<html>
<head>
<title>AOLserver</title>
</head>
<body>
<h1>AOLserver Permissions and Access Control Guide</h1>
<p>
<small>
$Header: /cvsroot/aolserver/aolserver.com/docs/admin/nsperm.html,v 1.1 2002/03/07 19:15:34 kriston Exp $
</small>
<h2>Access Control</h2>
<p>
AOLserver allows you to define users and groups of users, and assign
permission records to individual pages or entire page hierarchies.
AOLserver users are distinct from operating system users. A permission
record lets you allow or disallow lists of users, lists of groups, and
lists of hosts for a method and URL combination.
<p>
AOLserver requires one special user, nsadmin. This user is always
allowed access to any URL on an AOLserver. The nsadmin user is similar
to the Unix root user.
<p>
AOLserver is configured by default with the nsadmin user, a system
group, a public group, and a users group.
<p>
You can change the permissions given to the system, public, and users
groups and assign users to them by following the procedures described
in this chapter.
<h2>Users and Groups</h2>
<p>
AOLserver users are identified by short user names. These user names
can be any name you choose; they are completely independent of the
Unix login accounts. New users can be assigned subdirectories of the
AOLserver pages directory where they can store content.
<h2>Defining Users</h2>
<p>
To define AOLserver users, you need to create entries for them in the
passwd file, which resides in the /modules/nsperm directory. The
default passwd file contains:
<pre>
""::::::
nsadmin:CUdnvgBYocLSI:::::
nobody::::::
</pre>
<p>
The format is the same as the format for the /etc/passwd file.
AOLserver ignores all but the first two fields, which are the user
name and the encrypted password. The password itself is encrypted the
same way as Unix passwords.
<p>
The "" user is the unauthenticated user and is treated the same as any
other user.
<h2>Defining Groups</h2>
<p>
To define AOLserver groups, you need to create entries for them in the
group file, which resides in the /modules/nsperm directory. The
default group file contains:
<pre>
system:::nsadmin
users:::nsadmin,nobody
all:::nsadmin,nobody,""
public:::""
</pre>
<p>
The format is the same as the format for the /etc/group file.
AOLserver ignores all but the first and last fields, which are the
name of the group and a comma-separated list of users in the group.
<p>
The default group file, shown above, creates groups called system,
users, all, and public, with the listed users in each.
<h2>Permissions</h2>
<p>
Permission records indicate the allowed access for a particular URL
and method (GET and PUT). GET access to a URL allows the user to
display the page or submit information in a form. PUT access allows
the user to write to the page or delete the page.
<p>
Once you have defined authorized AOLserver users and groups, you can
maintain AOLserver permission records. Normally, only nsadmin and
users in the system group can set permission records directly.
<h2>Permissions Inheritance</h2>
<p>
To simplify the permission structure and reduce the number of
permission records you need to maintain, you can specify that a
permission record is inherited by more specific URLs. For example, a
permission record for /a/b would be inherited by /a/b/c.htm if there
is no specific permission record for /a/b/c.htm.
<h2>Setting Permissions for Users and Groups</h2>
<p>
To define AOLserver permissions for users and groups, you need to
create permission entries for them in the perms file, which resides in
the /modules/nsperm directory. The default perms file does not contain
any permission entries, but it contains the following comments, which
explain how to add entries to the file:
<pre>
# This is the AOLserver perms file which defines which users
# and groups may or may not visit certain URLs.
#
# The format is:
# ACTION INHERITANCE METHOD URL ENTITY
#
# ACTION can be: denygroup, allowgroup, denyuser, or allowuser
# INHERITANCE can be: inherit or noinherit
# METHOD can be: PUT, GET, POST, or any other supported method.
# URL is the path relative to pageroot, e.g., /index.html or
# /images
# ENTITY is either the name of a user or group, as specified in
# the passwd and group files.
#
# Example:
# denyuser inherit GET /NS ""
# allowuser inherit GET /NS nsadmin
</pre>
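<p>
The three files above (passwd, group, perms) together decide who may use which method on which URL. The following Python is an added example, not AOLserver's own nsperm code: it parses the three formats from constructed sample strings and resolves a request the way this guide describes, with nsadmin always admitted and a record for /a/b applying to /a/b/c.htm only when it is marked inherit and nothing more specific exists. Everything else is an assumption of this example: that deny lines of the applicable record are weighed before its allow lines, that a user no allow line names is refused, that a URL without any record is served, that the unauthenticated user is carried as the literal two-character token "" exactly as it appears in the files, and the made-up user alice with her PLACEHOLDER_HASH password field.

```python
"""Resolving AOLserver-style permission records: an added example, not nsperm's
own code. Applies the guide's rules (nsadmin always allowed; a record for /a/b
covers /a/b/c.htm when marked inherit and nothing more specific exists). Assumed:
deny beats allow within a record, a user no allow line names is refused, a URL
without any record is served, the unauthenticated user is the literal token ""."""
import posixpath
from dataclasses import dataclass, field

# Constructed sample files in the layout of the guide's defaults; alice and
# PLACEHOLDER_HASH are made up, the latter is not real crypt(3) output.
PASSWD = '''""::::::
nsadmin:CUdnvgBYocLSI:::::
nobody::::::
alice:PLACEHOLDER_HASH:::::
'''
GROUP = '''system:::nsadmin
users:::nsadmin,nobody,alice
all:::nsadmin,nobody,alice,""
public:::""
'''
PERMS = '''# ACTION INHERITANCE METHOD URL ENTITY
denyuser inherit GET /NS ""
allowuser inherit GET /NS nsadmin
allowgroup inherit GET /private users
denygroup inherit GET /private public
allowgroup inherit PUT /private system
denyuser noinherit GET /private/index.html alice
allowgroup noinherit GET /private/index.html users
'''
UNAUTHENTICATED = '""'  # the unauthenticated user, spelled as in the files

@dataclass
class PermRecord:
    inherit: bool = False
    allow_users: set = field(default_factory=set)
    deny_users: set = field(default_factory=set)
    allow_groups: set = field(default_factory=set)
    deny_groups: set = field(default_factory=set)

def _data_lines(text):
    """Yield (line number, text) for the non-blank, non-comment lines."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line and not line.startswith("#"):
            yield lineno, line

def parse_colon_file(text, want):
    """passwd and group use the /etc layout; keep field 0 as key, field `want` as value."""
    table = {}
    for _, line in _data_lines(text):
        fields = line.split(":")
        table[fields[0]] = fields[want] if want < len(fields) else ""
    return table

def parse_perms(text):
    """perms: ACTION INHERITANCE METHOD URL ENTITY, merged per (METHOD, URL)."""
    actions = {"allowuser": "allow_users", "denyuser": "deny_users",
               "allowgroup": "allow_groups", "denygroup": "deny_groups"}
    perms = {}
    for lineno, line in _data_lines(text):
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"perms line {lineno}: expected 5 fields, got {len(parts)}")
        action, inheritance, method, url, entity = parts
        if action not in actions or inheritance not in ("inherit", "noinherit"):
            raise ValueError(f"perms line {lineno}: bad ACTION or INHERITANCE")
        rec = perms.setdefault((method.upper(), url), PermRecord())
        rec.inherit = rec.inherit or inheritance == "inherit"
        getattr(rec, actions[action]).add(entity)
    return perms

def find_record(perms, method, url):
    """Exact record for the URL, else the nearest ancestor record marked inherit."""
    path, exact = url.rstrip("/") or "/", True
    while True:
        rec = perms.get((method.upper(), path))
        if rec is not None and (exact or rec.inherit):
            return rec
        if path == "/":
            return None
        path, exact = posixpath.dirname(path), False

def check_access(perms, groups, method, url, user):
    """True if the already authenticated `user` may use `method` on `url`."""
    if user == "nsadmin":  # the guide: nsadmin is never restricted
        return True
    rec = find_record(perms, method, url)
    if rec is None:  # assumption: no record at all means the URL is unrestricted
        return True
    member_of = {g for g, members in groups.items() if user in members}
    if user in rec.deny_users or member_of & rec.deny_groups:
        return False
    return user in rec.allow_users or bool(member_of & rec.allow_groups)

USERS = parse_colon_file(PASSWD, 1)                       # name -> encrypted password
GROUPS = {g: set(m.split(",")) - {""} for g, m in parse_colon_file(GROUP, -1).items()}
PERM_TABLE = parse_perms(PERMS)
```

Import the module and call check_access with tables built from the real files to dry-run a perms file before restarting the server; a malformed entry is reported with its perms line number. The noinherit record for /private/index.html in the sample shows the inheritance boundary: it governs only that exact URL, while /private/report.html falls back to the inherit record for /private.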
<h2>Allowing Hosts</h2>
<p>
You can specifically allow hosts to log in as certain users. The
hosts.allow file, which resides in the /modules/nsperm directory,
allows you to specify which hosts may log in as certain users. The
default hosts.allow file contains:
<pre>
#
# This is the AOLserver hosts.allow file. It allows you to specify
# which hosts may log in as certain users. If you have an entry
# in this file for a given user, you may not have an entry in
# hosts.deny for that same user.
#
# Example:
#
# nsadmin: 10.0.0.0/255.0.0.0, .internal.mycompany.com, home.me.com
#
</pre>
<p>
The format for entries in the file is:
<pre>
username: host, host, host ...
</pre>
<p>
where username is a user defined in the passwd file and host can be
specified in either of these forms:
<ul>
<li>ipaddress/netmask<br>
For example, a host specified as 10.0.0.0/255.0.0.0 matches any
IP address that begins with 10.</li>
<li>a fully-qualified host name<br>
For example, foo.bar.com.</li>
<li>part of a host name<br>
For example, .bar.com, which would match anything ending in
.bar.com.</li>
</ul>
<p>
Any user in this file must be coming from one of the listed addresses
to gain access.
<h2>Denying Hosts</h2>
<p>
You can specifically deny hosts from logging in as certain users. The
hosts.deny file, which resides in the /modules/nsperm directory,
allows you to specify which hosts cannot log in as certain users. The
default hosts.deny file contains:
<pre>
#
# This is the AOLserver hosts.deny file. It allows you to specify
# which hosts may not log in as certain users. If you have an
# entry in this file for a given user, you may not have an entry
# in hosts.allow for that same user.
#
# Example:
#
# nsadmin: hacker.badguy.com, .aol.com, 10.2.114.0/255.255.255.0
#
</pre>
<p>
The format for entries in the file is:
<pre>
username: host, host, host ...
</pre>
<p>
where username is a user defined in the passwd file and host can be
specified in either of these forms:
<ul>
<li>ipaddress/netmask<br>
For example, a host specified as 10.0.0.0/255.0.0.0 matches any
IP address that begins with 10.</li>
<li>a fully-qualified host name<br>
For example, foo.bar.com.</li>
<li>part of a host name<br>
For example, .bar.com, which would match anything ending in
.bar.com.</li>
</ul>
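<p>
The hosts.allow and hosts.deny sections above share one entry format and one set of host forms. The following Python is an added example, not AOLserver's own nsperm code: it parses "username: host, host, ..." lines from constructed samples, matches a client against the three forms the guide lists (ipaddress/netmask, a fully-qualified host name, a leading-dot suffix), and applies the stated semantics: a user with an allow entry must come from a listed host, a user with a deny entry must not, and a user may not appear in both files. The made-up user alice, the sample networks, and the assumption that the client host name comes from a reverse lookup the server trusts are this example's own.

```python
"""Matching hosts.allow / hosts.deny entries: an added example, not nsperm's own
code. Parses the `username: host, host, ...` lines from constructed strings and
applies the three host forms the guide lists (ipaddress/netmask, full host
name, leading-dot suffix). Assumed: the client host name is the result of a
reverse lookup the server trusts, and a user listed in both files is an error."""
import ipaddress

# Constructed samples in the layout of the guide's examples.
HOSTS_ALLOW = '''# who may log in as nsadmin, and from where
nsadmin: 10.0.0.0/255.0.0.0, .internal.mycompany.com, home.me.com
'''
HOSTS_DENY = '''# where alice may NOT log in from (alice is a made-up user)
alice: 10.2.114.0/255.255.255.0, .example.net
'''

def parse_hosts_file(text):
    """Return {username: [host pattern, ...]}; blank and '#' lines are skipped."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hosts = line.partition(":")
        if not sep or not user.strip():
            raise ValueError(f"line {lineno}: expected 'username: host, ...'")
        table[user.strip()] = [h.strip() for h in hosts.split(",") if h.strip()]
    return table

def host_matches(pattern, client_ip, client_host=None):
    """One pattern against one client: ip/netmask, exact name, or .suffix."""
    if "/" in pattern:  # 10.0.0.0/255.0.0.0 matches every address starting with 10.
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    if not client_host:  # name forms need a (trusted) reverse lookup result
        return False
    name, pattern = client_host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):  # .bar.com matches anything ending in .bar.com
        return name.endswith(pattern)
    return name == pattern

def conflicting_users(allow, deny):
    """Users named in both files; the guide says that is not permitted."""
    return sorted(set(allow) & set(deny))

def login_permitted(allow, deny, user, client_ip, client_host=None):
    """hosts.allow: must match one listed host; hosts.deny: must match none."""
    if user in conflicting_users(allow, deny):
        raise ValueError(f"{user!r} appears in both hosts.allow and hosts.deny")
    if user in allow:
        return any(host_matches(p, client_ip, client_host) for p in allow[user])
    if user in deny:
        return not any(host_matches(p, client_ip, client_host) for p in deny[user])
    return True  # no entry in either file: no host restriction for this user

ALLOW_TABLE = parse_hosts_file(HOSTS_ALLOW)
DENY_TABLE = parse_hosts_file(HOSTS_DENY)
```

Note that without a client host name only the ipaddress/netmask form can match, so an allow entry made up solely of host names refuses every client whose address does not resolve; the suffix form requires the dot, so .bar.com does not match foobar.com.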
<p>
</body>
</html>