From: eldy <>
Date: Sat, 9 Mar 2002 17:43:30 +0000 (+0000)
Subject: New options: SaveDatabaseFilesWithPermissionsForEveryone
X-Git-Tag: AWSTATS_4_0_BETA~55
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0c09888593038326a4224cce07ecae285c8dd89e;p=thirdparty%2FAWStats.git
New options: SaveDatabaseFilesWithPermissionsForEveryone
---
diff --git a/docs/awstats_config.html b/docs/awstats_config.html
index 67b0f12e..54706390 100644
--- a/docs/awstats_config.html
+++ b/docs/awstats_config.html
@@ -60,6 +60,7 @@ it with its value when reading it), follow the example:
OPTIONAL SETUP SECTION (Not required but increase AWStats features)
- CreateDirDataIfNotExists
+
- SaveDatabaseFilesWithPermissionsForEveryone
- PurgeLogFile
- ArchiveLogRecords
- KeepBackupOfHistoricFiles
@@ -312,6 +313,7 @@ it with its value when reading it), follow the example:
+CreateDirDataIfNotExists
# If the "DirData" directory (see above) does not exists, AWStats return an
# error. However, you can ask AWStats to create it. This option can be used by
# some Web Hosting Providers that has defined a dynamic value for DirData (for
@@ -323,6 +325,21 @@ it with its value when reading it), follow the example:
+SaveDatabaseFilesWithPermissionsForEveryone
+
# In most case, AWStats is used as a cgi program. So AWStats process is runned
+
# by default web server user (nobody for Unix, IUSR_xxx for IIS/Windows,...).
+
# To avoid permission problems between update process often runned by an admin
+
# user (root for Unix, Administrator for Windows,...), AWStats save its
+
# database files by default with read and write for everyone. You can set this
+
# parameter to 0, if you want AWStats to keep user process default permission.
+
# Possible values: 1 or 0
+
# Default: 1
+
#
+
SaveDatabaseFilesWithPermissionsForEveryone=1
+
+
+
+PurgeLogFile
# AWStats can purge log after processing it. By this way, the next time you
# launch AWStats, log file will be smaller and processing time will be better.
# IMPORTANT !!!
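Review bot: The description added for SaveDatabaseFilesWithPermissionsForEveryone says the default (1) saves database files "with read and write for everyone" but never states the consequence: on a host with several local accounts, any of them can read or modify another site's statistics database. Suggest adding one sentence saying so, a pointer to the security page (which already tells the reader to set the option to 0), and a recommendation to use 0 wherever users have shell access. It is also worth considering whether 1 should remain the default. Minor wording in the added lines: "is runned" should be "is run", "AWStats save" should be "AWStats saves".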
@@ -340,6 +357,7 @@ it with its value when reading it), follow the example:
+ArchiveLogRecords
# When PurgeLogFile is setup to 1, AWStats will clean your log file after
# processing it. You can however keep an archive file (saved in "DirData") of
# all processed log records by setting this to 1 (For example if you want to
@@ -352,6 +370,7 @@ it with its value when reading it), follow the example:
+KeepBackupOfHistoricFiles
# Each time you run the update process, AWStats overwrite the 'historic file'
# for the month (awstatsMMYYYY[.*].txt) with the updated one.
# When write errors occurs (IO, disk full,...), this historic file can be
@@ -366,6 +385,7 @@ it with its value when reading it), follow the example:
+Lang
# Set your primary language.
# Possible value:
# Bosnian=ba, Chinese (Taiwan)=tw, Chinese (Traditional)=cn, Czech=cz,
@@ -380,6 +400,7 @@ it with its value when reading it), follow the example:
+DirLang
# Set the location of language files.
# Example: "/opt/awstats/lang"
# Default: "./lang" (means lang directory is in same location than awstats.pl)
@@ -388,6 +409,7 @@ it with its value when reading it), follow the example:
+DefaultFile
# Index page name for your web server.
# Example: "default.htm"
# Default: "index.html"
diff --git a/docs/awstats_security.html b/docs/awstats_security.html
index 209e89e3..048f067d 100644
--- a/docs/awstats_security.html
+++ b/docs/awstats_security.html
@@ -32,38 +32,81 @@
Little tips about Security
+
A lot of AWStats users have several web site to manage. This is particularly true for web hosting providers.
The most common things you would like to do is to prevent user xxx (having a site www.xxx.com) to see
statistics of user yyy (having a site www.yyy.com).
-
+
This is example of possible way of working:
-1) HIGHLY SECURED
-Policy:
+1) VERY HIGHLY SECURED
+Policy:
+You have several different config/domains owned by different users and you want to build statistics for each
+of them. You don't need that your customer have "real-time" statistics.
+This is a very good choice for web hosting providers with few but very large web sites of important customers.
+Advantage:
+Very highly secured.
+Disavdantage:
+Statistics are static, no dynamic update/view.
+How:
All statistics pages for a config/domain file are built in static html files using -output -staticlinks option.
There is no CGI use of AWStats and static built pages are stored in a web protected realm to
be securely viewed by correct allowed users only (or sent by mails).
-+: Highly secured.
--: Statistics are static, No way to have dynamic update/view.
-Note: With this policy, AWStats database files can have their own permissions.
-So, set all AWStats database files built by the update process for config/domain1 to have read/write for user1
-(or an admin user) and NO read and/or NO write for any other users.
+If users have a command line access (telnet) on statistics server, you must set correct permissions on AWStats
+database files. Set all AWStats database files (built by the update process) for config/domain1 to have read/write
+for user1 (or an admin user) and NO read and NO write permissions for any other users.
+Then, check that the SaveDatabaseFilesWithPermissionsForEveryone is set 0 in your config/domain files.
If AWStats database files for config/domain1 are read protected, only allowed users can see statistics for config/domain1.
If AWStats database files for config/domain1 are write protected, only allowed users can update statistics for config/domain1.
-This is a very good choice for web hosting providers with important customers.
-2) MEDIUM SECURED
-Policy: Statistics pages for a config/domain file can be read dynamically from a browser (with AWStats working as a CGI).
-Use of awstatsusers file to list config/domain a particular user can see/update.
-awstats.pl file must be saved in a web protected realm to allow awstats to get the username when running as CGI.
-+: Statistics are dynamic.
--: AWStats database files must be readable by anonymous web server user, so if an experimented user can have an access to
-the server (telnet, ftp), he will be able to install and run a hacked version of AWStats that does not check permissions into the awstatsusers.
-Note: With this policy, you must first create a text file called awstatsusers. This file is a text file
-with several records that contains two fields separated by a ";".
-First field is the user name allowed to read statistics from a browser.
+
+2) HIGHLY SECURED
+Policy:
+You have several different domains owned by different users and you want each owner of a domain
+to be able to see only his/her domain and to be able to update his/her statistics dynamically.
+This might be a good choice for web hosting providers with several small private or public customers.
+Advantage:
+Statistics view is dynamic. A site owner can view its statistics dynamically. Update can also
+be made (if allowed) on-line.
+Disadvantage:
+No way to have 2 configurations files for 1 particular domain.
+How:
+First, AWStats must be placed in its own cgi-bin-awstats directory with no way for users to
+put in it a hacked verion of AWStats (a not writeable directory).
+Then, you must add an environment variable called AWSTATS_CONFIG in the web server environment
+for each domain to say wich config file to use for a particular domain.
+With Apache web server, you must use the 'SetEnv' directive. This is an example:
+<VirtualHost www.xxx.yyy.zzz>
+ ServerAdmin webmaster@mydomain.com
+ ServerName mydomain.com
+ ScriptAlias /cgi-bin-awstats/
+ DocumentRoot /usr/local/apache/html
+ SetEnv AWSTATS_CONFIG myconfigvalueformydomain
+</VirtualHost>
+
+When using AWStats as a CGI with the following URL 'http://mydomain.com/cgi-bin-awstats/awstats.pl', AWStats
+will use the config file called awstats.myconfigvalueformydomain.conf to choose which statistics used,
+even if a visitor try to force the config file with the URL 'http://mydomain.com/cgi-bin-awstats/awstats.pl?config=xxx'.
+
+
+3) MEDIUM SECURED
+!!! This policy is not possible yet as the use of file awstatsusers is not yet developped. !!!
+Policy:
+You have several config/domain and several users. You want to specify (using a awstatsusers file) wich user can see
+or update dinamically statistics for each config/domain.
+Advantage:
+Statistics are dynamic. High level of manageability.
+Disadvantage:
+AWStats database files must be readable by anonymous web server user, so if an experimented user can have an access to
+the server where AWStats database files are stored, he will be able to install and run a hacked version
+of AWStats that does not check permissions into the awstatsusers file and see/update from other config files.
+How:
+awstats.pl file must be saved in a web protected realm to allow awstats to get the username from
+when running as CGI.
+Then you must create the text file awstatsusers. This file is a text file with several records that contains
+two fields separated by a ";". First field is the user name allowed to read statistics from a browser.
Second field is a list (separated by comma ",") of all visible config/domain allowed for this user.
-Example of awstatsusers file:
+Example of awstatsusers file:
user1;*
user2;www.domain2.com
user3;www.domain3a.com,www.domain3b.com
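Review bot: In the Apache example added under policy 2, "ScriptAlias /cgi-bin-awstats/" carries only the URL path. ScriptAlias takes a second argument, the directory on disk, and this policy depends on that directory being non-writable by users, so the example should show the directory and the text should say who owns it. Policy 2 also omits the instruction given under policy 1 to set SaveDatabaseFilesWithPermissionsForEveryone to 0; with the default of 1 the database files remain readable and writable by everyone, so the same step belongs here if users have any local access. Typos in the added lines: "Disavdantage", "verion", "wich" (twice), "dinamically", "developped".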
@@ -77,22 +120,21 @@ AuthType Basic
require valid-user
</Files>
-
-Save the awstatsusers file in the DirData directory (directory where AWStats save its database) and put on this file "read only"
+And save the awstatsusers file in the DirData directory (directory where AWStats save its database) and put on this file "read only"
permissions for everyone.
-3) LOW SECURED
-Policy: Same as 2 with no use of awstatsusers.
-+: Setup is very easy (No need of particular setup). Statistics are dynamic.
--: No way to prevent stats for config/domain to be seen by a user that known the
+4) LOW SECURED
+Policy:
+Same as 3 with no use of awstatsusers.
+This is the most common way of working for all users that have only one hosts
+and don't want to have restricted accounts to manage.
+Advantage:
+Setup is very easy (No need of particular setup). Statistics are dynamic.
+Disadvantage:
+No way to prevent stats for config/domain to be seen by a user that known the
config/domain name and the url syntax to see stats of a particular config/domain.
-Note: This is the most common way of working for all users that have only one hosts
-and no restricted accounts to manage.
-
-
-
-
-
+How:
+No particular things to do.
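Review bot: Policy 4 is now defined as "Same as 3 with no use of awstatsusers", but policy 3 is flagged a few lines earlier as not possible yet, so the most common setup is described by reference to one that does not exist. Suggest writing policy 4 out on its own terms (AWStats run as a CGI, no per-user restriction). Separately, the retained instruction to give awstatsusers "read only" permissions for everyone exposes the user-to-domain mapping to every local account; the text should say whether that is intended, or restrict read access to the web server user.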
diff --git a/wwwroot/cgi-bin/awstats.model.conf b/wwwroot/cgi-bin/awstats.model.conf
index d6a7f99d..ac6e3b35 100644
--- a/wwwroot/cgi-bin/awstats.model.conf
+++ b/wwwroot/cgi-bin/awstats.model.conf
@@ -175,7 +175,7 @@ CreateDirDataIfNotExists=0
# To avoid permission problems between update process often runned by an admin
# user (root for Unix, Administrator for Windows,...), AWStats save its
# database files by default with read and write for everyone. You can set this
-# parameter to 0, if you want AWStats to keep user permissions only.
+# parameter to 0, if you want AWStats to keep default process user permission.
# Possible values: 1 or 0
# Default: 1
#
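Review bot: The reworded comment line, "keep default process user permission", does not match the wording added to docs/awstats_config.html in this same patch ("keep user process default permission"), and neither phrase tells an administrator what permissions the files actually get when the option is 0. Suggest using one wording in both places and stating concretely what determines the resulting mode. Since this model file is what administrators copy, a short note that 1 leaves the database files writable by everyone would fit here too.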
diff --git a/wwwroot/cgi-bin/awstats.pl b/wwwroot/cgi-bin/awstats.pl
index ee9c2b7d..ba932872 100644
--- a/wwwroot/cgi-bin/awstats.pl
+++ b/wwwroot/cgi-bin/awstats.pl
@@ -21,7 +21,7 @@ use vars qw(%DomainsHashIDLib @RobotsSearchIDOrder_list1 @RobotsSearchIDOrder_li
#-------------------------------------------------------
# Defines
#-------------------------------------------------------
-my $VERSION="4.0 (build 43)";
+my $VERSION="4.0 (build 44)";
# ---------- Init variables -------
my $Debug=0;
@@ -502,6 +502,7 @@ sub Read_Config_File {
}
# Read optional section
if ($param =~ /^CreateDirDataIfNotExists/) { $CreateDirDataIfNotExists=$value; next; }
+ if ($param =~ /^SaveDatabaseFilesWithPermissionsForEveryone/) { $SaveDatabaseFilesWithPermissionsForEveryone=$value; next; }
if ($param =~ /^PurgeLogFile/) { $PurgeLogFile=$value; next; }
if ($param =~ /^ArchiveLogRecords/) { $ArchiveLogRecords=$value; next; }
if ($param =~ /^KeepBackupOfHistoricFiles/) { $KeepBackupOfHistoricFiles=$value; next; }
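Review bot: The added match /^SaveDatabaseFilesWithPermissionsForEveryone/ in Read_Config_File has no end anchor, so any parameter name that merely begins with this string is taken as this option. The neighbouring lines share the pattern, but for a setting that controls file permissions an exact match on the name is safer. Also, no hunk in this patch declares $SaveDatabaseFilesWithPermissionsForEveryone or shows where it is consulted when the database files are written; please confirm both exist, otherwise the option is parsed and never applied.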
@@ -793,6 +794,7 @@ sub Check_Config {
if ($AllowToUpdateStatsFromBrowser !~ /[0-1]/) { $AllowToUpdateStatsFromBrowser=0; }
# Optional section
if ($CreateDirDataIfNotExists !~ /[0-1]/) { $CreateDirDataIfNotExists=0; }
+ if ($SaveDatabaseFilesWithPermissionsForEveryone !~ /[0-1]/) { $SaveDatabaseFilesWithPermissionsForEveryone=1; }
if ($PurgeLogFile !~ /[0-1]/) { $PurgeLogFile=0; }
if ($ArchiveLogRecords !~ /[0-1]/) { $ArchiveLogRecords=1; }
if ($KeepBackupOfHistoricFiles !~ /[0-1]/) { $KeepBackupOfHistoricFiles=0; }
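Review bot: The added check in Check_Config, "!~ /[0-1]/", is unanchored, so any value that contains a 0 or a 1 anywhere (for example "10" or "no1") passes validation unchanged, and a value that fails falls back to 1, the world-readable and world-writable setting. A typo in the config therefore ends up permissive rather than restrictive. Suggest anchoring the test as /^[01]$/ and deciding deliberately whether the fallback for an invalid value should be 0; if 1 is kept for compatibility, say so in a comment.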