Waldorf Security HOWTO

Overview

There are two types of security that you have to worry about.
  1. Web Security
  2. Waldorf Security

Web Security

This section will tell you how you can protect your website from unwanted access.

There are many ways to protect your website (cookies, javascript, etc.) but the easiest is to let the web server do it for you. This is not extremely secure but it is much better then nothing and much easier to implement than the other options.  The webserver will allow you to establish a typical username/password authentication scheme for your website.  Then when someone tries to view your web pages, the web server will present them with an authentication dialog like this:

web authenticate dialog screenshot

There are two files you need to create in order to establish this security: .htpasswd and .htaccess.

Creating the .htpasswd file

The easiest way to create .htpasswd file is with the htpasswd command. Unfortunately htpasswd is not in the path on waldorf so you are going to have to type the entire path by hand.
  1. Login to your waldorf account and change to your www directory.
  2. Enter the command: /usr/apache/bin/htpasswd -c .htpasswd cpe206student
    The value cpe206student becomes the username you want the user to provide in the dialog above.
  3. The system will respond with a prompt for "New Password" to which you reply with the password you want the user to provide in the dialog shown above.   Usually the instructor will supply you with a desired password.
  4. You will need to enter the password a second time for confirmation.
  5. You can type cat .htpasswd to verify the password file was properly created.
  6. Set the file permissions for the .htpasswd file to read-only for group and others:
    chmod og+r .htpasswd
  7. This is the password file that will govern access to your webpage.  For the purposes of this class is shouldn't be necessary to create more than one username, but if you do, consult the apache man page for the htpasswd command.
To add Dr. Dalbey to the .htpasswd file:
  1. Edit the .htpassword
  2. Copy jd:FG//bg762tOC.
  3. paste then into the password file on the next line

Create the .htaccess file

Use a text editor to create a file called .htaccess in your www directory with the following info in it:
AuthUserFile <path to .httpasswd>
AuthGroupFile /dev/null
AuthName TeamXwebsite
AuthType Basic

Require valid-user
  1. The AuthUserFile line tells the web server where the password file is located. Replace <path to .httpasswd> with the full path name of the location where you created the .htpasswd file, for example: 
    /users/cscstd/qrst/team-jdX/www/.htpasswd
  2. Enter the second line, AuthGroupFile, just as shown.
  3. The AuthName line contains the value to be displayed in the prompt in the dialog shown above. (No embedded blanks allowed.)
  4. Enter the fourth line and fifth lines exactly as shown.
  5. Set the file permissions for the .htaccess file to read-only for group and others:
    chmod og+r .htaccess

To learn about all the features of  the .htaccess file refer to this Guide to .htaccess.

Waldorf Security

In the previous section you established security for people using web browsers to view your documents.  The next level of security is to protect your documents from other waldorf account users. For unprotected websites, the unix file permissions can be world readable since you want anybody to be able to read your pages. However, now you want your data to only be accessible by the web server.

To check your web directory:
ls -ld ~/www
If the permissions on the directory are "drwxr-xr-x" or "drwx--x--x"
other waldorf  users are able to read your files.

You want to allow the web server but not other users access to your files, and normal unix file permissions aren't restrictive enough.  So we will use another authorization scheme called Access Control Lists (ACL).

Using setfacl


First we will restrict access on the ~/www directory to the user (that's you) only.
chmod 700 ~/www
The setfacl command allows you to establish a list of specific users for whom you want to grant file permissions. Using an access control list you can make a special exception to allow the web server (who runs as user "nobody") to read files, but no one else. This is necessary for the web server to display your files. 

   setfacl -m user:nobody:r-x ~/www
   setfacl -m mask:r-x ~/www
Now the only users allowed to read files in your ~/www directory are yourself and the web server. Verify what has been done with the 'getfacl':
getfacl ~/www
# file: /home/cscstd/qrst/team-jdX/www
# owner: team-jdX
# group: cscstd
user::rwx
user:nobody:r-x #effective:r-x
group::--- #effective:---
mask:r-x
other:---

Now, since only the webserver and the user have passthrough access, you can set the permissions on all the files under that directory as freely as you want, and only the webserver and you can access the files.

Securing CVS

Access Control Lists are also useful to limit access to your team CVS repository to your group members only.

For your cvsroot directory (if your cvs root directory is called something else, substitute that directory for cvsroot).
   chmod 0700 cvsroot
   setfacl -m mask:rwx cvsroot
   setfacl -m user:jdalbey:rwx cvsroot
   setfacl -m user:username1:rwx cvsroot
   setfacl -m user:username2:rwx cvsroot
And so on.



What to do if things no worky

  1. Make sure you can ls the directory (www or cvsroot) from a user account.
  2. If not, set the permissions of your home directory (either set them for world or use setfacl to set permissions for the web server).
  3. Read the man pages.


Home