is, that the username is in the database and the password is correct for the username. Authorization is the process of checking to see if a validated client is permitted to access a particular resource. For instance, Bob may have correctly supplied his username and password, but still not be able to access Jane's file because she hasn't included him in the authorization list for it.

In Apache, almost all of the security-related modules actually do both. The main feature that distinguishes them from each other is their authentication aspect; mostly, they let you store the valid credential information in one or another format. The mod_auth module, for instance, looks in normal text files for the username and password info, and mod_auth_dbm looks in a DBM database for it. They handle the authorization side of their task in essentially identical ways, however.

The security modules are passed the information about what authentication databases to use via directives, such as AuthUserFile or AuthDBMGroupFile. The resource being protected is determined from the placement of the directives in the configuration files; in this example: 

    <Directory /home/johnson/public_html>
        <Files foo.bar>
            AuthName "Foo for Thought"
            AuthType Basic
            AuthUserFile /home/johnson/foo.htpasswd
            Require valid-user
        </Files>
    </Directory>

the resource being protected is "any file named foo.bar" in the /home/johnson/public_html directory or anywhere underneath it. Likewise, the identification of which credentials are authorized to access foo.bar is stated by the directives--in this case, any user with valid credentials in the /home/johnson/foo.htpasswd file can access it.

Next: Realms: Areas of Controlled Access »

Skip Ahead

1 Maxwell's Demon and Hat Colour
2 Mandatory Versus Discretionary Access Control
3 Realms: Areas of Controlled Access
4 Apache Security Processing Phases
5 Restricting by IP Address
6 Labelling and Inheritance
7 The Standard Apache Security Modules
8 Which Database is Authoritative?
9 Conclusions/For More Information





Linux is a trademark of Linus Torvalds.


internet.com home | search | help! | about us

Jupiter Online Media

internet.comearthweb.comDevx.commediabistro.comGraphics.com

Search:

Jupitermedia Corporation has two divisions: Jupiterimages and JupiterOnlineMedia

Jupitermedia Corporate Info


Legal Notices, Licensing, Reprints, & Permissions, Privacy Policy.

Web Hosting | Newsletters | Tech Jobs | Shopping | E-mail Offers