notdcc: cgi-bin/README annotate

annotate cgi-bin/README @ 2:f6716cb00029

Replace buggy stuff in deb dir, never make phone calls while working

author	Peter Gervai <grin@grin.hu>
date	Tue, 10 Mar 2009 14:29:12 +0100
parents	c7f6b056b673
children

rev	line source
0 c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	1 Sample CGI scripts for managing per-user dccm, dccifd, and dccproc whitelists
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	2 and logs.
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	3 Each user with a white list directory can
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	4 - browse logged messages
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	5 - point-and-click to add checksums from logged messages to an
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	6 individual white list
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	7 - choose to receive a daily notice about messages since the user's
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	8 log was last checked, but no more than one notice per week
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	9 when the log is not checked.
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	10
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	11 ...............................................................................
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	12
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	13 newwebuser see misc/README
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	14 It is installed in the DCC libexec directory
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	15 instead of the cgi-bin directory so that the HTTP
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	16 server need not be tempted by distant users to
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	17 execute it.
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	18
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	19 webuser-notify send a mail message notifying a user of new DCC log
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	20 files. This file must be edited, copied to the DCC
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	21 libexec directory, and made executable so that the
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	22 DCC cron script can use it.
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	23
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	24 common utility functions
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	25
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	26 header common HTML used near top of the web pages
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	27 footer common HTML used near bottom of the web pages
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	28 The scripts look first for a copy of the file
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	29 in the per-user directory and then in the cgi-bin
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	30 directory.
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	31
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	32 list-log list a user's log files
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	33
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	34 list-msg list a single message among the log files
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	35
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	36 edit-whiteclnt edit a user's white list file
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	37
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	38 chgpasswd change a user's password.
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	39 BEWARE that this script users `htpasswd -b` which
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	40 momentarily exposes passwords to other users on the
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	41 system using the `ps` command. On systems with user
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	42 shell accounts, this script should be turned off or
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	43 replaced with something like the HTTPD::UserAdmin
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	44 Perl module. To get it to work at all, you may need
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	45 to adjust $PATH to reach htpasswd.
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	46
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	47 http2https CGI script to redirect HTTP accesses to HTTPS.
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	48
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	49 ...............................................................................
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	50
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	51
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	52 These scripts are intended to be portable and usable instead of fast or fancy.
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	53 Large organizations should consider perl_mod, templates, and so forth.
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	54
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	55 Instead of modifying them in place, copying them to a directory other
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	56 than /var/dcc/cgi-bin will avoid difficulties when installing new
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	57 versions of the DCC.
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	58
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	59 They are intended to be used with dccm and dccifd, but can be used with dccproc
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	60 if dccproc is told to follow the per-user logging and whitelist
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	61 conventions used by dccm or dccifd with
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	62 dccproc -E -l /var/dcc/userdirs/local/$USER/log \
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	63 -w /var/dcc/userdirs/local/$USER/whiteclnt
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	64 It might be good to use the "include" facility to add a global
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	65 whiteclnt file to those per-user files. The /var/dcc/libexec/newwebuser
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	66 script starts per-user whiteclnt files from a prototype file and creates
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	67 a log directory.
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	68 It is not necessary to include the global whiteclnt file in each per-user
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	69 file with dccm or dccifd. The global whiteclnt file is consulted if a
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	70 per-user's file fails to yield a black or white answer.
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	71
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	72 These scripts base their decisions about which additional or
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	73 "subsititute" headers to show on the -S parameters in DCCM_ARGS in
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	74 /var/dcc/dcc_conf. If you are not use dccm or dccifd but are using dccproc,
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	75 you must still set DCCM_ARGS for any local substitute SMTP headers.
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	76 Less likely to be useful SMTP headers such as non-null Message-IDs are
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	77 not supported to avoid confusing end-users.
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	78
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	79 The log directory and whitelist for a local user in .../userdirs/local/name
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	80 are mapped to the htpasswd username "name", while those for remote
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	81 users in such as .../userdirs/esmtp/xxx@example.com are mapped to
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	82 esmtp/name@example.com
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	83
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	84 These scripts should be installed and protected with an equivalent to the
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	85 following in httpd.conf with Apache:
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	86 ScriptAlias /DCC-cgi-bin/ /var/dcc/cgi-bin/
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	87 <Directory /var/dcc/cgi-bin/>
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	88 Order deny,allow
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	89 allow from all
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	90 AuthType Basic
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	91 AuthName "DCC user"
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	92 SetEnv AuthName "DCC user"
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	93 AuthUserFile /var/dcc/userdirs/webusers
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	94 require valid-user
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	95 #
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	96 SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	97 SSLRequireSSL
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	98 # install the http2http2 script in your main /cgi-bin/ directory and
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	99 # add something like the following line to redirect HTTP to HTTPS
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	100 # ErrorDocument 403 /cgi-bin/http2https
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	101 </Directory>
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	102
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	103 Httpd must be able to read and write the per-user files and directories,
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	104 usually by sharing a GID with the DCC user and having the directories
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	105 writable-by-group. By default, the newwebuser script uses the group www.
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	106
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	107
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	108 This scripts can be used with the main client DCC log directory and whitelist by
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	109
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	110 1. let httpd read the main DCC log files.
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	111 Make the /var/dcc/log directory readable and searchable by 'group'
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	112 but neither searchable nor readable by 'other'.
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	113 Give the log directory the group used by httpd.
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	114 On SVR4 and Solaris systems, also make the directory set-GID
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	115
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	116 2. use `/var/dcc/libexec/newwebuser %postmaster`
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	117 to recreate a per-user directory for a local username that is
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	118 invalid and will not be hit by spammer dictionary attacks
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	119
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	120 3. replace the resulting userdirs/local/%postmaster/log directory with a
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	121 symbolic link to the main log directory:
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	122 rmdir /var/dcc/userdirs/local/%postmaster/log
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	123 ln -s ../../../log /var/dcc/userdirs/local/%postmaster/log
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	124
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	125 4. replace the resulting userdirs/%postmaster/whiteclnt file with a
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	126 symbolic link to the DCC client white list:
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	127 rm /var/dcc/userdirs/local/%postmaster/whiteclnt
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	128 ln -f -s ../../../whiteclnt /var/dcc/userdirs/local/%postmaster
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	129
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	130 ensure that the /var/dcc/whiteclnt file can be read and written
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	131 by the httpd group. If you don't trust your httpd daemon,
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	132 it might be best to forget this idea.
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	133
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	134 5. follow the hints above for installing the sample CGI scripts.
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	135
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	136
c7f6b056b673 First import of vendor version Peter Gervai <grin@grin.hu> parents: diff changeset	137 Rhyolite Software DCC 1.3.103-1.12 $Revision$

Mercurial > notdcc

annotate cgi-bin/README @ 2:f6716cb00029