2002/02/24

Server Mode


Server mode is the mode in which httpd listens on the `http port' (default 80) directly.
The merits are:

  1. it reduces loading time, because httpd stays in memory.
  2. it makes httpd more secure when writing files.
The first merit is common to all servers.
The second is specific to Pegasus.

If you don't run httpd in server mode, it is invoked by `listen'.
Httpd will then be executed as user `none'.
If writing is required, the file must be writable by `none'.
If the file server is shared by many people, that can cause a problem.

Let `web' be a user, not a real user but a virtual one.
If httpd can run as user `web', we can maintain security even when the file server is shared by many people.

If user `alice' wants /usr/alice/web/doc/data to be read or written only by `alice' and httpd, then change /adm/users to:

	alice:alice:web
	web::
and register user `web' with your authentication server.
User `alice' then permits `web' to write to the files that httpd needs to write. For example,
	cpu% chmod 664 /usr/alice/web/doc/somedata
	cpu% ls -l
	--rw-rw-r-- alice web ... /usr/alice/web/doc/somedata
Use a-rw-rw-r-- (append-only); otherwise save the file to venti for safety.

Therefore /usr/alice/web/doc/somedata is protected as long as no user except httpd can become `web'.

Note that this simple method is acceptable only with Pegasus,
because with any httpd other than Pegasus, another person's CGI can write /usr/alice/web/doc/somedata.
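The file modes described above can be checked mechanically. The following is an added example, not part of Pegasus or of the original page: it audits `ls -l` output for files that any user can write and for files group-writable by `web' that are not append-only. The full column layout (mode, type, instance, owner, group, size, date, name) is assumed from Plan 9 ls(1), since the listing above elides it, and the sample lines are constructed.

```python
# Added example: audit Plan 9 `ls -l` lines for the modes discussed above.
# Assumed columns: mode type instance owner group size month day year name.
# The mode has 11 characters: d/a/-, l/-, then rwx for owner, group, other.

HTTPD_GROUP = "web"  # the virtual user httpd runs as on this page

# Constructed sample listing, not taken from a real server.
SAMPLE = """\
--rw-rw-r-- M 8 alice web 1024 Feb 24 2002 /usr/alice/web/doc/somedata
a-rw-rw-r-- M 8 alice web 2048 Feb 24 2002 /usr/alice/web/doc/log
--rw-rw-rw- M 8 alice web 512 Feb 24 2002 /usr/alice/web/doc/guestbook
--rw-r--r-- M 8 alice alice 300 Feb 24 2002 /usr/alice/web/doc/index.html
d-rwxrwxr-x M 8 alice web 0 Feb 24 2002 /usr/alice/web/doc/data
"""


def audit(listing, httpd_group=HTTPD_GROUP):
    """Return (path, finding) pairs for modes that weaken the scheme."""
    findings = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 7 or len(fields[0]) != 11:
            continue  # not an `ls -l` entry
        mode, group, path = fields[0], fields[4], fields[-1]
        is_dir = mode[0] == "d"
        append_only = mode[0] == "a"
        group_w = mode[6] == "w"   # write bit of the group triplet
        other_w = mode[9] == "w"   # write bit of the other triplet
        if other_w:
            # Anyone, including a CGI running as `none', can write it.
            findings.append((path, "writable by every user"))
        elif group == httpd_group and group_w and not is_dir and not append_only:
            # httpd may rewrite the file: use a-rw-rw-r-- or keep it in venti.
            findings.append((path, "group-writable but not append-only"))
    return findings


if __name__ == "__main__":
    for path, finding in audit(SAMPLE):
        print(f"{path}: {finding}")
```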

How to run httpd as user `web'

Pegasus has an option -u that makes httpd run as the user who invoked Pegasus.
How does one become user `none'?
When starting httpd by hand, you can become `web' with:
	auth/login web
and then run httpd.

How is this done at automatic startup?
mon is provided for this purpose.
This tool also resolves some security problems described below.

Security

Let's assume we have a malicious user who runs a CGI program on our server.
He might kill httpd and replace it with another one.
A CGI program running as `none' cannot kill other processes owned by `none' in Plan9 4ed.

Pegasus httpd does not allow mount by CGI except under option -m.
However, httpd running as `web' can kill httpd.
Mon is provided for this case.
Don't run mon as user `web', because the fact that mon is not owned by `web' is what protects it against CGI.