 

Client authorization with python backend

I'm writing a panel for administering nginx (domains, rewrites, etc.), svn and other services. For that, I'm writing a backend that will run as root (to change nginx configs, reload them, change user passwords, etc.), and a client (console client and web app).

The app works over unix sockets, and I made a very simple protocol for it:

\0\0\0\0user\0key\0module\0command\0data\0

Well, this is quite simple. The client sends a command and data to the backend, for example:

\0\0\0\0morsik\0\0nginx\0add_domain\0www.domain.tld something\0

The problem is, how do I authenticate that the user is really morsik? For the web interface I don't have to: the web page has its own authorization, so I can send some key that will work for every user and that nobody will know. The problem is if somebody has ssh access. Then he could write a simple client that spoofs the username and then change another user's configuration.

So, how can I make correct authorization for users?

morsik asked Mar 19 '26 05:03


1 Answer

Don't reinvent the wheel. ;) I found this discussion enlightening:

  • http://cyberelk.net/tim/2007/03/08/cups-unix-domain-sockets-authentication/ Explains the concept of socket auth.
  • http://pythonic.pocoo.org/2007/7/7/unix-socket-credentials-with-python Helpful details.
  • http://atlee.ca/software/pam/ This might work also, though less convenient.
  • Create a group for app admins only, etc.

Gringo Suave answered Mar 21 '26 19:03
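
The socket-credential approach the answer links to, applied to the frame format from the question, as an added example that is not code from either poster: the backend asks the kernel who is on the other end of the unix socket (Linux `SO_PEERCRED`) and rejects any frame whose `user` field does not map to that uid. The function names, the `uid_for` lookup hook and the sample frame in the demo are assumptions made for illustration.

```python
import os
import pwd
import socket
import struct

FIELDS = ("user", "key", "module", "command", "data")

def parse_frame(raw: bytes) -> dict:
    """Split \\0\\0\\0\\0user\\0key\\0module\\0command\\0data\\0 into named fields."""
    if not raw.startswith(b"\0\0\0\0") or not raw.endswith(b"\0"):
        raise ValueError("malformed frame")
    parts = raw[4:-1].split(b"\0")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    return dict(zip(FIELDS, (p.decode("utf-8") for p in parts)))

def peer_credentials(conn: socket.socket) -> tuple:
    """Return (pid, uid, gid) of the connecting process, as recorded by the kernel."""
    fmt = "iII"  # struct ucred: pid_t, uid_t, gid_t
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(fmt))
    return struct.unpack(fmt, raw)

def system_uid_for(name: str) -> int:
    """Default lookup: resolve a username through the system passwd database."""
    return pwd.getpwnam(name).pw_uid

def authorize(conn: socket.socket, raw: bytes, uid_for=system_uid_for) -> dict:
    """Accept a frame only if its claimed user owns the connecting process."""
    frame = parse_frame(raw)
    _pid, peer_uid, _gid = peer_credentials(conn)
    try:
        claimed_uid = uid_for(frame["user"])
    except KeyError:
        raise PermissionError("unknown user %r" % frame["user"])
    if claimed_uid != peer_uid:
        raise PermissionError("uid %d may not act as %r" % (peer_uid, frame["user"]))
    return frame

if __name__ == "__main__":
    # Constructed demo: a socketpair stands in for an accepted client connection.
    server_side, client_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    me = pwd.getpwuid(os.getuid()).pw_name.encode()
    honest = b"\0\0\0\0" + me + b"\0\0nginx\0add_domain\0www.domain.tld something\0"
    print(authorize(server_side, honest))
```

The web app would connect under its own service uid, so its requests still need the shared key or a similar application-level check on top of this.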