Unix Webcat Permission - Suggestions

This WebDNA talk-list message is from

2000

It keeps the original formatting. numero = 29295
interpreted = N
texte = Caveats: I do not work for SmithMicro and have picked up all of my Unix adminskills from reading man pages and O'Reilly books (the traditional method). I amrunning Unix Apache Module version 3.06f (since I like to perform my owninstalls, thanks). I tested this all with a clean install.Several users have asked for advice on permission settings and security. Mybest advice is to make _all_ files owned by nobody, and _all_ directoriescontaining those files owned by nobody. This includes all webcatalogfiles/directories as well as user templates and databases. This is the normaloperating methodology for Unix daemons. You also should not give any rights toany other user. In other words: chown -R nobody:nobody * #recursively set owner chmod -R go= * #set user/group rights to noneThis is not a security concern once you realize that the nobody user has norights to directly log in. Unix security hacks that prey on the nobody userrely on tricking the O/S into upgrading nobody to root, or get some processrunning as root to run bad code.If you need to be FTP'ing files up to the server, work with your Unixadministrator to create a SUID script that copies the files into the correctlocation and sets their owner and rights to the above. If you follow the abovesuggestions, an ordinary user cannot even list the files in your WebCatdirectories, let alone read them. The WebCat process will serve them up fine. Ordinary users should never have direct access to WebCatalog served files(IMHO). Once a fully multiuser WebCat daemon comes out (4.2?) that will change,but until then, anyone hosting WebCat will need to change rights/owners for allfiles.I am thinking in the back of my head about a small WebCat application whichwould facilitate managing multiple users/sites. Think about an admin databasewith username, pathname source, and destination. One button update would copythe source files to the destination, with the correct rights. I could even seea trigger to automate it (though I do not trust outside developers enough tocopy their templates onto my server without looking at them). Users would onlyneed ordinary rights to their parallel directory structure and WebCat would onlyrun the versions in the official directories.HTHJohn Peacock-------------------------------------------------------------This message is sent to you because you are subscribed to the mailing list .To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to Associated Messages, from the most recent to the oldest:

Re: Unix Webcat Permission - Suggestions (John Butler 2000)
Re[2]: Unix Webcat Permission - Suggestions (jpeacock@univpress.com 2000)
Re: Unix Webcat Permission - Suggestions (John Butler 2000)
Re: Unix Webcat Permission - Suggestions (jpeacock@univpress.com 2000)
Unix Webcat Permission - Suggestions (jpeacock@univpress.com 2000)

Caveats: I do not work for SmithMicro and have picked up all of my Unix adminskills from reading man pages and O'Reilly books (the traditional method). I amrunning Unix Apache Module version 3.06f (since I like to perform my owninstalls, thanks). I tested this all with a clean install.Several users have asked for advice on permission settings and security. Mybest advice is to make _all_ files owned by nobody, and _all_ directoriescontaining those files owned by nobody. This includes all webcatalogfiles/directories as well as user templates and databases. This is the normaloperating methodology for Unix daemons. You also should not give any rights toany other user. In other words: chown -R nobody:nobody * #recursively set owner chmod -R go= * #set user/group rights to noneThis is not a security concern once you realize that the nobody user has norights to directly log in. Unix security hacks that prey on the nobody userrely on tricking the O/S into upgrading nobody to root, or get some processrunning as root to run bad code.If you need to be FTP'ing files up to the server, work with your Unixadministrator to create a SUID script that copies the files into the correctlocation and sets their owner and rights to the above. If you follow the abovesuggestions, an ordinary user cannot even list the files in your WebCatdirectories, let alone read them. The WebCat process will serve them up fine. Ordinary users should never have direct access to WebCatalog served files(IMHO). Once a fully multiuser WebCat daemon comes out (4.2?) that will change,but until then, anyone hosting WebCat will need to change rights/owners for allfiles.I am thinking in the back of my head about a small WebCat application whichwould facilitate managing multiple users/sites. Think about an admin databasewith username, pathname source, and destination. One button update would copythe source files to the destination, with the correct rights. I could even seea trigger to automate it (though I do not trust outside developers enough tocopy their templates onto my server without looking at them). Users would onlyneed ordinary rights to their parallel directory structure and WebCat would onlyrun the versions in the official directories.HTHJohn Peacock-------------------------------------------------------------This message is sent to you because you are subscribed to the mailing list .To unsubscribe, E-mail to: To switch to the DIGEST mode, E-mail to jpeacock@univpress.com

DOWNLOAD WEBDNA NOW!

Unix Webcat Permission - Suggestions

2000

Top Articles:

Related Readings: