view cgi-bin/README @ 5:0a7a5940ee3a

Change description per license
author Peter Gervai <grin@grin.hu>
date Tue, 10 Mar 2009 15:03:24 +0100
parents c7f6b056b673
children
line wrap: on
line source

Sample CGI scripts for managing per-user dccm, dccifd, and dccproc whitelists
and logs.
    Each user with a white list directory can
	- browse logged messages
	- point-and-click to add checksums from logged messages to an
	    individual white list
	- choose to receive a daily notice about messages since the user's
	    log was last checked, but no more than one notice per week
	    when the log is not checked.

...............................................................................

    newwebuser		see misc/README
			It is installed in the DCC libexec directory
			instead of the cgi-bin directory so that the HTTP
			server need not be tempted by distant users to
			execute it.

    webuser-notify	send a mail message notifying a user of new DCC log
			files.  This file must be edited, copied to the DCC
			libexec directory, and made executable so that the
			DCC cron script can use it.

    common		utility functions

    header		common HTML used near top of the web pages
    footer		common HTML used near bottom of the web pages
			The scripts look first for a copy of the file
			in the per-user directory and then in the cgi-bin
			directory.

    list-log		list a user's log files

    list-msg		list a single message among the log files

    edit-whiteclnt	edit a user's white list file

    chgpasswd		change a user's password.
			BEWARE that this script users `htpasswd -b` which
			momentarily exposes passwords to other users on the
			system using the `ps` command.  On systems with user
			shell accounts, this script should be turned off or
			replaced with something like the HTTPD::UserAdmin
			Perl module.  To get it to work at all, you may need
			to adjust $PATH to reach htpasswd.

    http2https		CGI script to redirect HTTP accesses to HTTPS.

...............................................................................


These scripts are intended to be portable and usable instead of fast or fancy.
Large organizations should consider perl_mod, templates, and so forth.

Instead of modifying them in place, copying them to a directory other
    than /var/dcc/cgi-bin will avoid difficulties when installing new
    versions of the DCC.

They are intended to be used with dccm and dccifd, but can be used with dccproc
    if dccproc is told to follow the per-user logging and whitelist
    conventions used by dccm or dccifd with
	dccproc -E -l /var/dcc/userdirs/local/$USER/log \
		-w /var/dcc/userdirs/local/$USER/whiteclnt
    It might be good to use the "include" facility to add a global
    whiteclnt file to those per-user files.  The /var/dcc/libexec/newwebuser
    script starts per-user whiteclnt files from a prototype file and creates
    a log directory.
    It is not necessary to include the global whiteclnt file in each per-user
    file with dccm or dccifd.  The global whiteclnt file is consulted if a
    per-user's file fails to yield a black or white answer.

    These scripts base their decisions about which additional or
    "subsititute" headers to show on the -S parameters in DCCM_ARGS in
    /var/dcc/dcc_conf.  If you are not use dccm or dccifd but are using dccproc,
    you must still set DCCM_ARGS for any local substitute SMTP headers.
    Less likely to be useful SMTP headers such as non-null Message-IDs are
    not supported to avoid confusing end-users.

The log directory and whitelist for a local user in .../userdirs/local/name
    are mapped to the htpasswd username "name", while those for remote
    users in such as .../userdirs/esmtp/xxx@example.com are mapped to
    esmtp/name@example.com

These scripts should be installed and protected with an equivalent to the
following in httpd.conf with Apache:
    ScriptAlias /DCC-cgi-bin/ /var/dcc/cgi-bin/
    <Directory /var/dcc/cgi-bin/>
	Order deny,allow
	allow from all
	AuthType Basic
	AuthName "DCC user"
	SetEnv AuthName "DCC user"
	AuthUserFile /var/dcc/userdirs/webusers
	require valid-user
    #
	SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
	SSLRequireSSL
    # install the http2http2 script in your main /cgi-bin/ directory and
    #	    add something like the following line to redirect HTTP to HTTPS
    #   ErrorDocument 403 /cgi-bin/http2https
    </Directory>

Httpd must be able to read and write the per-user files and directories,
usually by sharing a GID with the DCC user and having the directories
writable-by-group.  By default, the newwebuser script uses the group www.


This scripts can be used with the main client DCC log directory and whitelist by

    1. let httpd read the main DCC log files.
	Make the /var/dcc/log directory readable and searchable by 'group'
	    but neither searchable nor readable by 'other'.
	Give the log directory the group used by httpd.
	On SVR4 and Solaris systems, also make the directory set-GID

    2. use `/var/dcc/libexec/newwebuser %postmaster`
	to recreate a per-user directory for a local username that is
	invalid and will not be hit by spammer dictionary attacks

    3. replace the resulting userdirs/local/%postmaster/log directory with a
	symbolic link to the main log directory:
	    rmdir /var/dcc/userdirs/local/%postmaster/log
	    ln -s ../../../log /var/dcc/userdirs/local/%postmaster/log

    4. replace the resulting userdirs/%postmaster/whiteclnt file with a
	symbolic link to the DCC client white list:
	    rm /var/dcc/userdirs/local/%postmaster/whiteclnt
	    ln -f -s ../../../whiteclnt /var/dcc/userdirs/local/%postmaster

	ensure that the /var/dcc/whiteclnt file can be read and written
	    by the httpd group.  If you don't trust your httpd daemon,
	    it might be best to forget this idea.

    5. follow the hints above for installing the sample CGI scripts.


	Rhyolite Software DCC 1.3.103-1.12 $Revision$