Server Mode
Contents
- 0.1.0 introduction
- 0.2.0 How to run httpd as user "web"
- 0.3.0 Servicing CGI
- 0.4.0 If you have private files
- 0.5.0 Security
2006/08/26 Update
2002/02/24
introduction
Server mode is a mode in which httpd listens on the HTTP port (default 80) directly. The advantages are:
- loading time is eliminated, because httpd stays in memory.
- file reads and writes performed by the httpd service can be made more secure.
How to run httpd as user "web"
Pegasus has an option "-u" that makes httpd run as the user who invoked Pegasus.
How can this be done when httpd is started automatically? mon is provided for this purpose.
This tool also resolves a security problem described below.
Servicing CGI
See "Constructing CGI environment".
If you have private files
If you don't execute httpd in server mode, it is invoked by "listen". httpd will then be executed as user "none". If writing is required, the file must be writable by "none". If the file server is shared by many people, that creates a problem.
Let "web" be a user, not a real user but a virtual one. If "httpd" can run as user "web", we can maintain security even when the server is shared by many people. If user alice wants "/usr/alice/web/doc/data" to be read or written only by alice and httpd, there are several ways to do so.
Read "webm" for this topic.
Security
Let's assume we have a malicious user who runs a CGI program on our server. He might kill httpd and replace it with another one. "none" cannot kill another "none"'s processes in Plan 9 4th edition.
However, CGI scripts running as user "web" can kill the parent httpd.
Mon is provided for this case. Don't run mon as user "web": the fact that mon is not owned by "web" protects against the attack.
Pegasus httpd does not allow mount by CGI scripts except under option -m.