All of the web-based access control mechanisms (by hostname/domain,
with a password, and via network ID) work fine for limiting access
via the web. However, you must take extra precautions if you want to
prevent access directly via the filesystem (i.e. using /l/www/some/path
or /l/cgi/some/path) by people with local CS accounts.
In order for the web server to be able to access and serve web pages,
these files must be readable by the www user or wwwd group (or the
cgi user or cgid group if you are using the cgi server). The typical
way to allow such privileges is to make your web pages world-readable
(i.e. readable by anyone with a local CS account).
Since most web pages may be accessible with no restrictions via the web
server, having these files readable by all local users is frequently
not a problem.
However, if you want to limit access via the web and also prevent local
users from reading the files you must take extra steps.
One easy way to protect the files is to put them in a directory that
is only readable by you and the web or cgi server. This can be done
by setting the appropriate group and group permissions on the directory.
The only problem with this is that you are not a member of the group
under which the web and cgi servers run, and Unix will not let you
change the group of a file or directory to a group of which you are
not a member. To get around this problem, we have created two setgid
frontend scripts to the chgrp command that let you do this:
chgrp_www - Change a named file or directory to group wwwd
chgrp_cgi - Change a named file or directory to group cgid
This is probably best explained with a couple of examples. The first example
will show how to secure files on the CS web server and the second on
the CS cgi server.
Example 1: CS Web Server
Let's say that you want to secure all the files on your CS homepage
from access via the filesystem. You can do this as follows:
% chmod 750 ~/.hyplan
% chgrp_www ~/.hyplan
Once this is done, you can create the appropriate .htaccess files
within that directory to limit access via the web server.
Example 2: CS CGI Server
Let's say that you want to prevent access via the filesystem to all the
cgi or php files in your /l/cgi directory. You can do this with:
% chmod 750 /l/cgi/username/cgi-pub
% chgrp_cgi /l/cgi/username/cgi-pub
Once this is done, you can control access via the web using
.htaccess files within your /l/cgi/username/cgi-pub
directory.
In both examples, the files you create within these directories
will still need to be readable by the web or cgi servers. However,
since the containing directories are not world-readable, you can
safely make the files/directories within these directories world
readable.
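To confirm that a directory ended up the way the two examples intend, a
check like the following can be run after chmod and chgrp_www or chgrp_cgi.
It is an added example, not one of the CS-provided scripts; the function
name check_private_dir is made up for illustration, and it assumes the
usual "ls -ld" column layout (permissions first, group fourth).

```shell
#!/bin/sh
# Added example (hypothetical helper, not a CS-provided script).
# Usage: check_private_dir DIR GROUP
#   e.g. check_private_dir ~/.hyplan wwwd
#        check_private_dir /l/cgi/username/cgi-pub cgid
# Returns 0 when DIR belongs to GROUP, the group has r-x, and "other"
# has no access. Otherwise prints each problem found and returns 1.
check_private_dir() {
    dir=$1
    want_group=$2
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }

    # ls -ld prints e.g. "drwxr-x--- 2 owner group ..."
    perms=$(ls -ld -- "$dir" | awk '{print $1}')
    group=$(ls -ld -- "$dir" | awk '{print $4}')
    grp_bits=$(printf '%s' "$perms" | cut -c5-7)
    oth_bits=$(printf '%s' "$perms" | cut -c8-10)
    rc=0

    # The server reaches the files only through this group.
    [ "$group" = "$want_group" ] || {
        echo "$dir: group is $group, expected $want_group"; rc=1; }

    # The server needs read and search; r-s is r-x plus setgid.
    case $grp_bits in
        r-x|r-s) ;;
        *) echo "$dir: group bits are '$grp_bits', server needs r-x"; rc=1 ;;
    esac

    # Any "other" access defeats the point: world-readable files inside
    # are protected only because local users cannot enter the directory.
    # --T is the sticky bit with no access granted.
    case $oth_bits in
        ---|--T) ;;
        *) echo "$dir: other bits are '$oth_bits', local users can get in"; rc=1 ;;
    esac

    return $rc
}
```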
If you are confused by Unix file permissions in general, please see the
Unix File Permissions Help Page.