web
"
2006/08/26 Update
2002/02/24
H1: -e Server Mode
2006/08/26 Update
web
"-u
" that makes httpd run as user who invoked Pegasus.
How to do in automatic execution?
mon
is provided for this purpose.
This tool also resolves some security problem described below.
httpd
in server mode, then it is invoked by "listen
". Httpd will be executed as user "none
". If writing is required, the file must be allowed to be written by "none
". If file server is shared by many persons, that will make a problem.
Let "web
" be a user, not a real user but a virtual user. If "httpd
" can run as user "web
", we can keep security even the server is shared by many persons. If user alice
want "/usr/alice/web/doc/data
" to be read or written only by alice
and httpd
, then we have several ways to do so.
Read "webm" for this topics.
httpd
and replace it by another one.none
" cannot kill other "none
"'s process in Plan9 4ed.
However CGI scripts running as user "web
" can kill the parent httpd.
Mon is provided for this case. Don't run mon as user "web
". Because the fact that mon is not owned by "web
" protects against the attack.
Pegasus httpd
does not allow mount by CGI script except under option -m
.