Unix Webcat Permission - Suggestions
This WebDNA talk-list message is from 2000
It keeps the original formatting.
numero = 29295
interpreted = N
texte = Caveats: I do not work for SmithMicro and have picked up all of my Unix admin skills from reading man pages and O'Reilly books (the traditional method). I am running Unix Apache Module version 3.06f (since I like to perform my own installs, thanks). I tested this all with a clean install.

Several users have asked for advice on permission settings and security. My best advice is to make _all_ files owned by nobody, and _all_ directories containing those files owned by nobody. This includes all webcatalog files/directories as well as user templates and databases. This is the normal operating methodology for Unix daemons. You also should not give any rights to any other user. In other words:

    chown -R nobody:nobody *    #recursively set owner
    chmod -R go= *              #set user/group rights to none

This is not a security concern once you realize that the nobody user has no rights to directly log in. Unix security hacks that prey on the nobody user rely on tricking the O/S into upgrading nobody to root, or get some process running as root to run bad code.

If you need to be FTP'ing files up to the server, work with your Unix administrator to create a SUID script that copies the files into the correct location and sets their owner and rights to the above. If you follow the above suggestions, an ordinary user cannot even list the files in your WebCat directories, let alone read them. The WebCat process will serve them up fine.

Ordinary users should never have direct access to WebCatalog served files (IMHO). Once a fully multiuser WebCat daemon comes out (4.2?) that will change, but until then, anyone hosting WebCat will need to change rights/owners for all files.

I am thinking in the back of my head about a small WebCat application which would facilitate managing multiple users/sites. Think about an admin database with username, pathname source, and destination. One button update would copy the source files to the destination, with the correct rights. I could even see a trigger to automate it (though I do not trust outside developers enough to copy their templates onto my server without looking at them). Users would only need ordinary rights to their parallel directory structure and WebCat would only run the versions in the official directories.

HTH

John Peacock
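The copy-then-lock-down step and the ownership policy described in the message, as an added example that is not part of the original post or of WebCatalog: publish_tree copies a user's working directory into the served directory with group/other rights removed, and audit_tree lists any path that breaks the policy. The names SERVE_USER, audit_tree and publish_tree are hypothetical; SERVE_USER defaults to the invoking user so the script runs without root, and would be set to nobody on the setup the message describes.

```shell
#!/bin/sh
# Added example, not from the original message. Function and variable
# names are hypothetical. SERVE_USER is the account the daemon runs as
# ("nobody" in the message); it defaults to the caller so no root is needed.
SERVE_USER="${SERVE_USER:-$(id -un)}"

# audit_tree DIR
# Print every path under DIR that is not owned by SERVE_USER or that
# grants any read/write/execute bit to group or other.
audit_tree() {
    find "$1" \( ! -user "$SERVE_USER" \
        -o -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# publish_tree SRC DST
# Copy SRC into the served directory DST, strip group/other rights,
# hand ownership to SERVE_USER when running as root, then verify.
publish_tree() {
    src=$1
    dst=$2
    [ -d "$src" ] || return 1
    (
        umask 077                  # new files never get group/other bits
        mkdir -p "$dst" && cp -R "$src"/. "$dst"/
    ) || return 1
    chmod -R go= "$dst" || return 1    # also fixes files already in DST
    if [ "$(id -u)" -eq 0 ]; then
        # Only the owner is checked by audit_tree; the group is moot
        # once all group bits are cleared.
        chown -R "$SERVE_USER" "$dst" || return 1
    fi
    # Succeed only if the audit finds nothing to report.
    [ -z "$(audit_tree "$dst")" ]
}
```

Running audit_tree from cron against the served directories catches files that were uploaded or edited in place without going through the publish step.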
Associated Messages, from the most recent to the oldest:
jpeacock@univpress.com