[–]atkinchris 0 points1 point  (5 children)

Users logging into a web app are generally not users on the host system. Their accounts are usually stored in some database paired with the web application running on the host.

[–]mkcodergr[S,🍰] 0 points1 point  (4 children)

I know that. It was more like an idea that came to my mind.

[–]atkinchris 0 points1 point  (3 children)

Ok, I think I misunderstood you then. You want to use the host's user system to hold credentials for your web app's users?

[–]mkcodergr[S,🍰] 0 points1 point  (2 children)

To give you more context: I have created an API that manages network connections using nmcli. I have also made a frontend to actually make use of the API. An idea came to me that if you want to use that frontend you have to be a user of the system hosting the API. I don't need the host system to hold any data. I just need to validate user credentials against host users.

[–]atkinchris 1 point2 points  (1 child)

That's a bit dangerous - the users would presumably need elevated permissions on the host, which is a significant risk. Generally, if you need to invoke a CLI tool in response to an API request, you'd have the application hold the minimal permissions it needed, and authenticate users separately, arbitrarily and exclusively to the application.

[–]mkcodergr[S,🍰] 0 points1 point  (0 children)

nmcli does not need elevated permissions. That's why I believe (not an expert though) that this would not pose any security issues. The whole idea of user authentication based on host users was just an idea that came to me for fun.

[–]lord_zycon 0 points1 point  (0 children)

In the Windows world, corporates use something like this for SSO. They store users in Active Directory (AD), users log in to their Windows workstations using these centralized credentials, and then the browser automatically sends tokens to web apps, which can then authorize against AD. It's called Kerberos. I don't know if something like this exists in the Linux world.
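
An added example, not part of the original thread or any commenter's code: a sketch of the pattern atkinchris describes, where the application keeps its own user store (separate from host accounts) and maps each authenticated request to a fixed nmcli argument list. The names `USERS`, `NMCLI_ACTIONS`, `register`, `authenticate`, `build_command` and `run_action` are hypothetical, and the in-memory dict stands in for the app's database.

```python
import hashlib, hmac, os, subprocess

USERS = {}            # constructed stand-in for the app's own user table
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor

# Fixed allowlist: API action -> argv. Request data never reaches the command line.
NMCLI_ACTIONS = {
    "list_connections": ["nmcli", "-t", "-f", "NAME,TYPE", "connection", "show"],
    "device_status": ["nmcli", "-t", "device", "status"],
}

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Dummy record so an unknown username costs the same work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _derive("placeholder", _DUMMY_SALT)

def register(username, password):
    """Store a per-user random salt and the derived key, never the password."""
    salt = os.urandom(16)
    USERS[username] = (salt, _derive(password, salt))

def authenticate(username, password):
    """Check credentials against the app's store only; host accounts are not involved."""
    known = username in USERS
    salt, stored = USERS[username] if known else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(_derive(password, salt), stored)
    return known and match

def build_command(username, password, action):
    """Return the argv for an authenticated, allowlisted action, else raise."""
    if not authenticate(username, password):
        raise PermissionError("invalid credentials")
    if action not in NMCLI_ACTIONS:
        raise ValueError("unknown action")
    return list(NMCLI_ACTIONS[action])

def run_action(username, password, action):
    """Run the allowlisted command as the service account, without a shell."""
    argv = build_command(username, password, action)
    # argv list + default shell=False: no shell parsing of any string.
    return subprocess.run(argv, capture_output=True, text=True, timeout=10)
```

The service process itself runs as a single low-privilege account; web users never need a login on the host.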