Unix Webcat Permission - Suggestions

This WebDNA talk-list message is from 2000.


Caveats: I do not work for SmithMicro and have picked up all of my Unix admin skills from reading man pages and O'Reilly books (the traditional method). I am running Unix Apache Module version 3.06f (since I like to perform my own installs, thanks). I tested this all with a clean install.

Several users have asked for advice on permission settings and security. My best advice is to make _all_ files owned by nobody, and _all_ directories containing those files owned by nobody. This includes all webcatalog files/directories as well as user templates and databases. This is the normal operating methodology for Unix daemons. You also should not give any rights to any other user. In other words:

    chown -R nobody:nobody *    # recursively set owner and group
    chmod -R go= *              # set group/other rights to none (go = group and other)

This is not a security concern once you realize that the nobody user has no rights to directly log in. Unix security hacks that prey on the nobody user rely on tricking the O/S into upgrading nobody to root, or get some process running as root to run bad code.

If you need to be FTP'ing files up to the server, work with your Unix administrator to create a SUID script that copies the files into the correct location and sets their owner and rights to the above. If you follow the above suggestions, an ordinary user cannot even list the files in your WebCat directories, let alone read them. The WebCat process will serve them up fine. Ordinary users should never have direct access to WebCatalog served files (IMHO). Once a fully multiuser WebCat daemon comes out (4.2?) that will change, but until then, anyone hosting WebCat will need to change rights/owners for all files.

I am thinking in the back of my head about a small WebCat application which would facilitate managing multiple users/sites. Think about an admin database with username, pathname source, and destination. One button update would copy the source files to the destination, with the correct rights. I could even see a trigger to automate it (though I do not trust outside developers enough to copy their templates onto my server without looking at them). Users would only need ordinary rights to their parallel directory structure and WebCat would only run the versions in the official directories.

HTH

John Peacock

-------------------------------------------------------------
This message is sent to you because you are subscribed to the mailing list . To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to

Associated Messages, from the most recent to the oldest:

  1. Re: Unix Webcat Permission - Suggestions (John Butler 2000)
  2. Re[2]: Unix Webcat Permission - Suggestions (jpeacock@univpress.com 2000)
  3. Re: Unix Webcat Permission - Suggestions (John Butler 2000)
  4. Re: Unix Webcat Permission - Suggestions (jpeacock@univpress.com 2000)
  5. Unix Webcat Permission - Suggestions (jpeacock@univpress.com 2000)
