Protected CERN Server Setup
htadm
program, which is part of the CERN httpd distribution.
Unix password files are understood
by the CERN daemon (but not vice versa). However, Unix users are
in no way connected to WWW access authorization.
groupname: item, item, item
The list of items is called a group definition.
Each item can be a username, an already-defined
groupname, or a comma-separated list of user and group names in
parentheses. Any of these can be followed by an at sign @
followed by either a single IP address template, or a comma-separated
list of IP address templates in parentheses. The following are valid
group declarations:
authors: john, james
trusted: authors, jim
cern_people: @128.141.*.*
hackers: marca@141.142.*.*, sanders@153.39.*.*,
(luotonen, timbl, hallam)@128.141.*.*,
cailliau@(128.141.201.162, 128.141.248.119)
cern_hackers: hackers@128.141.*.*
If an item contains only the IP address template part, all users from those
addresses are accepted (e.g. cern_people above). Note the
last two declarations: the cern_hackers group is made up of
the hackers group, restricted further according to
IP address.
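As an added example (not code from this page or from the CERN httpd distribution), a small Python evaluator for the group definition syntax described above, run over the sample declarations. It splits items at commas outside parentheses, matches `*` per octet in an IP address template, joins a definition that is continued on the next line after a comma, and models the no-forward-references rule by treating a name as a group reference only if that group is already defined; `GROUP_FILE`, `parse_group_file` and `is_member` are names chosen here.

```python
import re

# Constructed sample group file: the page's own declarations, one continued after a comma.
GROUP_FILE = """authors: john, james
trusted: authors, jim
cern_people: @128.141.*.*
hackers: marca@141.142.*.*, sanders@153.39.*.*,
         (luotonen, timbl, hallam)@128.141.*.*,
         cailliau@(128.141.201.162, 128.141.248.119)
cern_hackers: hackers@128.141.*.*
"""

def split_top_level(text):
    """Split on commas outside parentheses (a comma is kept when a ')' follows it
    with no '(' in between); blanks and surrounding space are dropped."""
    return [p.strip() for p in re.split(r",(?![^(]*\))", text) if p.strip()]

def ip_matches(ip, templates):
    """Empty template list means any address; '*' in a template wildcards one octet."""
    def hit(tmpl):
        t, o = tmpl.split("."), ip.split(".")
        return len(t) == len(o) and all(a in ("*", b) for a, b in zip(t, o))
    return not templates or any(hit(t) for t in templates)

def parse_group_file(text):
    """Return {group: [(users, subgroups, addr_templates), ...]} in file order."""
    groups = {}
    # A definition may continue on the next line after any comma: join those first.
    for line in filter(str.strip, re.sub(r",\s*\n\s*", ", ", text).splitlines()):
        group, _, body = line.partition(":")
        items = []
        for item in split_top_level(body):
            names, _, addrs = item.partition("@")
            names = split_top_level(names.strip("()"))
            # Forward references are illegal: a name is a group reference only if
            # that group is already defined; any other name is taken as a username.
            subgroups = [n for n in names if n in groups]
            items.append(([n for n in names if n not in groups], subgroups,
                          split_top_level(addrs.strip("()"))))
        groups[group.strip()] = items
    return groups

def is_member(groups, group, user, ip):
    """True if user, connecting from ip, is admitted by the group's definition."""
    for users, subgroups, addrs in groups.get(group, []):
        if ip_matches(ip, addrs) and (not users and not subgroups  # address-only item
                or user in users or any(is_member(groups, g, user, ip) for g in subgroups)):
            return True
    return False
```

Note that cern_hackers admits timbl from 128.141.x.x but not marca from 141.142.x.x, because the outer IP template is applied on top of the inner hackers definition.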
A group definition can be continued on the next line after any comma in the
definition. Forward references in the group file are illegal (i.e. using a
group name before it is defined).
Group definition syntax is valid not only in the group file, but also in
GetMask in the protection setup file, and in the
protect rule
in the rule file. Authorized persons and IP addresses are specified in the
protection setup file or access control list file:
Protect /very/secret/* /WWW/httpd.setup
If Unix file system protections are set up so that there is no
world read permission, the daemon naturally has to run as the owner or
a group member of those files.
However, if there are protected trees owned by different people, this
doesn't work. In that case the daemon has to run as
root, and the user and group ids have to be specified in
the protect rule, e.g.:
Protect /kevin/secret/* /WWW/httpd.setup1 kevin.www
Protect /marcus/secret/* /WWW/httpd.setup2 marcus.nogroup
protect rule has an associated protection setup
file. It specifies the valid authentication schemes, the password and group
files, and the password server id:
AuthType Basic, KerberosV4
ServerId OurCollaboration
PasswordFile /WWW/Admin/passwd
GroupFile /WWW/Admin/group
The password server id need not be a real machine name. Its only purpose
is to inform the browser about which password file it is using
(different protection setups on the same machine can use different
password files, and that would otherwise confuse pseudo-intelligent
clients trying to figure out which password to send).
The same server id on different machines is considered
different by clients (otherwise this would be a security hole).
KerberosV4 authentication is here only as an example;
it has not been implemented as part of the library.
GetMask in the setup file (and you
don't need any ACL files):
GetMask group, user, group@address, ...
The group definition has the same syntax as in the group file.
In this case you don't need the GetMask in the setup
file.
GetMask and an ACL, in
which case both conditions must be met. This is typically used so
that GetMask defines a general group of people allowed
to access the tree, and ACLs restrict access even further.
.www_acl in the same directory
as the files whose access it controls. It typically looks
something like this:
secret*.html : GET,POST : trusted_people
minutes*.html: GET,POST : secretaries
*.html : GET : willy,kenny
It is worth noticing that all the templates are matched against (unlike
in the rule file, where translation of rules stops at pass and
fail). So in the previous example all the HTML files are
accessible to willy and kenny, even those
matching the two previous templates.
The last field is just a list of users and groups (possibly at required IP addresses); in fact this field uses the same syntax as the group file.
When the PUT method has been implemented it can appear in the
middle field, separated from GET by a comma:
*.html : GET,PUT : authors