Mercurial > notdcc
comparison cgi-bin/README @ 0:c7f6b056b673
First import of vendor version
author | Peter Gervai <grin@grin.hu> |
---|---|
date | Tue, 10 Mar 2009 13:49:58 +0100 |
parents | |
children |
-1:000000000000 | 0:c7f6b056b673 |
---|---|
1 Sample CGI scripts for managing per-user dccm, dccifd, and dccproc whitelists | |
2 and logs. | |
3 Each user with a white list directory can | |
4 - browse logged messages | |
5 - point-and-click to add checksums from logged messages to an | |
6 individual white list | |
7 - choose to receive a daily notice about messages since the user's | |
8 log was last checked, but no more than one notice per week | |
9 when the log is not checked. | |
10 | |
11 ............................................................................... | |
12 | |
13 newwebuser see misc/README | |
14 It is installed in the DCC libexec directory | |
15 instead of the cgi-bin directory so that the HTTP | |
16 server need not be tempted by distant users to | |
17 execute it. | |
18 | |
19 webuser-notify send a mail message notifying a user of new DCC log | |
20 files. This file must be edited, copied to the DCC | |
21 libexec directory, and made executable so that the | |
22 DCC cron script can use it. | |
23 | |
24 common utility functions | |
25 | |
26 header common HTML used near top of the web pages | |
27 footer common HTML used near bottom of the web pages | |
28 The scripts look first for a copy of the file | |
29 in the per-user directory and then in the cgi-bin | |
30 directory. | |
31 | |
32 list-log list a user's log files | |
33 | |
34 list-msg list a single message among the log files | |
35 | |
36 edit-whiteclnt edit a user's white list file | |
37 | |
38 chgpasswd change a user's password. | |
39 BEWARE that this script users `htpasswd -b` which | |
40 momentarily exposes passwords to other users on the | |
41 system using the `ps` command. On systems with user | |
42 shell accounts, this script should be turned off or | |
43 replaced with something like the HTTPD::UserAdmin | |
44 Perl module. To get it to work at all, you may need | |
45 to adjust $PATH to reach htpasswd. | |
46 | |
47 http2https CGI script to redirect HTTP accesses to HTTPS. | |
48 | |
49 ............................................................................... | |
50 | |
51 | |
52 These scripts are intended to be portable and usable instead of fast or fancy. | |
53 Large organizations should consider perl_mod, templates, and so forth. | |
54 | |
55 Instead of modifying them in place, copying them to a directory other | |
56 than /var/dcc/cgi-bin will avoid difficulties when installing new | |
57 versions of the DCC. | |
58 | |
59 They are intended to be used with dccm and dccifd, but can be used with dccproc | |
60 if dccproc is told to follow the per-user logging and whitelist | |
61 conventions used by dccm or dccifd with | |
62 dccproc -E -l /var/dcc/userdirs/local/$USER/log \ | |
63 -w /var/dcc/userdirs/local/$USER/whiteclnt | |
64 It might be good to use the "include" facility to add a global | |
65 whiteclnt file to those per-user files. The /var/dcc/libexec/newwebuser | |
66 script starts per-user whiteclnt files from a prototype file and creates | |
67 a log directory. | |
68 It is not necessary to include the global whiteclnt file in each per-user | |
69 file with dccm or dccifd. The global whiteclnt file is consulted if a | |
70 per-user's file fails to yield a black or white answer. | |
71 | |
72 These scripts base their decisions about which additional or | |
73 "subsititute" headers to show on the -S parameters in DCCM_ARGS in | |
74 /var/dcc/dcc_conf. If you are not use dccm or dccifd but are using dccproc, | |
75 you must still set DCCM_ARGS for any local substitute SMTP headers. | |
76 Less likely to be useful SMTP headers such as non-null Message-IDs are | |
77 not supported to avoid confusing end-users. | |
78 | |
79 The log directory and whitelist for a local user in .../userdirs/local/name | |
80 are mapped to the htpasswd username "name", while those for remote | |
81 users in such as .../userdirs/esmtp/xxx@example.com are mapped to | |
82 esmtp/name@example.com | |
83 | |
84 These scripts should be installed and protected with an equivalent to the | |
85 following in httpd.conf with Apache: | |
86 ScriptAlias /DCC-cgi-bin/ /var/dcc/cgi-bin/ | |
87 <Directory /var/dcc/cgi-bin/> | |
88 Order deny,allow | |
89 allow from all | |
90 AuthType Basic | |
91 AuthName "DCC user" | |
92 SetEnv AuthName "DCC user" | |
93 AuthUserFile /var/dcc/userdirs/webusers | |
94 require valid-user | |
95 # | |
96 SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP | |
97 SSLRequireSSL | |
98 # install the http2http2 script in your main /cgi-bin/ directory and | |
99 # add something like the following line to redirect HTTP to HTTPS | |
100 # ErrorDocument 403 /cgi-bin/http2https | |
101 </Directory> | |
102 | |
103 Httpd must be able to read and write the per-user files and directories, | |
104 usually by sharing a GID with the DCC user and having the directories | |
105 writable-by-group. By default, the newwebuser script uses the group www. | |
106 | |
107 | |
108 This scripts can be used with the main client DCC log directory and whitelist by | |
109 | |
110 1. let httpd read the main DCC log files. | |
111 Make the /var/dcc/log directory readable and searchable by 'group' | |
112 but neither searchable nor readable by 'other'. | |
113 Give the log directory the group used by httpd. | |
114 On SVR4 and Solaris systems, also make the directory set-GID | |
115 | |
116 2. use `/var/dcc/libexec/newwebuser %postmaster` | |
117 to recreate a per-user directory for a local username that is | |
118 invalid and will not be hit by spammer dictionary attacks | |
119 | |
120 3. replace the resulting userdirs/local/%postmaster/log directory with a | |
121 symbolic link to the main log directory: | |
122 rmdir /var/dcc/userdirs/local/%postmaster/log | |
123 ln -s ../../../log /var/dcc/userdirs/local/%postmaster/log | |
124 | |
125 4. replace the resulting userdirs/%postmaster/whiteclnt file with a | |
126 symbolic link to the DCC client white list: | |
127 rm /var/dcc/userdirs/local/%postmaster/whiteclnt | |
128 ln -f -s ../../../whiteclnt /var/dcc/userdirs/local/%postmaster | |
129 | |
130 ensure that the /var/dcc/whiteclnt file can be read and written | |
131 by the httpd group. If you don't trust your httpd daemon, | |
132 it might be best to forget this idea. | |
133 | |
134 5. follow the hints above for installing the sample CGI scripts. | |
135 | |
136 | |
137 Rhyolite Software DCC 1.3.103-1.12 $Revision$ |
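Review bot: the sample httpd.conf at line 96 recommends `SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP`, which leaves LOW, SSLv2 and export-grade suites enabled (the `+` prefix only moves them to the end of the preference list), and this is the only transport protection for the Basic-auth passwords in /var/dcc/userdirs/webusers. Suggest restricting the example to strong suites, for instance `SSLCipherSuite HIGH:!aNULL:!MD5`, and disabling SSLv2 with an `SSLProtocol` line. In the same block, `Order deny,allow` with `allow from all` makes `require valid-user` the sole access control; a sentence saying so would help. The chgpasswd entry (lines 38-45) already warns that `htpasswd -b` exposes passwords to `ps`, but the script still ships enabled by default; consider stating explicitly how to turn it off. Documentation nits, since this is a vendor import and best fixed upstream: "users" for "uses" at line 39, "subsititute" at line 73, "If you are not use" at line 74, "http2http2" at line 98, "This scripts" at line 108, and step 4 (line 125) names `userdirs/%postmaster/whiteclnt` while its commands operate on `userdirs/local/%postmaster`.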