Logo address

Webm

目次

2006/08/26

Location

	/usr/web/bin/rc/webm

Description

webm is a script that enables Pegasus to work:

Implementation

In $web/etc/handler

# path	                mimetype      hctl      execpath arg ...
/private/*/index.html	text/html	0	/bin/webm $target
where /private is a directory that allows webm to be used.

Of course the directory should be protected from the unauthorized accesses by both HTTP client and system users.

Protection from HTTP client is easy. Password file "$web/etc/passwd" will resolve the problem.

Protection against system user is somewhat difficult.

Protecting against system users

There are several ways to protect your private data against system users.
The followings are some of them, where your account name is expressed by "alice".

Changing group of "private" to web

If alice can set the access mode to be
	d-rwxrwx--- alice web ..... private
then "private" is protected against system users. We have two disadvantages:
1. alice might not be allowed to execute "chgrp web private".
2. alice might not be able to access the files under "private", because these files are created by httpd and their access mode will be as follows:
	--rwxrwx--- web web ..... private/foo
Then alice can access these file only via httpd.

Changing owner of "private" to "web"

If alice can set the access mode to be
	d-rwxrwx--- web alice ..... private
then "private" is protected against system users. We have a disadvantage:
alice might not be allowed to execute "chgrp -u web private".

Making a new group alice1

Assume alice has a group "alice1" in "/adm/users":
	alice1:alice1:alice:web
Then giving access mode below to "private" will resolve the problem.
	d-rwxrwx--- alice alice1 ..... private
The deficiency is in that alice must ask her system administrator to create a group "alice1", but this is only once. Someone might feel this solution is ugly because new group name is introduced only for "web".

Closing entrance

It might be a a good idea to close "httpd root" so that any user except alice and "web" cannot enter the root.
	d-rwxrwx--- alice web ..... /usr/alice/web
Then
	chmod 777 private
is enough.
The deficiency is in that alice must ask her system administrator to change group of "/usr/alice/web".