I have tested a new web-server config file (by using its alter-ego as a config file for apache-ssl on pp3).
The web server configuration file enclosed is in line with the following configuration framework. Note that there is no significant change from the earlier configuration in (a), (b) and (c) except for (). The idea of () and (d) is to transfer more control over the web-server from super-user to the "web" user. This should entirely eliminate the need to log in as "root" on pp3 except for (a) and that should happen extremely rarely.
-
The super-user (on pp3) is responsible for starting and stopping the web server file. The super-user also manages the web configuration files. The upgrades of apache are also handled by the super-user.
-
The entire set of files that are exported as well as the cgi-bin and other supplementary files are under the control of user "web". In particular,
DocumentRoot -> /home/www-data/web /icons -> /home/www-data/web/icons /Includes -> /home/www-data/web/Includes /images -> /home/www-data/web/images /cgi-bin -> /home/www-data/web/cgi-bin (*)The "web" user can use symbolic links to point to any file or executable on "pp3" --- be careful. These directories can be edited on "pp3" as user web or from the cross-mounting as below. Server side includes are allowed with the "exec" construct.
-
Individual users have their home_page directories cross-mounted on all the IMSc hosts (banyan, willow, imsc4, hsparc4, etc.). They can manage these directories and restrict access based on .htaccess files as well.
/~user -> /home/www-data/user mounted as /net/www-data/user
Symbolic links are permitted to a limited extent (e.g. within these subdirectories). These URL's are only allowed to execute cgi-bin's in the above cgi-bin subdirectories (except for (d) below) (even in SSI's).
-
Some users may be permitted by the "web" user to have "their own" cgi-bin's as follows. A link can be created in /home/www-data/web/cgi-bin (by user "web")
cd /home/www-data/web/cgi-bin # ( which is /net/www-data/web/cgi-bin )
ln -s /home/www-data/user/cgi-bin user_cgi_bin
(Other names are possible in place of
/home1/www-data/user/cgi-bin).The user can then create any cgi-bin in
/home/www-data/user/cgi-bin ( = /net/www-data/user/cgi-bin)
These can be referred to via the URL's "href=/cgi-bin/user_cgi_bin/execname" to execute them.
Obviously, the "web" user should exercise some control over these new cgi-bin directories. In particular, note the "arbitrary symbolic-links following". You have been warned! A simple setup is to allow some user "temporary" use of such a facility. If this executable has long term use, then it should be copied and owned by the "web" user to exercise more control.
Please tell me if you see some problem in the new configuration file. I will install it tomorrow.