Next Step To Do
Table of contents
- 0.1.0 Supporting Digest Authentication
- 0.2.0 Configuring authentication
- 0.3.0 Installing CGI tools
- 0.4.0 Directories under $web
- 0.5.0 Configuring CGI handler
- 0.6.0 CGI and security
2006/08/22
This page gives further information for those who have finished the basic installation.
You need not read this page if you have no files that require authentication and you do not need virtual documents.
Supporting Digest Authentication
Directory "/usr/web/etc/nonce" is used for digest authentication. The directory is a database of issued challenges and received responses that prevents replay attacks. Data accumulates in this directory, so old data must be removed from the database.
A tool called "crob" is provided for this purpose. A usage example is
    crob -1d /usr/web/etc/nonce
which removes data older than one day from "/usr/web/etc/nonce".
You will find "crob" at http://plan9.aichi-u.ac.jp/netlib/cmd/.
Then, how can "crob" be executed automatically every day? This is a job suited to "cron". If you have "/cron/web/cron" on your server "venus" with the content:
    0 3 * * * venus /usr/local/bin/386/crob -1d /usr/web/etc/nonce
then "crob" will be executed every day at 3:00 am, where I have assumed that "crob" is installed in "/usr/local/bin/386/".
Note that the owner of "/cron/web/" must be "web"; otherwise the jobs will not be executed. The Plan 9 command "cron" has an option "-c" to create the user's "cron" under "/cron". Then, how do you become user "web"? I have a tool named "su" that works like UNIX "su".
Using "su", you, the host owner of the server, can become "web":
    cpu% su web
    su# auth/cron -c
    su# echo '0 3 * * * venus /usr/local/bin/386/crob -1d /usr/web/etc/nonce' >/cron/web/cron
    su#
Configuring authentication
Please see "$web/etc/passwd" for this topic.
Installing CGI tools
Place CGI tools in "/usr/web/bin/386" and "/usr/web/bin/rc". Other directories under "/usr/web/" should be empty (except "/usr/web/etc/nonce/").
The Pegasus package contains some CGI tools. Letting "$pegasus" be the installation directory, they are in "$pegasus/cgitools/". Some of them are:
- formparse
- qsparse
- webm
- hfmt
- peep
- dx
- text2html
- rit
- ptt
- mkh
Directories under $web
The httpd root is denoted by "$web" in the following explanation. "$web" for user alice is (if not specified in "/sys/lib/httpd.rewrite"):
    /usr/alice/web
On the other hand, "$web" for the real host and for virtual hosts is defined in "/sys/lib/httpd.rewrite". For example, "$web" for the real host will be "/usr/bob/www" if we define
    / */usr/bob/www
in "/sys/lib/httpd.rewrite".
Each "$web" has the directories:
    doc
    etc
    bin/386
    bin/rc
where
- "doc" is the directory for web documents. The home page will be doc/index.html
- "etc" is the directory for access control files such as passwd, allow, handler, rewrite and namespace_80
- "bin/386" and "bin/rc" are the directories for CGI executable files. Pegasus will bind them to "/bin" in append mode.
Configuring CGI handler
A file "$web/etc/handler" defines the relation between the requested path and the script invoked by the request. The handler is managed by the person who owns the web documents.
The role of this file is to pass the request from the client to the specified program.
Typical contents of handler are:
    # suffix mimetype hctl execpath arg ...
    /netlib/*/index.html text/html 0 /bin/ftp2html
    *.http - 1 $target
    *.cgi - + $target
    *.html text/html 0 $target
    *.tt text/html 0 /bin/peep $target
This is what I am using. The first line is a comment. The first field is the pattern for the requested path. The "$target" that may appear after the fourth field is the path name. The line that contains "*.html" defines what are usually called CGI files. This line says that if a file with extension ".html" and with the executable bit set for httpd is requested, then the file is executed. The output format is text/html and ramfs is provided. This means the file extension of CGI is determined not by Pegasus but by the user.
The table in "$web/etc/handler" determines the action taken for a requested path. The requested file need not be present. See "execution handler" for more information.
CGI and security
Pegasus allows all users to have a CGI environment if the host administrator configures "/lib/namespace.httpd" for CGI. Pegasus takes the view that CGI should not be available only to the administrator.
Pegasus is designed to be attack-proof against malicious system users. However, Pegasus has not been examined on a system with malicious users.