nsperm - NaviServer Permissions and Access Control Guide
NaviServer allows you to define users and groups of users, and assign permission records to individual pages or entire page hierarchies. NaviServer users are distinct from operating system users. A permission record lets you allow or disallow lists of users, lists of groups, and lists of hosts for a method and URL combination.
NaviServer requires one special user, nsadmin. This user is always allowed access to any URL on a NaviServer. The nsadmin user is similar to the Unix root user.
NaviServer is configured by default with the nsadmin user, a system group, a public group, and a users group.
You can change the permissions given to the system, public, and users groups and assign users to them by following the procedures described in this chapter.
NaviServer users are identified by short usernames. These usernames can be any name you choose; they are completely independent of the Unix login accounts. New users can be assigned subdirectories of the NaviServer pages directory where they can store content.
To define NaviServer users, you need to create entries for them in the passwd file, which resides in the /modules/nsperm directory. The default passwd file contains:
"":::::: nsadmin:CUdnvgBYocLSI::::: nobody::::::
The format is the same as the format for the /etc/passwd file. NaviServer ignores all but the first two fields, which are the username and the encrypted password. The password itself is encrypted the same way as Unix passwords.
The "" user is the unauthenticated user and is treated the same as any other user.
To define NaviServer groups, you need to create entries for them in the group file, which resides in the /modules/nsperm directory. The default group file contains:
system:::nsadmin users:::nsadmin,nobody all:::nsadmin,nobody,"" public:::""
The format is the same as the format for the /etc/group file. NaviServer ignores all but the first and last fields, which are the name of the group and a comma-separated list of users in the group.
The default group file, shown above, creates groups called system, users, all, and public, with the listed users in each.
Permission records indicate the allowed access for a particular URL and method (GET, and PUT). GET access to a URL allows the user to display the page, or submit information in a form. PUT access allows the user to write to the page or delete the page.
Once you have defined authorized NaviServer users and groups, you can maintain NaviServer permission records. Normally, only nsadmin and users in the system group can set permission records directly.
To simplify the permission structure and reduce the number of permission records you need to maintain, you can specify that a permission record is inherited by more specific URLs. For example, a permission record for /a/b would be inherited by /a/b/c.htm if there is no specific permission record for /a/b/c.htm.
To define NaviServer permissions for users and groups, you need to create permission entries for them in the perms file, which resides in the /modules/nsperm directory. The default perms file does not contain any permission entries, but it contains the following comments, which explain how to add entries to the file:
# This is the NaviServer perms file which defines which users # and groups may or may not visit certain URLs. # # The format is: # ACTION INHERITANCE METHOD URL ENTITY # # ACTION can be: denygroup, allowgroup, denyuser, or allowuser # INHERITANCE can be: inherit or noinherit # METHOD can be: PUT, GET, POST, or any other supported method. # URL is the path relative to pageroot, e.g., /index.html or # /images # ENTITY is either the name of a user or group, as specified in # the passwd and group files. # # Example: # denyuser inherit GET /NS "" # allowuser inherit GET /NS nsadmin
You can specifically allow hosts to log in as certain users. The hosts.allow file, which resides in the /modules/nsperm directory, allows you to specify which hosts may log in as certain users. The default hosts.allow file contains:
# # This is the NaviServer hosts.allow file. It allows you to specify # which hosts may log in as certain users. If you have an entry # in this file for a given user, you may not have an entry in # hosts.deny for that same user. # # nsadmin: 10.0.0.0/8, ::1/64, .internal.mycompany.com, home.me.com
The format for entries in the file is:
username: host, host, host ...
where username is a user defined in the passwd file and host can be specified in either of these forms:
ipaddress/netmask
For example, a host specified as 10.0.0.0/8 (which is the same as 10.0.0.0/255.0.0.0) matches any IP address that begins with 10.
a fully-qualified hostname
For example, foo.bar.com.
part of a hostname
For example, .bar.com, which would match anything ending in .bar.com.
Any user in this file must be coming from one of the listed addresses to gain access.
You can specifically deny hosts from logging in as certain users. The hosts.deny file, which resides in the /modules/nsperm directory, allows you to specify which hosts cannot log in as certain users. The default hosts.deny file contains:
# # This is the NaviServer hosts.deny file. It allows you to specify # which hosts may not log in as certain users. If you have an # entry in this file for a given user, you may not have an entry # in hosts.allow for that same user. # # Example: # # nsadmin: hacker.badguy.com, .aol.com, 10.2.114.0/24 #
The format for entries in the file is:
username: host, host, host ...
where username is a user defined in the passwd file and host can be specified in either of these forms:
ipaddress/netmask
For example, a host specified as 10.0.0.0/8 matches any IP address that begins with 10.
a fully-qualified hostname
For example, foo.bar.com.
part of a hostname
For example, .bar.com, which would match anything ending in .bar.com.
This mode is similar to Apache but more simpler and limited in functionality. It supports only allowing and denying access to a particular directory.
To enable this
ns_section ns/server/$server/module/nsperm { ns_param htaccess true ns_param passwdfile /usr/local/ns/modules/nsperm/passwd }
passwdfile can point to any file, by default it set to default nsperm module password file. Now, in the directory where access is wanted, create .htaccess file and add lines like these:
allow vlad john deny steve