NaviServer - programmable web server
4.99  5.0

[ Main Table Of Contents | Table Of Contents | Keyword Index ]

nsperm(n) 5.0.0a nsperm ""

Name

nsperm - NaviServer Permissions and Access Control Guide

Table Of Contents

Description

Access Control

NaviServer allows you to define users and groups of users, and assign permission records to individual pages or entire page hierarchies. NaviServer users are distinct from operating system users. A permission record lets you allow or disallow lists of users, lists of groups, and lists of hosts for a method and URL combination.

NaviServer requires one special user, nsadmin. This user is always allowed access to any URL on a NaviServer. The nsadmin user is similar to the Unix root user.

NaviServer is configured by default with the nsadmin user, a system group, a public group, and a users group.

You can change the permissions given to the system, public, and users groups and assign users to them by following the procedures described in this chapter.

Users and Groups

NaviServer users are identified by short usernames. These usernames can be any name you choose; they are completely independent of the Unix login accounts. New users can be assigned subdirectories of the NaviServer pages directory where they can store content.

Defining Users

To define NaviServer users, you need to create entries for them in the passwd file, which resides in the /modules/nsperm directory. The default passwd file contains:

 ""::::::
 nsadmin:CUdnvgBYocLSI:::::
 nobody::::::

The format is the same as the format for the /etc/passwd file. NaviServer ignores all but the first two fields, which are the username and the encrypted password. The password itself is encrypted the same way as Unix passwords.

The "" user is the unauthenticated user and is treated the same as any other user.

Defining Groups

To define NaviServer groups, you need to create entries for them in the group file, which resides in the /modules/nsperm directory. The default group file contains:

 system:::nsadmin
 users:::nsadmin,nobody
 all:::nsadmin,nobody,""
 public:::""

The format is the same as the format for the /etc/group file. NaviServer ignores all but the first and last fields, which are the name of the group and a comma-separated list of users in the group.

The default group file, shown above, creates groups called system, users, all, and public, with the listed users in each.

Permissions

Permission records indicate the allowed access for a particular URL and method (GET, and PUT). GET access to a URL allows the user to display the page, or submit information in a form. PUT access allows the user to write to the page or delete the page.

Once you have defined authorized NaviServer users and groups, you can maintain NaviServer permission records. Normally, only nsadmin and users in the system group can set permission records directly.

Permissions Inheritance

To simplify the permission structure and reduce the number of permission records you need to maintain, you can specify that a permission record is inherited by more specific URLs. For example, a permission record for /a/b would be inherited by /a/b/c.htm if there is no specific permission record for /a/b/c.htm.

Setting Permissions for Users and Groups

To define NaviServer permissions for users and groups, you need to create permission entries for them in the perms file, which resides in the /modules/nsperm directory. The default perms file does not contain any permission entries, but it contains the following comments, which explain how to add entries to the file:

 # This is the NaviServer perms file which defines which users
 # and groups may or may not visit certain URLs.
 #
 # The format is:
 # ACTION  INHERITANCE  METHOD  URL  ENTITY
 #
 # ACTION can be: denygroup, allowgroup, denyuser, or allowuser
 # INHERITANCE can be: inherit or noinherit
 # METHOD can be: PUT, GET, POST, or any other supported method.
 # URL is the path relative to pageroot, e.g., /index.html or
 # /images
 # ENTITY is either the name of a user or group, as specified in
 # the passwd and group files.
 #
 # Example:
 # denyuser  inherit GET /NS ""
 # allowuser inherit GET /NS nsadmin

Allowing Hosts

You can specifically allow hosts to log in as certain users. The hosts.allow file, which resides in the /modules/nsperm directory, allows you to specify which hosts may log in as certain users. The default hosts.allow file contains:

 #
 # This is the NaviServer hosts.allow file. It allows you to specify
 # which hosts may log in as certain users. If you have an entry
 # in this file for a given user, you may not have an entry in
 # hosts.deny for that same user.
 #
 #
 nsadmin: 10.0.0.0/8, ::1/64, .internal.mycompany.com, home.me.com

The format for entries in the file is:

 username: host, host, host ...

where username is a user defined in the passwd file and host can be specified in either of these forms:

Any user in this file must be coming from one of the listed addresses to gain access.

Denying Hosts

You can specifically deny hosts from logging in as certain users. The hosts.deny file, which resides in the /modules/nsperm directory, allows you to specify which hosts cannot log in as certain users. The default hosts.deny file contains:

 #
 # This is the NaviServer hosts.deny file. It allows you to specify
 # which hosts may not log in as certain users. If you have an
 # entry in this file for a given user, you may not have an entry
 # in hosts.allow for that same user.
 #
 # Example:
 #
 # nsadmin: hacker.badguy.com, .aol.com, 10.2.114.0/24
 #

The format for entries in the file is:

 username: host, host, host ...

where username is a user defined in the passwd file and host can be specified in either of these forms:

.htaccess Mode

This mode is similar to Apache but more simpler and limited in functionality. It supports only allowing and denying access to a particular directory.

To enable this

 ns_section ns/server/$server/module/nsperm {
   ns_param   htaccess   true
   ns_param   passwdfile /usr/local/ns/modules/nsperm/passwd
 }

passwdfile can point to any file, by default it set to default nsperm module password file. Now, in the directory where access is wanted, create .htaccess file and add lines like these:

 allow vlad john
 deny steve

See Also

ns_perm, ns_permpasswd, ns_permreload

Keywords

module, nsperm