How to protect your cgi-bin directory in AFS

From Web Services Wiki

Revision as of 10:11, 2 October 2008 by Mrmarco (Talk | contribs)
(diff) ←Older revision | Current revision (diff) | Newer revision→ (diff)
Jump to: navigation, search

Contents

Problem

You want to lock down your cgi-bin directory in AFS so that only people you specify have access to the files. This is especially important if you have passwords stored in plain text, such as in a script that connects to a database or an external server.

Solution

Set the bare minimum permissions for a script to execute

The following is a list of suggested permissions which grant the web servers, backup servers, and your group, department, or personal CGI principal read and list access. Also, it grants full access to system administrators and your own account or group.

Normal rights:
  system:cgi-servers rl
  system:backup rl
  system:administrators rlidwka
  [your_sunetid_or_pts_group] rlidwka
  [cgi_principal_name].cgi rl

First, remove all unnecessary permissions from your cgi-bin. Using a shell, log in and enter the cgi-bin directory. Use fs la to list the current permissions.

  • Use the command fs sa . [name] none to remove all permissions from a particular entity.
  • Example: fs sa . system:anyuser none

Next, set the appropriate permissions to match the example above.

  • For example, to give your group, department, or personal CGI principal only read and list access, use the command fs sa . [cgi_principal_name].cgi rl

Create a PTS group to give additional users access to the directory

Visit IT Services to learn how to create a PTS group. Creating a group is a convenient way to manage multiple users.

Once a PTS group has been created, add it to the ACL as you would any other entity.

  • To give read and list access to a group that you created, use the command fs sa . [account_name]:[group_name] rl

For more information

Personal tools