1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
|
<html>
<head>
<title>AOLserver</title>
</head>
<body>
<h1>AOLserver Permissions and Access Control Guide</h1>
<p>
<small>
$Header: /cvsroot/aolserver/aolserver.com/docs/admin/nsperm.html,v 1.1 2002/03/07 19:15:34 kriston Exp $
</small>
<p>
<p>
Access Control
<p>
AOLserver allows you to define users and groups of users, and assign
permission records to individual pages or entire page hierarchies.
AOLserver users are distinct from operating system users. A permission
record lets you allow or disallow lists of users, lists of groups, and
lists of hosts for a method and URL combination.
<p>
AOLserver requires one special user, nsadmin. This user is always
allowed access to any URL on an AOLserver. The nsadmin user is similar
to the Unix root user.
<p>
AOLserver is configured by default with the nsadmin user, a system
group, a public group, and a users group.
<p>
You can change the permissions given to the system, public, and users
groups and assign users to them by following the procedures described
in this chapter.
<p>
Users and Groups
<p>
AOLserver users are identified by short user names. These user names
can be any name you choose; they are completely independent of the
Unix login accounts. New users can be assigned subdirectories of the
AOLserver pages directory where they can store content.
<p>
Defining Users
<p>
To define AOLserver users, you need to create entries for them in the
passwd file, which resides in the /modules/nsperm directory. The
default passwd file contains:
<p>
""::::::
<br>
nsadmin:CUdnvgBYocLSI:::::
<br>
nobody::::::
<p>
The format is the same as the format for the /etc/passwd file.
AOLserver ignores all but the first two fields, which are the user
name and the encrypted password. The password itself is encrypted the
same way as Unix passwords.
<p>
The "" user is the unauthenticated user and is treated the same as any
other user.
<p>
Defining Groups
<p>
To define AOLserver groups, you need to create entries for them in the
group file, which resides in the /modules/nsperm directory. The
default group file contains:
<p>
system:::nsadmin
<br>
users:::nsadmin,nobody
<br>
all:::nsadmin,nobody,""
<br>
public:::""
<br>
<p>
The format is the same as the format for the /etc/group file.
AOLserver ignores all but the first and last fields, which are the
name of the group and a comma-separated list of users in the group.
<p>
The default group file, shown above, creates groups called system,
users, all, and public, with the listed users in each.
<p>
Permissions
<p>
Permission records indicate the allowed access for a particular URL
and method (GET, and PUT). GET access to an URL allows the user to
display the page, or submit information in a form. PUT access allows
the user to write to the page or delete the page.
<p>
Once you have defined authorized AOLserver users and groups, you can
maintain AOLserver permission records. Normally, only nsadmin and
users in the system group can set permission records directly.
<p>
Permissions Inheritance
<p>
To simplify the permission structure and reduce the number of
permission records you need to maintain, you can specify that a
permission record is inherited by more specific URLs. For example, a
permission record for /a/b would be inherited by /a/b/c.htm if there
is no specific permission record for /a/b/c.htm.
<p>
Setting Permissions for Users and Groups
<p>
To define AOLserver permissions for users and groups, you need to
create permission entries for them in the perms file, which resides in
the /modules/nsperm directory. The default perms file does not contain
any permission entries, but it contains the following comments, which
explain how to add entries to the file:
<pre>
# This is the AOLserver perms file which defines which users
# and groups may or may not visit certain URLs.
#
# The format is:
# ACTION INHERITANCE METHOD URL ENTITY
#
# ACTION can be: denygroup, allowgroup, denyuser, or allowuser
# INHERITANCE can be: inherit or noinherit
# METHOD can be: PUT, GET, POST, or any other supported method.
# URL is the path relative to pageroot, e.g., /index.html or
# /images
# ENTITY is either the name of a user or group, as specified in
# the passwd and group files.
#
# Example:
# denyuser inherit GET /NS ""
# allowuser inherit GET /NS nsadmin
</pre>
<p>
Allowing Hosts
<p>
You can specifically allow hosts to log in as certain users. The
hosts.allow file, which resides in the /modules/nsperm directory,
allows you to specify which hosts may log in as certain users. The
default hosts.allow file contains:
<pre>
#
# This is the AOLserver hosts.alow file. It allows you to specify
# which hosts may log in as certain users. If you have an entry
# in this file for a given user, you may not have an entry in
# hosts.deny for that same user.
#
# Example:
#
# nsadmin: 10.0.0.0/255.0.0.0, .internal.mycompany.com, home.me.com
#
</prE>
<p>
The format for entries in the file is:
<br>
username: host, host, host ...
<p>
where username is a user defined in the passwd file and host can be
specified in either of these forms:
<p>
* ipaddress/netmask
<p>
For example, a host specified as 10.0.0.0/255.0.0.0 matches any
IP address that begins with 10.
<p>
* a fully-qualified host name
<p>
For example, foo.bar.com.
<p>
* part of a host name
<p>
For example, .bar.com, which would match anything ending in
.bar.com.
<p>
Any user in this file must be coming from one of the listed addresses
to gain access.
<p>
Denying Hosts
<p>
You can specifically deny hosts from logging in as certain users. The
hosts.deny file, which resides in the /modules/nsperm directory,
allows you to specify which hosts cannot log in as certain users. The
default hosts.deny file contains:
<pre>
#
# This is the AOLserver hosts.deny file. It allows you to specify
# which hosts may not log in as certain users. If you have an
# entry in this file for a given user, you may not have an entry
# in hosts.allow for that same user.
#
# Example:
#
# nsadmin: hacker.badguy.com, .aol.com, 10.2.114.0/255.255.255.0
#
</pre>
<p>
The format for entries in the file is:
<p>
username: host, host, host ...
<p>
where username is a user defined in the passwd file and host can be
specified in either of these forms:
<p>
* ipaddress/netmask
<p>
For example, a host specified as 10.0.0.0/255.0.0.0 matches any
IP address that begins with 10.
<p>
* a fully-qualified host name
<p>
For example, foo.bar.com.
<p>
* part of a host name
<p>
For example, .bar.com, which would match anything ending in
.bar.com.
<p>
</body>
</html>
|
