File: acc-ch2.htm

<HTML><HEAD>
<TITLE>Server  Administration -- Access Control</TITLE>
<LINK rel=Previous href="acc-ch1.htm">
<LINK rel=ToC href="toc.htm">
<LINK rel=Index href="master.htm">
<LINK rel=Next href="cgi-ch.htm">
</HEAD><BODY BGCOLOR="#ffffff"><A NAME="topofpage"></A>
<TABLE WIDTH=100%>
  <TR>
    <TD ALIGN=LEFT>
      <IMG SRC="as-c-sm.gif">
    </TD>
    <TD ALIGN=RIGHT>
      <A href="acc-ch1.htm"><IMG  BORDER="0" src=navbprev.gif alt="[ Previous ]"></A>
      <A href=toc.htm> <IMG  BORDER="0" src=navbhome.gif alt="[ Contents ]"></A>
      <A href=master.htm> <IMG  BORDER="0" src=navbhelp.gif alt="[ Index ]"></A>
      <A href="cgi-ch.htm"> <IMG  BORDER="0" src=navbnext.gif alt="[ Next ]"></A>
      <A name="7983"> </A>
    </TD>
  </TR>
</TABLE>

<a name="28336">
</a><h3>Access Control</h3>
<p><a name="12607">
</a>AOLserver allows you to define users and groups of users, and assign permission records to individual pages or entire page hierarchies. AOLserver users are distinct from operating system users.  A permission record lets you allow or disallow lists of users, lists of groups, and lists of hosts for a method and URL combination.</p>
<p><a name="2702">
</a>AOLserver requires one special user, <code>nsadmin</code>. This user is always allowed access to any URL on an AOLserver. The <code>nsadmin</code> user is similar to the Unix <code>root</code> user. </p>
<p><a name="2704">
</a>AOLserver is configured by default with the <code>nsadmin</code> user, a <code>system</code> group, a <code>public</code> group, and a <code>users</code> group.</p>
<p><a name="14117">
</a>You can change the permissions given to the <code>system</code>, <code>public</code>, and <code>users</code> groups and assign users to them by following the procedures described in this chapter.</p>
<a name="19958">
</a><h4>Users and Groups</h4>
<p><a name="6373">
</a>AOLserver users are identified by short user names. These user names can be any name you choose; they are completely independent of the Unix login accounts. New users can be assigned subdirectories of the AOLserver pages directory where they can store content.</p>
<a name="23477">
</a><h4>Defining Users</h4>
<p><a name="25726">
</a>To define AOLserver users, you need to create entries for them in the <code>passwd</code> file, which resides in the <code>/modules/nsperm</code> directory. The default <code>passwd</code> file contains:</p>
<pre>    <a name="26367"></a>""::::::
    <a name="26368"></a>nsadmin:CUdnvgBYocLSI:::::
    <a name="26369"></a>nobody::::::
</pre><p><a name="26371">
</a>The format is the same as the format for the <code>/etc/passwd</code> file. AOLserver ignores all but the first two fields, which are the user name and the encrypted password. The password itself is encrypted the same way as Unix passwords.</p>
<p><a name="26511">
</a>The <code>""</code> user is the unauthenticated user and is treated the same as any other user.</p>
<a name="25755">
</a><h4>Defining Groups</h4>
<p><a name="26583">
</a>To define AOLserver groups, you need to create entries for them in the <code>group</code> file, which resides in the <code>/modules/nsperm</code> directory. The default <code>group</code> file contains:</p>
<pre>    <a name="26605"></a>system:::nsadmin
    <a name="26606"></a>users:::nsadmin,nobody
    <a name="26607"></a>all:::nsadmin,nobody,""
    <a name="26672"></a>public:::""
</pre><p><a name="26673">
</a>The format is the same as the format for the <code>/etc/group</code> file. AOLserver ignores all but the first and last fields, which are the name of the group and a comma-separated list of users in the group. </p>
<p><a name="26691">
</a>The default group file, shown above, creates groups called <code>system</code>, <code>users</code>, <code>all</code>, and <code>public</code>, with the listed users in each.</p>
<a name="25760">
</a><h4>Tcl Commands for Users and Groups</h4>
<p><a name="24259">
</a>The following Tcl commands, described in detail in the <i>AOLserver Tcl Developer's Guide</i>, allow you to work with users and groups. You can execute these commands while using the control port interface or in a Tcl script.</p>
<Table Border="3">
<tr><th><a name="23498"></a><b>Tcl Function</b></th>
<th><a name="23533"></a><b>Description</b></th>
<th><a name="23500"></a><b>Where Documented</b></th></tr>

<tr><td><a name="23502"></a><b>ns_perm adduser</b></td>
<td><a name="23535"></a>Create a new user and optionally restrict the user's access to specified addresses</td>
<td><a name="23504"></a><i>Tcl Developer's Guide:</i> <a href="tapi-c94.htm#79412">page 150</a></td></tr>

<tr><td><a name="23506"></a><b>ns_perm addgroup</b></td>
<td><a name="23537"></a>Create a new group of users</td>
<td><a name="23603"></a><i>Tcl Developer's Guide:</i> <a href="tapi-c94.htm#79412">page 150</a></td></tr>

<tr><td><a name="27557"></a><b>ns_perm setpass</b></td>
<td><a name="27559"></a>Update a user's password</td>
<td><a name="27697"></a><i>Tcl Developer's Guide:</i> <a href="tapi-c94.htm#79412">page 150</a></td></tr>

<tr><td><a name="27551"></a><b>ns_perm checkpass</b></td>
<td><a name="27553"></a>Authenticate a user's password</td>
<td><a name="27720"></a><i>Tcl Developer's Guide:</i> <a href="tapi-c94.htm#79412">page 150</a></td></tr>

<tr><td><a name="27545"></a><b>ns_permpasswd</b></td>
<td><a name="27547"></a>Update a user's password both in the running server and on disk</td>
<td><a name="27748"></a><i>Tcl Developer's Guide:</i> <a href="tapi-c95.htm#296291">page 152</a></td></tr>
</Table>
<a name="2882">
</a><h4>Permissions</h4>
<p><a name="6451">
</a>Permission records indicate the allowed access for a particular URL and method (GET and PUT). GET access to a URL allows the user to display the page or submit information in a form. PUT access allows the user to write to the page or delete the page.</p>
<p><a name="24507">
</a>Once you have defined authorized AOLserver users and groups, you can maintain AOLserver permission records. Normally, only <code>nsadmin</code> and users in the <code>system</code> group can set permission records directly.</p>
<a name="9180">
</a><h4>Permissions Inheritance</h4>
<p><a name="11987">
</a>To simplify the permission structure and reduce the number of permission records you need to maintain, you can specify that a permission record is inherited by more specific URLs. For example, a permission record for <code>/a/b</code> would be inherited by <code>/a/b/c.htm</code> if there is no specific permission record for <code>/a/b/c.htm</code>.</p>
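<p>An added example, not AOLserver's own code, showing how such inheritance resolves, written in Python rather than Tcl: it parses records in the <code>ACTION INHERITANCE METHOD URL ENTITY</code> form of the <code>perms</code> file described later in this chapter, walks up the URL path to the nearest record marked <code>inherit</code> (skipping <code>noinherit</code> ancestors), and then checks the user and group lists. The evaluation order (deny-user, allow-user, deny-group, allow-group, otherwise deny), the treatment of a URL with no applicable record as open, and the sample group and perms contents are all assumptions, not taken from the page.</p>

```python
# Added example (not AOLserver's own code): resolve nsperm-style permission
# records with inherit/noinherit; evaluation order is an assumption.
from posixpath import dirname
# Constructed sample files, same syntax as the group and perms files on the page.
GROUP_FILE = 'system:::nsadmin\nusers:::nsadmin,nobody\npublic:::""\n'
PERMS_FILE = '''denyuser   inherit   GET /NS ""
allowuser  inherit   GET /NS nsadmin
allowgroup noinherit GET /NS/status users
'''

def parse_groups(text):
    # group file -> {group: set(users)}; "" names the unauthenticated user
    groups = {}
    for line in (l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")):
        fields = line.split(":")
        groups[fields[0]] = {u.strip('"') for u in fields[-1].split(",") if u}
    return groups

def parse_perms(text):
    # ACTION INHERITANCE METHOD URL ENTITY -> {(method, url): record}
    perms = {}
    for line in (l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")):
        action, inh, method, url, entity = line.split()
        rec = perms.setdefault((method, url), {"inherit": inh == "inherit"})
        rec.setdefault(action, set()).add(entity.strip('"'))
    return perms

def find_record(perms, method, url):
    # exact record for url, else the nearest ancestor record marked inherit
    rec, path = perms.get((method, url)), url
    while rec is None and path != "/":
        path = dirname(path)
        cand = perms.get((method, path))
        if cand is not None and cand["inherit"]:   # noinherit ancestors are skipped
            rec = cand
    return rec

def authorize(perms, groups, method, url, user):
    if user == "nsadmin":                      # page: nsadmin is always allowed
        return True
    rec = find_record(perms, method, url)
    if rec is None:
        return True                            # assumption: no record => open
    if user in rec.get("denyuser", ()):
        return False
    if user in rec.get("allowuser", ()):
        return True
    mine = {g for g, members in groups.items() if user in members}
    if mine & rec.get("denygroup", set()):
        return False
    return bool(mine & rec.get("allowgroup", set()))
```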
<a name="26723">
</a><h4>Setting Permissions for Users and Groups</h4>
<p><a name="26774">
</a>To define AOLserver permissions for users and groups, you need to create permission entries for them in the <code>perms</code> file, which resides in the <code>/modules/nsperm</code> directory. The default <code>perms</code> file does not contain any permission entries, but it contains the following comments, which explain how to add entries to the file:</p>
<pre>    <a name="26791"></a># This is the AOLserver perms file which defines which users
    <a name="26792"></a># and groups may or may not visit certain URLs.
    <a name="26793"></a>#
    <a name="26794"></a># The format is:
    <a name="26795"></a># ACTION  INHERITANCE  METHOD  URL  ENTITY
    <a name="26796"></a>#
    <a name="26797"></a># ACTION can be: denygroup, allowgroup, denyuser, or allowuser
    <a name="26798"></a># INHERITANCE can be: inherit or noinherit
    <a name="26799"></a># METHOD can be: PUT, GET, POST, or any other supported method.
    <a name="26800"></a># URL is the path relative to pageroot, e.g., /index.html or 
    <a name="27507"></a># /images
    <a name="27497"></a># ENTITY is either the name of a user or group, as specified in 
    <a name="26802"></a># the passwd and group files.
    <a name="26803"></a>#
    <a name="26804"></a># Example:
    <a name="26805"></a># denyuser  inherit GET /NS ""
    <a name="26806"></a># allowuser inherit GET /NS nsadmin
</pre><a name="26732">
</a><h4>Allowing Hosts</h4>
<p><a name="26840">
</a>You can specifically allow hosts to log in as certain users. The <code>hosts.allow</code> file, which resides in the <code>/modules/nsperm</code> directory, allows you to specify which hosts may log in as certain users. The default <code>hosts.allow</code> file contains:</p>
<pre>    <a name="26868"></a>#
    <a name="26869"></a># This is the AOLserver hosts.allow file. It allows you to specify 
    <a name="26870"></a># which hosts may log in as certain users. If you have an entry 
    <a name="26871"></a># in this file for a given user, you may not have an entry in 
    <a name="26872"></a># hosts.deny for that same user.
    <a name="26873"></a>#
    <a name="26874"></a># Example:
    <a name="26875"></a>#
    <a name="26876"></a># nsadmin: 10.0.0.0/255.0.0.0, .internal.mycompany.com, home.me.com
    <a name="26877"></a>#
</pre><p><a name="26969">
</a>The format for entries in the file is:</p>
<pre>    <a name="26970"></a>username: host, host, host ...
</pre><p><a name="26972">
</a>where <code>username</code> is a user defined in the <code>passwd</code> file and each host can be specified in any of these forms:</p>
<ul>
<li><code>ipaddress/netmask</code><a name="27005"></a>
<p>For example, a host specified as <code>10.0.0.0/255.0.0.0</code> matches any IP address that begins with 10.<a name="27006"></a></p></li>
<li>a fully-qualified host name<a name="27007"></a>
<p>For example, <code>foo.bar.com</code>.<a name="27008"></a></p></li>
<li>part of a host name<a name="26978"></a>
<p>For example, <code>.bar.com</code>, which would match anything ending in <code>.bar.com</code>.<a name="26979"></a></p></li>
</ul>
<p><a name="27025">
</a>Any user in this file must be coming from one of the listed addresses to gain access.</p>
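<p>An added example, not AOLserver's own code: a Python checker that parses entries in the <code>username: host, host, ...</code> form, matches a client's IP address and host name against the three host forms listed above, and reports any user that appears in both <code>hosts.allow</code> and <code>hosts.deny</code>, which the file comments say is not permitted. The same matcher serves the <code>hosts.deny</code> file described in the next section; how AOLserver obtains the client's host name is not covered on this page, so the caller supplies both values, and the sample entries are constructed.</p>

```python
# Added example (not AOLserver's own code): match a client against nsperm
# hosts.allow / hosts.deny entries; the sample files below are constructed.
import ipaddress

HOSTS_ALLOW = '''# which hosts may log in as certain users
nsadmin: 10.0.0.0/255.0.0.0, .internal.mycompany.com, home.me.com
'''
HOSTS_DENY = 'nobody: 10.2.114.0/255.255.255.0, .badguy.example\n'

def parse_hosts(text):
    # "username: host, host, ..." -> {username: [host, ...]}
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, hosts = line.partition(":")
            table[user.strip()] = [h.strip() for h in hosts.split(",") if h.strip()]
    return table

def host_matches(pattern, ip, hostname):
    # the three forms the page lists: ipaddress/netmask, full name, .suffix
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("."):
        return hostname.endswith(pattern)
    return hostname == pattern

def users_in_both(allow, deny):
    # the page forbids listing one user in both files; report offenders
    return sorted(set(allow) & set(deny))

def host_allowed(user, ip, hostname, allow, deny):
    # hosts.allow: a listed user must come from one of its hosts;
    # hosts.deny: a listed user must come from none of its hosts
    if user in allow and not any(host_matches(p, ip, hostname) for p in allow[user]):
        return False
    if user in deny and any(host_matches(p, ip, hostname) for p in deny[user]):
        return False
    return True
```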
<a name="27034">
</a><h4>Denying Hosts</h4>
<p><a name="27039">
</a>You can specifically deny hosts from logging in as certain users. The <code>hosts.deny</code> file, which resides in the <code>/modules/nsperm</code> directory, allows you to specify which hosts cannot log in as certain users. The default <code>hosts.deny</code> file contains:</p>
<pre>    <a name="27055"></a>#
    <a name="27056"></a># This is the AOLserver hosts.deny file. It allows you to specify 
    <a name="27057"></a># which hosts may not log in as certain users. If you have an 
    <a name="27058"></a># entry in this file for a given user, you may not have an entry 
    <a name="27059"></a># in hosts.allow for that same user.
    <a name="27060"></a>#
    <a name="27061"></a># Example:
    <a name="27062"></a>#
    <a name="27063"></a># nsadmin: hacker.badguy.com, .aol.com, 10.2.114.0/255.255.255.0
    <a name="27064"></a>#
</pre><p><a name="27093">
</a>The format for entries in the file is:</p>
<pre>    <a name="27094"></a>username: host, host, host ...
</pre><p><a name="27095">
</a>where <code>username</code> is a user defined in the <code>passwd</code> file and each host can be specified in any of these forms:</p>
<ul>
<li><code>ipaddress/netmask</code><a name="27096"></a>
<p>For example, a host specified as <code>10.0.0.0/255.0.0.0</code> matches any IP address that begins with 10.<a name="27097"></a></p></li>
<li>a fully-qualified host name<a name="27098"></a>
<p>For example, <code>foo.bar.com</code>.<a name="27099"></a></p></li>
<li>part of a host name<a name="27100"></a>
<p>For example, <code>.bar.com</code>, which would match anything ending in <code>.bar.com</code>.<a name="27101"></a></p></li>
</ul><a name="8936">
</a><h4>Tcl Commands for Setting Permissions</h4>
<p><a name="24222">
</a>The following Tcl commands, described in detail in the <i>AOLserver Tcl Developer's Guide</i>, allow you to set permissions. You can execute these commands while using the control port interface or in a Tcl script.</p>
<Table Border="3">
<tr><th><a name="24226"></a><b>Tcl Function</b></th>
<th><a name="24228"></a><b>Description</b></th>
<th><a name="24230"></a><b>Where Documented</b></th></tr>

<tr><td><a name="24232"></a><b>ns_perm allowuser</b></td>
<td><a name="24234"></a>Allow a user access to a specified method/URL combination, with or without inheritance.</td>
<td><a name="24236"></a><i>Tcl Developer's Guide:</i> <a href="tapi-c94.htm#79412">page 150</a></td></tr>

<tr><td><a name="24238"></a><b>ns_perm denyuser</b></td>
<td><a name="24240"></a>Deny a user access to a specified method/URL combination, with or without inheritance.</td>
<td><a name="24242"></a><i>Tcl Developer's Guide:</i> <a href="tapi-c94.htm#79412">page 150</a></td></tr>

<tr><td><a name="24292"></a><b>ns_perm allowgroup</b></td>
<td><a name="24294"></a>Allow a group of users access to a specified method/URL combination, with or without inheritance.</td>
<td><a name="24296"></a><i>Tcl Developer's Guide:</i> <a href="tapi-c94.htm#79412">page 150</a></td></tr>

<tr><td><a name="24286"></a><b>ns_perm denygroup</b></td>
<td><a name="24288"></a>Deny a group of users access to a specified method/URL combination, with or without inheritance.</td>
<td><a name="24290"></a><i>Tcl Developer's Guide:</i> <a href="tapi-c94.htm#79412">page 150</a></td></tr>
</Table>
<p><a name="8975">
</a></p>


<TABLE BORDER="2" CELLPADDING="1" width="100%">
<TR><TD COLSPAN=3><P ALIGN=Center>
<IMG SRC="bluebult.gif">
<A HREF="#topofpage">
<FONT SIZE=-1>Top of Page</FONT></A>
<IMG SRC="bluebult.gif">
</TD></TR>
<TR><TD COLSPAN=3><P ALIGN=Center>
<A href="acc-ch1.htm">
<IMG  BORDER="0" src=navbprev.gif alt="[ Previous ]"></A>
<A href=toc.htm>
<IMG  BORDER="0" src=navbhome.gif alt="[ Contents ]"></A>
<A href=master.htm>
<IMG  BORDER="0" src=navbhelp.gif alt="[ Index ]"></A>
<A href="cgi-ch.htm">
<IMG  BORDER="0" src=navbnext.gif alt="[ Next ]"></A>
<BR align=center>
<FONT size=-1>Copyright &copy; 1998-99 America Online,
Inc.</FONT>
</TD></TR></TABLE></BODY></HTML>