nsperm - NaviServer Permissions and Access Control Guide
This document details the configuration of the NaviServer module nsperm. This optional module provides simple authentication and access control capabilities by loading permission data from Unix‐like plain text files into memory, which can then be queried and updated via the ns_perm API.
Note that NaviServer does not include a fixed, hard-wired permission system; instead, it employs a modular design. For example, NaviServer-based instances of OpenACS utilize a more advanced and scalable permission system based on relational databases, capable of handling millions of users.
NaviServer allows you to define users and groups, and to assign permission records to individual pages or entire page hierarchies. NaviServer users are distinct from operating system users. A permission record specifies whether to allow or deny access for a list of users, groups, or hosts for a given HTTP method and URL combination.
A special user, "nsadmin", is required by NaviServer. This user is always granted access to all URLs on the instance, functioning similarly to the Unix root user.
By default, NaviServer is preconfigured with the "nsadmin" user along with default groups (system, public, and users). You can modify the permissions assigned to these groups and assign users to them by following the procedures described in this chapter.
NaviServer users are identified by short usernames. These usernames can be any name you choose; they are completely independent of the Unix login accounts. New users can be assigned subdirectories of the NaviServer pages directory where they can store content.
NaviServer users are defined by entries in the passwd file, which is located in the /modules/nsperm directory. The default passwd file includes entries similar to the following:
"":::::: nsadmin:ubphBI5lDzSYc::::: nobody::::::
The format follows that of the standard Unix /etc/passwd file; however, NaviServer only utilizes the first two fields—the username and the encrypted password. The password is encrypted in the same manner as Unix passwords.
The entry for the empty username ("") represents the unauthenticated user, which is treated like any other user.
If you need to reset the password for the "nsadmin" user (for example, if you have changed it and later forgotten the new password), you can revert the "nsadmin" entry in the passwd file to the default line shown above.
To define NaviServer groups, you need to create entries for them in the group file, which resides in the /modules/nsperm directory. The default group file contains:
system:::nsadmin users:::nsadmin,nobody all:::nsadmin,nobody,"" public:::""
The format is the same as the format for the common Unix /etc/group file. NaviServer ignores all but the first and last fields, which are the name of the group and a comma-separated list of users in the group.
The default group file, shown above, creates groups called system, users, all, and public, with the listed users in each.
Permission records indicate the allowed access for a particular URL and method (GET, and PUT). GET access to a URL allows the user to display the page, or submit information in a form. PUT access allows the user to write to the page or delete the page.
Once you have defined authorized NaviServer users and groups, you can maintain NaviServer permission records. Normally, only "nsadmin" and users in the system group can set permission records directly.
To simplify the permission structure and reduce the number of permission records you need to maintain, you can specify that a permission record is inherited by more specific URLs. For example, a permission record for /a/b would be inherited by /a/b/c.htm if there is no specific permission record for /a/b/c.htm.
To define NaviServer permissions for users and groups, you need to create permission entries for them in the perms file, which resides in the /modules/nsperm directory. The default perms file does not contain any permission entries, but it contains the following comments, which explain how to add entries to the file:
# This is the NaviServer perms file which defines which users # and groups may or may not visit certain URLs. # # The format is: # ACTION INHERITANCE METHOD URL ENTITY # # ACTION can be: denygroup, allowgroup, denyuser, or allowuser # INHERITANCE can be: inherit or noinherit # METHOD can be: PUT, GET, POST, or any other supported method. # URL is the path relative to pageroot, e.g., /index.html or # /images # ENTITY is either the name of a user or group, as specified in # the passwd and group files. # # Example: # denyuser inherit GET /NS "" # allowuser inherit GET /NS nsadmin
You can specifically allow hosts to log in as certain users. The hosts.allow file, which resides in the /modules/nsperm directory, allows you to specify which hosts may log in as certain users. The default hosts.allow file contains:
# # This is the NaviServer hosts.allow file. It allows you to specify # which hosts may log in as certain users. If you have an entry # in this file for a given user, you may not have an entry in # hosts.deny for that same user. # # nsadmin: 10.0.0.0/8, ::1/64, .internal.mycompany.com, home.me.com
The format for entries in the file is:
username: host, host, host ...
where username is a user defined in the passwd file and host can be specified in either of these forms:
ipaddress/netmask
For example, a host specified as 10.0.0.0/8 (which is the same as 10.0.0.0/255.0.0.0) matches any IP address that begins with 10.
a fully-qualified hostname
For example, foo.bar.com.
part of a hostname
For example, .bar.com, which would match anything ending in .bar.com.
Any user in this file must be coming from one of the listed addresses to gain access.
You can specifically deny hosts from logging in as certain users. The hosts.deny file, which resides in the /modules/nsperm directory, allows you to specify which hosts cannot log in as certain users. The default hosts.deny file contains:
# # This is the NaviServer hosts.deny file. It allows you to specify # which hosts may not log in as certain users. If you have an # entry in this file for a given user, you may not have an entry # in hosts.allow for that same user. # # Example: # # nsadmin: hacker.badguy.com, .aol.com, 10.2.114.0/24 #
The format for entries in the file is:
username: host, host, host ...
where username is a user defined in the passwd file and host can be specified in either of these forms:
ipaddress/netmask
For example, a host specified as 10.0.0.0/8 matches any IP address that begins with 10.
a fully-qualified hostname
For example, foo.bar.com.
part of a hostname
For example, .bar.com, which would match anything ending in .bar.com.
This mode is similar to Apache but more simpler and limited in functionality. It supports only allowing and denying access to a particular directory.
To enable this
ns_section ns/server/$server/module/nsperm {
ns_param htaccess true
ns_param passwdfile /usr/local/ns/modules/nsperm/passwd
}
passwdfile can point to any file, by default it set to default nsperm module password file. Now, in the directory where access is wanted, create .htaccess file and add lines like these:
allow vlad john deny steve