Use of the Access Control Editor
Several directories and domains, such as /status, /debug and /admin, must be protected, or the installation will not be secure from remote attack. As distributed, Tclhttpd defaults to safe but restrictive permissions.
Opening access to these sensitive facilities on a new installation requires that the admin create system-wide user and group files, and .htaccess files in the various directories which need to be protected.
The Access Control Editor maintains:
The per-directory control file, as detailed here
The group file, consisting of lines formatted as: group_name: member, member ...
The user file, consisting of lines formatted as: user_name: password
As it is necessary to have an administrative password before safely administering access control, some bootstrapping is required.
To begin administering access control through the editor, one may log in as the user webmaster with the password in /tmp/tclhttpd.default.
The first thing one should do is decide where the installation's user and group files will reside and create a password for webmaster.
Note: It is crucial that the user file not be visible from the web - it must not reside under the document root!
Once the user and group files are created and populated with values, you can secure the Access Control Editor by editing the directory htaccess.
Having secured /htaccess, one can freely use it to secure any directory or domain.
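The following is an added example, not part of Tclhttpd: a small Python audit that checks the rule from the note above (the user file must not resolve to a location under the document root, even through a symlink or a ".." path) and cross-checks group members against the user file. The directory names, file names and sample entries are constructed, and the parser assumes members may be separated by commas or whitespace.

```python
import os
import tempfile

def parse_colon_file(text):
    """Parse 'name: value' lines, the layout the page gives for both files."""
    entries = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            entries[name.strip()] = value.strip()
    return entries

def is_under(path, root):
    """True if path, with symlinks and '..' resolved, lies inside root."""
    real_path, real_root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([real_path, real_root]) == real_root

def audit(doc_root, user_file, group_file):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if is_under(user_file, doc_root):
        findings.append("user file is inside the document root")
    with open(user_file) as fh:
        users = parse_colon_file(fh.read())
    with open(group_file) as fh:
        groups = parse_colon_file(fh.read())
    if "webmaster" not in users:
        findings.append("no webmaster entry in the user file")
    for group, members in groups.items():
        for member in members.replace(",", " ").split():
            if member not in users:
                findings.append(f"group {group} lists unknown user {member}")
    return findings

def demo():
    """Build a constructed layout in a temp dir and audit it."""
    base = tempfile.mkdtemp()
    doc_root = os.path.join(base, "htdocs")      # hypothetical document root
    os.makedirs(doc_root)
    user_file = os.path.join(doc_root, "users")  # deliberately misplaced
    group_file = os.path.join(base, "groups")
    with open(user_file, "w") as fh:
        fh.write("webmaster: constructed-secret\nalice: constructed-secret\n")
    with open(group_file, "w") as fh:
        fh.write("admins: webmaster, alice\nauthors: alice, bob\n")
    return audit(doc_root, user_file, group_file)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```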
Several configuration options in tclhttpd.rc control how authentication occurs:
If this is undefined, a new random password is created in /tmp/tclhttpd.default every time the server is restarted. If it is defined, it is the plaintext default password for a user called webmaster, who has (by default) complete access to the Access Control Editor.
After bootstrapping, it would be advisable to set this value to "".
The default name of the file containing web user passwords (note: this should be different from your system's default password file, if any).
The default name of a file containing web groups.