ns_perm - Add users, groups, and permissions
ns_perm implements a command set for simple password and group management for NaviServer.
Adds a new user to the in-memory users database. When a passwd file is given, this command is used to load the users from this file. The user is identified by the specified name, and the provided encrypted password encpass and additional user information (userfield) are stored in the database.
If the -allow option is used along with one or more hostnames, the user is granted access only on the specified hosts.
If the -deny option is used along with hostnames, access for the user is explicitly denied on those hosts. Hostnames can be specified as an IP address with netmask (e.g., 128.2.142.0/255.255.255.0), a fully qualified domain name (e.g., www.microsoft.com), or as a domain pattern (e.g., .microsoft.com).
-salt By default, the password provided in encpass is assumed to be already encrypted with the ns_crypt command using the salt CU. When -salt is specified, the encpass argument is treated as clear text and is encrypted with the specified salt via ns_crypt.
ns_crypt mypasswd CU
The -clear option indicates that the password should be stored in clear text rather than encrypted.
Removes the user with the given name from the users database.
Creates a new group identified by group and adds the specified user(s) (user and any additional users) to that group.
Deletes the group identified by name from the system.
Allows the specified user(s) to access the combination of the HTTP method and url. If -noinherit is specified, only the exact URL is matched; otherwise, all URLs under the given URL are permitted.
Denies access for the specified user(s) to the given HTTP method and url. With -noinherit, the restriction applies only to the exact URL; without it, all URLs beneath the given URL are denied.
Grants access for the specified group(s) to the HTTP method and url. The -noinherit option behaves as described above.
Denies access for the specified group(s) to the HTTP method and url. When -noinherit is used, only the exact URL is affected; otherwise, the rule applies recursively to subordinate URLs.
Verifies that the given plain-text passwd is correct for the user specified by user. If the password does not match, a Tcl error is thrown.
Updates the password for the user specified by user to the new encrypted password encpass. If a salt is provided, the password is expected to be in clear text and will be encrypted using ns_crypt with the given salt.
Returns a Tcl list of all users in the system. For each user, the list includes three elements: the username, the encrypted password, and the user's permissions.
Returns a Tcl list of all registered groups. Each group is represented by its group name followed by a list of its members.
Returns a Tcl list of all allow/deny rules registered for each URL.
Reloads all nsperm files. Note that on very busy sites this operation may cause temporary authentication failures, as the in-memory permissions are cleared before the files are reloaded from disk.
Updates the password for an existing user both in the running server’s memory and in the persistent passwd file on disk. The user parameter specifies the username whose password is to be updated. The oldpasswd parameter must be provided in plain text and represents either the user's current password or the nsadmin password. The newpasswd parameter is the new password, also supplied in plain text.
The following configuration options are available to control the permission module:
This parameter, if set to true, enables .htaccess mode, which is similar to what the Apache web server offers but very simple and limited in functionality.
On every request the server looks for a .htaccess file in the current request directory and loads it if it has been modified since the last read. The structure of the file is simple:
allow user ...
deny user ...
In .htaccess mode, this parameter determines which file with users and passwords is checked for modification and reloaded automatically. If .htaccess mode is not active, the parameter is ignored.
ns_section ns/server/$server/module/nsperm {
    ns_param htaccess   true
    ns_param passwdfile /usr/local/ns/modules/nsperm/passwd
}
ns_perm adduser test [ns_crypt testpass ""] TestUser
ns_perm adduser -salt CU test2 test TestUser2
ns_perm allowuser GET /Documents test test2
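A fuller setup that combines the commands described above, as an added example that is not part of the NaviServer documentation. The user names, passwords, group name, URLs and the helper proc password_ok are constructed for illustration; the subcommand names addgroup, allowgroup, denyuser, checkpass, listgroups and listperms are the nsperm subcommands corresponding to the descriptions on this page.

```tcl
# Added example: runs inside a NaviServer instance with the nsperm module loaded.
# All user names, passwords, the group name and the URLs are constructed.

# Create users from clear-text input; with -salt, ns_perm encrypts the
# password via ns_crypt instead of storing the argument as given.
ns_perm adduser -salt CU alice "correct-horse"  "Alice Admin"
ns_perm adduser -salt CU bob   "battery-staple" "Bob Operator"

# Restrict a user to one network: -allow plus a host in ip/netmask form.
ns_perm adduser -allow -salt CU carol "s3cret-pw" "Carol Intranet" \
    10.1.2.0/255.255.255.0

# Group the administrators and open the admin tree to the group.
# Without -noinherit the rule covers /admin and every URL beneath it.
ns_perm addgroup admins alice bob
ns_perm allowgroup GET  /admin admins
ns_perm allowgroup POST /admin admins

# Exact-URL rule: with -noinherit only /admin/shutdown itself is affected.
ns_perm denyuser -noinherit POST /admin/shutdown bob

# checkpass throws a Tcl error on mismatch, so wrap it in catch and
# log the failure without ever writing the password to the log.
proc password_ok {user passwd} {
    if {[catch {ns_perm checkpass $user $passwd} err]} {
        ns_log warning "nsperm: password check failed for $user: $err"
        return 0
    }
    return 1
}

password_ok alice "correct-horse"   ;# input: the password set above
password_ok alice "wrong"           ;# input: a different password

# Review what is registered in memory after the changes.
ns_log notice "groups: [ns_perm listgroups]"
ns_log notice "rules:  [ns_perm listperms]"
```

These changes live only in the in-memory database; users that must survive a restart or a reload of the nsperm files belong in the passwd file.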