Very Computer

I followed the Apache Week article "Publishing Pages with PUT", and all
ran fine right out of the box. When I went to add a little security to
this, I lost my PUT. I now get the following error:

        Error Publishing File
        An error occurred publishing this file
        (Cannot write to /users/elf/public_html/COPYRIGHT.html).

The changes I made were all to the access.conf file:

        # make the PUT script available only to group putusers
        <Location /cgi-bin/putscript*>
        AuthType Basic
        AuthName Authorised PUT Publishers
        AuthGroupFile /opt/apache/.putusers
        AuthUserFile /opt/apache/.putpasswords
        require group putusers
        </Location>

        <Directory /users>
        Options Indexes IncludesNoExec FollowSymLinks MultiViews
        AllowOverride FileInfo AuthConfig Limit
        order allow,deny
        allow from all

        # limit PUT
        AuthType Basic
        AuthName Authorised PUT Publishers
        AuthGroupFile /opt/apache/.putusers
        AuthUserFile /opt/apache/.putpasswords
        Script PUT /cgi-bin/putscript
        <Limit PUT>
        require group putusers
        </Limit>
        </Directory>

The /opt/apache/.putusers file contains
        putusers: lawson elf

The /opt/apache/.putpasswords file contains:
        lawson:not_my_real_encrypted_password
        elf:not_my_real_encrypted_password

Both these files are readable by all. The ~elf/public_html directory
is writable by elf only (755 elf:users). I don't think I made the
stupid mistake....

I'm not trying to have the tightest security possible, but I'd like to
have a easily implemented amount. I was guessing on the <Location> stuff.
Was this the way to go? Where did I mess up.

Thanks, I'm just a parent volunteer at my kids school trying to make
web publishing easier for them. I'm new to httpd stuff, but learning quick!

Any help will be greatly appreciated by 300 kids.

--------

Quote:>Both these files are readable by all. The ~elf/public_html directory
>is writable by elf only (755 elf:users). I don't think I made the
>stupid mistake....

You might also want to look at using suEXEC to change who the
CGI program runs as.

Paul
--
Paul Sutton
Apache Week ..... latest Apache news ..... http://www.apacheweek.com/

   ace:~/apache# /opt/apache/start-httpd
   Starting httpd...
   Configuring Apache for use with suexec wrapper.

Now, I think I want to try the ~ID option:

   suEXEC can also be used to to execute CGI programs as the user to
   which the request is being directed.  This is accomplished by using
   the ~ character prefixing the user ID for whom execution is desired.
   The only requirement needed for this feature to work is for CGI
   execution to be enabled for the user and that the script must meet the
   scrutiny of the security checks above.

I assume that in Netscape composer that I use ~elf (rather than the real
login of elf) in the "Publish Files" dialog. I've tried both (elf & ~elf),
 and get the message

       hplabs.hpl.hp.com elf /users/elf/public_html/COPYRIGHT1.html
       status 500 (Cannot write to /users/elf/public_html/COPYRIGHT1.html)

in the /tmp/put1.log

If I open up ~elf/public_html to be writable by all, I can PUT fine.
I don't see any entries in my cgi.log file either. I am seeing some entries
from a cgi script in a user'a area:

    [17:10:03 13-02-98]: uid: (akosut/akosut) gid: (admin/admin) email.cgi
    [17:14:28 13-02-98]: uid: (akosut/akosut) gid: (admin/admin) list.cgi
    [17:14:28 13-02-98]: command not in docroot
                         (/users/akosut/startrek/l/list.cgi)

Which I don't have a clue about (other than Alexei is on the Apache team &
graduated from Nueva School.... is this relevant?)

So, I think I have all but the suexec working. It must be progress :-)

Thanks

-------
Lawson Fisher