Server Mode 2002/02/24
Server mode is a mode in which httpd reads the HTTP port (default 80) directly.

The merit is this. If you don't execute httpd in server mode, it is invoked by `listen', and httpd is then executed as user `none'. If writing is required, the file must be writable by `none'. If the file server is shared by many persons, that may cause a problem.

Let `web' be a user: not a real user but a virtual user. If httpd can run as user `web', we can keep security even if the file server is shared by many persons.
If user `alice' wants /usr/alice/web/doc/data to be readable or writable only by `alice' and httpd, then change /adm/users to:

	alice:alice:web
	web::

and register user `web' to your authentication server.
	cpu% chmod 664 /usr/alice/web/doc/somedata
	cpu% ls -l
	--rw-rw-r-- alice web ... /usr/alice/web/doc/somedata

Making the file append-only (shown by ls -l as a-rw-rw-r--) is safer; otherwise save the file to venti for safety.
Therefore /usr/alice/web/doc/somedata will be protected if no user can become `web' except httpd.
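As an added example (not part of the Pegasus documentation), the following Python script models the permission reasoning above: it parses a constructed /adm/users table in the users(6) line format id:name:leader:members and evaluates who may read or write a file such as alice:web with mode 664, compared with the 666 a `none'-owned httpd would require. The permission rule it applies (owner bits for the owner, group bits for the group user itself or a listed member, other bits for everyone else) is the modelled assumption; the sample users and file entries are constructed.

```python
"""Model Plan 9 file permission checks against an /adm/users table.

Added example, not Pegasus code. Assumes the users(6) line format
id:name:leader:members and the permission rule: owner bits apply to the
file owner, group bits to the group user itself or a listed member of that
group, and other bits to everyone else.
"""
from dataclasses import dataclass, field

READ, WRITE = 4, 2


@dataclass
class Group:
    name: str
    leader: str
    members: set = field(default_factory=set)


def parse_users(text):
    """Parse /adm/users text into {name: Group}; blank lines and '#' comments are skipped."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            raise ValueError(f"malformed users line: {line!r}")
        name, leader = fields[1], fields[2]
        members = set()
        if len(fields) > 3:
            members = {m for m in fields[3].split(",") if m}
        groups[name] = Group(name, leader, members)
    return groups


def in_group(groups, user, group):
    """A user is in a group if it is that group's own user or a listed member."""
    if user == group:
        return True
    g = groups.get(group)
    return g is not None and user in g.members


def allowed(groups, user, owner, group, mode, want):
    """True if `user` has the `want` bits (READ/WRITE) on a file owned by owner:group with octal `mode`."""
    if user == owner:
        bits = (mode >> 6) & 7
    elif in_group(groups, user, group):
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want


# Constructed sample /adm/users: alice and bob are real users,
# `web' is the virtual user httpd runs as, `none' is the listen default.
SAMPLE_USERS = """\
alice:alice:alice:
bob:bob:bob:
web:web:web:
none:none:none:
"""


def who_can_write(groups, owner, group, mode, users=("alice", "bob", "web", "none")):
    """List which of `users` may write a file owned by owner:group with the given mode."""
    return [u for u in users if allowed(groups, u, owner, group, mode, WRITE)]


if __name__ == "__main__":
    g = parse_users(SAMPLE_USERS)
    # Server mode: httpd runs as `web', so alice:web 664 lets only alice and httpd write.
    print("alice:web 664 writers:", who_can_write(g, "alice", "web", 0o664))
    # listen-invoked httpd runs as `none', so the file must be 666 for httpd to write it,
    # which also lets every other user of the shared file server write it.
    print("alice:alice 666 writers:", who_can_write(g, "alice", "alice", 0o666))
```

The contrast between the two calls is the page's argument: with a dedicated `web' user the group bits do the work and the world bits can stay read-only, whereas with `none' the only way to let httpd write is to let everyone write.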
Note that this simple method is acceptable only with Pegasus, because in any httpd other than Pegasus another person's CGI can write /usr/alice/web/doc/somedata.
Option -u makes httpd run as the user who invoked Pegasus. So log in as `web':

	auth/login web

and then run httpd.
How is this done automatically? `mon' is provided for this purpose. This tool also resolves a security problem described below.
Pegasus httpd does not allow mounts by CGI except under option -m.
However, an httpd running as `web' can kill httpd. Mon is provided for this case. Don't run mon as user `web': the fact that mon is not owned by `web' is what protects it against CGI.