
#1 2010-12-03 14:35:52

action_owl
Member
From: WWW, The Internet 127.0.0.1
Registered: 2009-08-15
Posts: 73

Applying Linux Group Ideology to Web Applications

I have built a database driven web application that has a user and group system that works in a similar way to how Linux handles user access.

Brief explanation:

A user can access various resources, the resources are assigned to a single group and users can have many groups.

Users

id   name  
--   -------  
1    RedRanger 
2    GreenRanger
3    BlueRanger

Group Assignment

user group
---- -----
1    33
1    44
1    55
2    33
2    44
3    33
3    44
3    55
3    66

Group description

gid name  
--- ----  
33  user  
44  things  
55  stuff  
66  foo  

Resource

name group
---- -----
a    33
b    33
c    33
x    44  
y    55
z    66

RedRanger can access a, b, c, x and y but not z
GreenRanger can only access a, b, c and x
BlueRanger can access a, b, c, x, y and z

Let's say that RedRanger needs to be denied access to resource a.

If I remove him from group 33 he can no longer access b or c, which is no good.

The only alternative is to change a's group and add everyone else to the new group, this isn't so bad for 3 users, but what about 3,000?

If this situation occurs often there will soon be a mess of groups.

What is the best approach to this problem?

Thanks!


#2 2010-12-04 01:21:32

Ichimonji10
Member
Registered: 2010-11-07
Posts: 32

Re: Applying Linux Group Ideology to Web Applications

OK, I'll admit that I know next to nothing about databases. Really -- I've never made or administered one in my life, either for fun or in school. But in response to your question: make a mess of groups. Why make resources a, b, and c all available to group 33?

Instead of this:

name group
---- -----
a    33
b    33
c    33
x    44  
y    55
z    66

Have this:

name group
---- -----
a    11
b    22
c    33
x    44  
y    55
z    66

Here's my reasoning: if your permissions/group setup does not reflect the fact that you have three different types of system resources, then why have three different sets of resources at all? In other words, if groups govern access to all system/database resources, then groups _are_ system resources. Groups should closely mirror the existence of those resources.

As an example, think about how Linux allows access to system resources. Instead of creating a single "system resources" group, there's a group for access to audio devices, a group for video (access to hardware acceleration), one for samba shares, one for ssh, one for ssh-certs, one for mail, and so on. Yes, that's a mess of groups, but that's the price you pay for fine-grained control over what users do.

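As an added example (not code from either post), the following loads the thread's tables into an in-memory SQLite database and runs the same "deny RedRanger resource a" experiment against both layouts: the first post's shared group 33, and the second post's one-group-per-resource layout. The membership of each user in the new groups 11 and 22 is an assumption, since the second post does not restate the group assignment table.

```python
import sqlite3

# Constructed sample data copied from the thread: users, group membership
# and the two resource layouts under discussion.
USERS = [(1, "RedRanger"), (2, "GreenRanger"), (3, "BlueRanger")]
MEMBERSHIP = [(1, 33), (1, 44), (1, 55), (2, 33), (2, 44),
              (3, 33), (3, 44), (3, 55), (3, 66)]
# First post: a, b and c all share group 33.
COARSE = [("a", 33), ("b", 33), ("c", 33), ("x", 44), ("y", 55), ("z", 66)]
# Second post: one group per resource. Assumption: every user who was in
# group 33 is also put into the new groups 11 and 22 so access is unchanged.
FINE = [("a", 11), ("b", 22), ("c", 33), ("x", 44), ("y", 55), ("z", 66)]
FINE_MEMBERSHIP = MEMBERSHIP + [(u, g) for u in (1, 2, 3) for g in (11, 22)]


def build_db(resources, membership):
    """Create the three tables and load one layout variant."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE user_group(user_id INTEGER, gid INTEGER);
        CREATE TABLE resource(name TEXT PRIMARY KEY, gid INTEGER);
    """)
    db.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    db.executemany("INSERT INTO user_group VALUES (?, ?)", membership)
    db.executemany("INSERT INTO resource VALUES (?, ?)", resources)
    return db


def accessible(db, user_name):
    """Resources the user can reach: those whose group the user belongs to."""
    rows = db.execute("""
        SELECT r.name FROM resource r
        JOIN user_group ug ON ug.gid = r.gid
        JOIN users u ON u.id = ug.user_id
        WHERE u.name = ? ORDER BY r.name""", (user_name,))
    return [name for (name,) in rows]


def deny(db, user_name, resource):
    """The only lever this model offers: drop the user from the resource's group."""
    db.execute("""
        DELETE FROM user_group
        WHERE user_id = (SELECT id FROM users WHERE name = ?)
          AND gid = (SELECT gid FROM resource WHERE name = ?)""",
               (user_name, resource))


def deny_experiment(resources, membership):
    """Return RedRanger's access list before and after denying resource a."""
    db = build_db(resources, membership)
    before = accessible(db, "RedRanger")
    deny(db, "RedRanger", "a")
    return before, accessible(db, "RedRanger")
```

With the shared group, denying a also drops b and c (the first post's complaint); with one group per resource, only a disappears.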
