Re: tlug: .www_acl

["Stephen J. Turnbull" <turnbull@example.com>]

--------------------------------------------------------
tlug note from "Stephen J. Turnbull" <turnbull@example.com>
--------------------------------------------------------
>>>>> "Hua" == Yong-Ming Hua <yhua@example.com> writes:

    Hua>      I tried to set some access control to my WWW server.  I
    Hua> am using CERN Server. I read through the manual the w3c.org

I haven't heard of anyone using CERN, so even though I don't either, I 
take a hack at some answers.

    Hua> provided. But the manual doesn't tell us the most important
    Hua> thing; where to put passwordfile of the next line.

    Hua>        htadm -adduser <passwordfile> <username> <passwd>
    Hua> <realname>

(1) The server needs to know about it.  So there must be a place in
    the configuration file for the server to name the password file.
    In NCSA-derived systems this would probably be
    $server_root/conf/httpd.conf.  I don't know about CERN.

(2) Evidently you can put it whereever you like.  It should not be in
    any place where random users can list the directory, let alone
    read the files.  Probably it should require pretty high privilege
    to read, like root or the httpd user if there is one.  /etc/passwd 
    is a very bad idea.  :-)

    Hua> And also the manual is rather mixed up with bits and pieces
    Hua> of information without any clear logic. It seems it takes me
    Hua> ages to interpret the manual. Could anyone tell me how to

Bad sign.  Apache HTTPd also has per-user authorization, but I don't
know if the docs are any better.  It's worth a look.  If you don't
understand the docs for a security feature, then you don't understand
your security.  Not good.

    Hua> lock some www homepages to someone, some group, or some IP's.
    Hua> Also it is not clear how to use this password authentifica-
    Hua> tion system with .www_acl file. Are they different systems?

If the docs don't make this clear, they're probably different
systems.  .www_acl is probably like .htaccess under NCSA.  Try reading 
the NCSA docs.  They're quite good, and they'll help with the
understanding of concepts although not implementation.

    Hua> It seems locking www homepage hasn't to do with firewall
    Hua> business at all. Is that so? If someone help me, showing me

True.  Firewalls, in the common meaning, are network-level solutions,
which make restrictions based on the endpoints of a connection and the 
service (port) used.  The home page locking is evidently an
authentication-based scheme.

    Hua> how to do this step by step, I am jolly glad.  Incidentally,
    Hua> the present circumstance is that I am using two Linux
    Hua> servers. B is mounted on A where httpd is running.  I put all
    Hua> httpd_docs files in B. In that case I should use htadm in A
    Hua> machine I presume(I am not running httpd in B).  Thanks in
    Hua> advance.

You use htadm whereever the server's password file is accessible.
Presumably A is easiest.

Hope this helps.

-- 
                            Stephen J. Turnbull
Institute of Policy and Planning Sciences                    Yaseppochi-Gumi
University of Tsukuba                      http://turnbull.sk.tsukuba.ac.jp/
Tel: +81 (298) 53-5091;  Fax: 55-3849              turnbull@example.com
-----------------------------------------------------------------
a word from the sponsor will appear below
-----------------------------------------------------------------
The TLUG mailing list is proudly sponsored by TWICS - Japan's First
Public-Access Internet System.  Now offering 20,000 yen/year flat
rate Internet access with no time charges.  Full line of corporate
Internet and intranet products are available.   info@example.com
Tel: 03-3351-5977   Fax: 03-3353-6096