Unix Webcat Permission - Suggestions
This WebDNA talk-list message is from 2000
It keeps the original formatting.
numero = 29295
interpreted = N
texte = Caveats: I do not work for SmithMicro and have picked up all of my Unix admin skills from reading man pages and O'Reilly books (the traditional method). I am running Unix Apache Module version 3.06f (since I like to perform my own installs, thanks). I tested this all with a clean install.

Several users have asked for advice on permission settings and security. My best advice is to make _all_ files owned by nobody, and _all_ directories containing those files owned by nobody. This includes all webcatalog files/directories as well as user templates and databases. This is the normal operating methodology for Unix daemons. You also should not give any rights to any other user. In other words:

    chown -R nobody:nobody *    #recursively set owner
    chmod -R go= *              #set user/group rights to none

This is not a security concern once you realize that the nobody user has no rights to directly log in. Unix security hacks that prey on the nobody user rely on tricking the O/S into upgrading nobody to root, or get some process running as root to run bad code.

If you need to be FTP'ing files up to the server, work with your Unix administrator to create a SUID script that copies the files into the correct location and sets their owner and rights to the above. If you follow the above suggestions, an ordinary user cannot even list the files in your WebCat directories, let alone read them. The WebCat process will serve them up fine. Ordinary users should never have direct access to WebCatalog served files (IMHO). Once a fully multiuser WebCat daemon comes out (4.2?) that will change, but until then, anyone hosting WebCat will need to change rights/owners for all files.

I am thinking in the back of my head about a small WebCat application which would facilitate managing multiple users/sites. Think about an admin database with username, pathname source, and destination. One button update would copy the source files to the destination, with the correct rights. I could even see a trigger to automate it (though I do not trust outside developers enough to copy their templates onto my server without looking at them). Users would only need ordinary rights to their parallel directory structure and WebCat would only run the versions in the official directories.

HTH

John Peacock
jpeacock@univpress.com
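
The copy-with-correct-rights step and the ownership policy described in the message above, sketched as an added example that is not part of the original post. The function names `audit_tree` and `deploy_tree`, the staging/served directory layout, and the symlink check are assumptions for illustration; the script is meant to be run by the administrator as root so that `chown` can take effect.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the
# staging/served layout are assumptions made for illustration.

# audit_tree DIR OWNER
# Print every path under DIR that is not owned by OWNER or that grants any
# group/other permission bit. Prints nothing when the tree matches the policy.
audit_tree() {
    find "$1" \( ! -user "$2" \
        -o -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# deploy_tree SRC DEST OWNER
# Copy the contents of a user's staging directory into the served directory,
# then apply the post's policy: OWNER owns everything, group/other get nothing.
deploy_tree() {
    src=$1 dest=$2 owner=$3
    [ -d "$src" ] || { echo "no such staging dir: $src" >&2; return 1; }
    # Extra check (assumption): refuse staged symlinks so a link cannot make
    # the served tree point at files outside it.
    if [ -n "$(find "$src" -type l -print)" ]; then
        echo "refusing to deploy: symlink found in $src" >&2
        return 1
    fi
    # umask 077 keeps new files private even before chmod runs.
    ( umask 077; mkdir -p "$dest" && cp -R "$src"/. "$dest"/ ) || return 1
    # Only root can give files away; skip chown when run unprivileged.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$dest" || return 1
    fi
    chmod -R go= "$dest" || return 1
    # Succeed only if the audit finds nothing out of policy.
    [ -z "$(audit_tree "$dest" "$owner")" ]
}

# Stand-alone use: deploy.sh SRC DEST OWNER
if [ "$#" -eq 3 ]; then
    deploy_tree "$1" "$2" "$3"
fi
```

Running `audit_tree` on its own against an existing served tree lists the files that still need `chown` or `chmod go=` without changing anything.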