Re: what is http authenticated user?

michel m wrote:
> Hi,
>
> In my last mail, I had asked how to get context for incoming requests. Meanwhile, studying the replies, I got familiar with Apache/SELinux Plus, which labels threads based on the identity of the user. But I cannot understand how users are authenticated from http requests. Who does this authentication (is it a service special to apache/httpd that analyzes http requests)? I think an http request in normal form does not contain any information by which a remote user can be authenticated.
>
> May someone explain more or redirect me to some resources that clarify things more?

You need to distinguish a web-user from an OS-user.

When you shop at amazon.com, you are supposed to provide
your account information (e.g. e-mail address and password), but it
does not mean that a new user account is available on the operating
system of amazon.com, because all the http requests are handled by
the httpd server process from the viewpoint of the operating system.

A web-user is a concept in the web or application layer, not the OS.
Its account information is basically sent implicitly with each http request,
then the http server parses it and applies its authentication.
(If it fails, the http server returns an error prior to page references.)

Apache/SELinux Plus is a module to assign a certain security context
based on the authorized web-user, not OS-user.

However, there is no fundamental difference between httpd and sshd.
When we connect to a host using ssh, we have to provide our account information
(e.g. username/password or public key), then ssh authorizes the connection
using the given account info, and assigns a certain security context on the
user login shell.

Thanks,
--
KaiGai Kohei <kaigai@xxxxxxxxxxxx>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
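
The flow described in the reply above, as an added example that is not part of the original message or of Apache/SELinux Plus: the credentials travel in a request header, the server parses and verifies them against a web-user store, and only then is a security context chosen for that web-user. It assumes HTTP Basic authentication (RFC 7617); the user store, the mapping table, the sample request and the context label are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed web-user store (application-layer accounts, not OS accounts).
WEB_USERS = {"alice": (b"constructed-salt", _hash("correct horse", b"constructed-salt"))}
# Hypothetical web-user -> security context map; the label is a constructed sample.
CONTEXT_MAP = {"alice": "user_u:user_r:user_webapp_t:s0:c1"}

def parse_basic_credentials(raw_request: bytes):
    """Return (username, password) from the Authorization header, or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None                            # malformed token
        user, sep, password = decoded.partition(":")
        return (user, password) if sep else None
    return None                                    # header absent

def handle(raw_request: bytes):
    """Authenticate the web-user first, then select the context to run under."""
    creds = parse_basic_credentials(raw_request)
    if creds is None:
        return 401, None, None                     # error before any page is served
    user, password = creds
    salt, stored = WEB_USERS.get(user, (b"missing-user-salt", b""))
    if not hmac.compare_digest(_hash(password, salt), stored) or user not in CONTEXT_MAP:
        return 401, None, None
    return 200, user, CONTEXT_MAP[user]

def sample_request(user: str, password: str) -> bytes:
    """Build a constructed request carrying Basic credentials."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (f"GET /private/ HTTP/1.1\r\nHost: www.example.com\r\n"
            f"Authorization: Basic {token}\r\n\r\n").encode()
```

Basic credentials are only base64-encoded, not encrypted, so this scheme needs TLS underneath it.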
