Webm
Contents
- 0.1.0 Location
- 0.2.0 Description
- 0.3.0 Implementation
- 0.4.0 Protecting against system users
- 0.4.1 Changing group of "private" to web
- 0.4.2 Changing owner of "private" to "web"
- 0.4.3 Making a new group alice1
- 0.4.4 Closing entrance
2006/08/26
Location
/usr/web/bin/rc/webm
Description
webm is a script that lets Pegasus perform the following operations:
- make a file or a directory
- delete files and/or directories
- edit a file
- send a file
- get a file
Implementation
In $web/etc/handler:
    # path mimetype hctl execpath arg ...
    /private/*/index.html text/html 0 /bin/webm $target
where /private is a directory in which webm is allowed to be used.
Of course, the directory should be protected from unauthorized access by both HTTP clients and system users.
Protection from HTTP clients is easy: the password file "$web/etc/passwd" solves the problem.
Protection against system users is somewhat more difficult.
Protecting against system users
There are several ways to protect your private data against system users. The following are some of them, where your account name is "alice".
Changing group of "private" to web
If alice can set the access mode to be
    d-rwxrwx--- alice web ..... private
then "private" is protected against system users. There are two disadvantages:
1. alice might not be allowed to execute "chgrp web private".
2. alice might not be able to access the files under "private", because these files are created by httpd and their access mode will be as follows:
    --rwxrwx--- web web ..... private/foo
Then alice can access these files only via httpd.
Changing owner of "private" to "web"
If alice can set the access mode to be
    d-rwxrwx--- web alice ..... private
then "private" is protected against system users. There is one disadvantage: alice might not be allowed to execute "chgrp -u web private".
Making a new group alice1
Assume alice has a group "alice1" in "/adm/users":
    alice1:alice1:alice:web
Then giving the access mode below to "private" will resolve the problem.
    d-rwxrwx--- alice alice1 ..... private
The drawback is that alice must ask her system administrator to create the group "alice1", but only once. Some might find this solution ugly because a new group name is introduced only for "web".
Closing entrance
It might be a good idea to close the "httpd root" so that no user except alice and "web" can enter the root.
    d-rwxrwx--- alice web ..... /usr/alice/web
Then
    chmod 777 private
is enough.
The drawback is that alice must ask her system administrator to change the group of "/usr/alice/web".