AOLserver Permissions and Access Control Guide

$Header: /cvsroot/aolserver/aolserver.com/docs/admin/nsperm.html,v 1.2 2002/09/26 19:51:32 kriston Exp $

Access Control

AOLserver allows you to define users and groups of users, and assign permission records to individual pages or entire page hierarchies. AOLserver users are distinct from operating system users. A permission record lets you allow or disallow lists of users, lists of groups, and lists of hosts for a method and URL combination.

AOLserver requires one special user, nsadmin. This user is always allowed access to any URL on an AOLserver. The nsadmin user is similar to the Unix root user.

AOLserver is configured by default with the nsadmin user, a system group, a public group, and a users group.

You can change the permissions given to the system, public, and users groups and assign users to them by following the procedures described in this chapter.

Users and Groups

AOLserver users are identified by short user names. These user names can be any name you choose; they are completely independent of the Unix login accounts. New users can be assigned subdirectories of the AOLserver pages directory where they can store content.

Defining Users

To define AOLserver users, you need to create entries for them in the passwd file, which resides in the /modules/nsperm directory. The default passwd file contains:

""::::::
nsadmin:CUdnvgBYocLSI:::::
nobody::::::

The format is the same as the format for the /etc/passwd file. AOLserver ignores all but the first two fields, which are the user name and the encrypted password. The password itself is encrypted the same way as Unix passwords.

The "" user is the unauthenticated user and is treated the same as any other user.

Defining Groups

To define AOLserver groups, you need to create entries for them in the group file, which resides in the /modules/nsperm directory. The default group file contains:

system:::nsadmin
users:::nsadmin,nobody
all:::nsadmin,nobody,""
public:::""

The format is the same as the format for the /etc/group file. AOLserver ignores all but the first and last fields, which are the name of the group and a comma-separated list of users in the group.

The default group file, shown above, creates groups called system, users, all, and public, with the listed users in each.

Permissions

Permission records indicate the allowed access for a particular URL and method (GET, and PUT). GET access to an URL allows the user to display the page, or submit information in a form. PUT access allows the user to write to the page or delete the page.

Once you have defined authorized AOLserver users and groups, you can maintain AOLserver permission records. Normally, only nsadmin and users in the system group can set permission records directly.

Permissions Inheritance

To simplify the permission structure and reduce the number of permission records you need to maintain, you can specify that a permission record is inherited by more specific URLs. For example, a permission record for /a/b would be inherited by /a/b/c.htm if there is no specific permission record for /a/b/c.htm.

Setting Permissions for Users and Groups

To define AOLserver permissions for users and groups, you need to create permission entries for them in the perms file, which resides in the /modules/nsperm directory. The default perms file does not contain any permission entries, but it contains the following comments, which explain how to add entries to the file:

# This is the AOLserver perms file which defines which users
# and groups may or may not visit certain URLs.
#
# The format is:
# ACTION  INHERITANCE  METHOD  URL  ENTITY
#
# ACTION can be: denygroup, allowgroup, denyuser, or allowuser
# INHERITANCE can be: inherit or noinherit
# METHOD can be: PUT, GET, POST, or any other supported method.
# URL is the path relative to pageroot, e.g., /index.html or
# /images
# ENTITY is either the name of a user or group, as specified in
# the passwd and group files.
#
# Example:
# denyuser  inherit GET /NS ""
# allowuser inherit GET /NS nsadmin

Allowing Hosts

You can specifically allow hosts to log in as certain users. The hosts.allow file, which resides in the /modules/nsperm directory, allows you to specify which hosts may log in as certain users. The default hosts.allow file contains:

#
# This is the AOLserver hosts.alow file. It allows you to specify
# which hosts may log in as certain users. If you have an entry
# in this file for a given user, you may not have an entry in
# hosts.deny for that same user.
#
# Example:
#
# nsadmin: 10.0.0.0/255.0.0.0, .internal.mycompany.com, home.me.com
#

The format for entries in the file is:
username: host, host, host ...

where username is a user defined in the passwd file and host can be specified in either of these forms:

* ipaddress/netmask

For example, a host specified as 10.0.0.0/255.0.0.0 matches any IP address that begins with 10.

* a fully-qualified host name

For example, foo.bar.com.

* part of a host name

For example, .bar.com, which would match anything ending in .bar.com.

Any user in this file must be coming from one of the listed addresses to gain access.

Denying Hosts

You can specifically deny hosts from logging in as certain users. The hosts.deny file, which resides in the /modules/nsperm directory, allows you to specify which hosts cannot log in as certain users. The default hosts.deny file contains:

#
# This is the AOLserver hosts.deny file. It allows you to specify
# which hosts may not log in as certain users. If you have an
# entry in this file for a given user, you may not have an entry
# in hosts.allow for that same user.
#
# Example:
#
# nsadmin: hacker.badguy.com, .aol.com, 10.2.114.0/255.255.255.0
#

The format for entries in the file is:

username: host, host, host ...

where username is a user defined in the passwd file and host can be specified in either of these forms:

* ipaddress/netmask

For example, a host specified as 10.0.0.0/255.0.0.0 matches any IP address that begins with 10.

* a fully-qualified host name

For example, foo.bar.com.

* part of a host name

For example, .bar.com, which would match anything ending in .bar.com.