
High Priority Security Modifications

Take the actions described in this section to ensure the security of systems running AOLserver.

Setup Server nsadmin Password

Versions prior to 3.0:

The default Setup Server has either no nsadmin password or a poor nsadmin password. You must set an acceptable password for the Setup Server nsadmin account as described below.

In the nsd.ini configuration file, a Password line should appear in the [ns/setup] section as shown below:

    [ns/setup]
    Password=XXXXXXXXXXXXX

The XXXXXXXXXXXXX value is the hashed password string. It should be 13 characters long.

If this line is missing, or if the password value is blank, no password is set for the Setup Server nsadmin account. Set a password either by entering a hashed password manually into the nsd.ini file or by accessing the following URL on your web server:

    http://server-name.com:XXXX/NS/Setup/SetupVS

where:

XXXX is the port your Setup Server is running on.

Versions 3.0 or higher:

The Setup Server does not exist. No action is necessary.

Execution as Root

Versions prior to 3.0:

AOLserver can be set to run as root. Disable this capability as described below.

If the AllowRoot parameter entry exists in your nsd.ini configuration file, either remove it or set it explicitly to Off as shown below:

    [ns/parameters]
    AllowRoot=Off

By default, AOLserver does not enable the AllowRoot parameter.

Versions 3.0 or higher:

AOLserver cannot be set to run as root. No action is necessary.
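The two nsd.ini checks above (a present, 13-character hashed Password under [ns/setup], and AllowRoot absent or Off under [ns/parameters]) are easy to audit before a pre-3.0 server is started. The script below is an added example written for this page, not part of AOLserver or its documentation. It assumes nsd.ini is plain INI syntax that Python's configparser can read (sections in square brackets, key=value lines, ; or # comments); the sample configurations and the PLACEHOLDERXX hash value are constructed for the example and are not real server data.

```python
import configparser

# Constructed sample of a pre-3.0 nsd.ini (not from a real server). Both
# settings below are the weak state this section tells you to fix.
WEAK_NSD_INI = """\
[ns/parameters]
ServerRoot=/usr/local/aolserver
AllowRoot=On

[ns/setup]
Password=
"""

# The same fragment after applying the section: AllowRoot removed and a
# 13-character hash set. PLACEHOLDERXX is a made-up stand-in, not a real hash.
FIXED_NSD_INI = """\
[ns/parameters]
ServerRoot=/usr/local/aolserver

[ns/setup]
Password=PLACEHOLDERXX
"""


def load_nsd_ini(text):
    """Parse nsd.ini text. configparser lowercases keys, so lookups below use
    lowercase names; strict=False tolerates repeated keys in hand-edited files."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp


def check_setup_password(cp):
    """Return a finding for the Setup Server nsadmin password, or None if it looks set."""
    if not cp.has_section("ns/setup"):
        return "[ns/setup] section missing: no Setup Server nsadmin password is set"
    hashed = cp.get("ns/setup", "password", fallback="").strip()
    if not hashed:
        return "[ns/setup] Password missing or blank: no Setup Server nsadmin password is set"
    if len(hashed) != 13:
        return "[ns/setup] Password is %d characters; a crypt hash is 13" % len(hashed)
    return None


def check_allow_root(cp):
    """Return a finding if AllowRoot is present and not Off (absent means disabled)."""
    value = cp.get("ns/parameters", "allowroot", fallback=None)
    if value is None:
        return None
    if value.strip().lower() != "off":
        return "[ns/parameters] AllowRoot=%s: remove it or set it to Off" % value.strip()
    return None


def audit_nsd_ini(text):
    """Return the list of findings; an empty list means both checks pass."""
    cp = load_nsd_ini(text)
    return [f for f in (check_setup_password(cp), check_allow_root(cp)) if f]


if __name__ == "__main__":
    import sys
    # Audit the file named on the command line, or the constructed weak sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_NSD_INI
    for finding in audit_nsd_ini(source) or ["no findings"]:
        print(finding)
```

Run it as `python audit_nsd_ini.py /path/to/nsd.ini`; with no argument it audits the constructed weak sample and reports both findings. The length check only confirms the value is the size of a traditional crypt hash; it cannot tell a strong password from a weak one, so the hash still has to come from a password you chose deliberately.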

General nsadmin Passwords

By default, the nsadmin password for AOLserver is either set to NULL or to a poor password. Set an acceptable password for nsadmin as described below.

Versions prior to 3.0:

You can set the nsadmin passwords for virtual servers at this URL:

    http://virtual-server.com/NS/PermAdmin

Edit the nsadmin account and add an acceptable password. Set a password for each running virtual server.

Versions 3.0 or higher:

Edit the nsadmin entry in the /modules/nsperm/passwd file. For example, the default passwd file contains this nsadmin entry:

    nsadmin:CUdnvgBYocLSI:::::

Substitute an alternate encrypted password in place of CUdnvgBYocLSI.

To encrypt a password, you can copy an already-encrypted password from the /etc/passwd file or run the bin/nspasswd utility. It will prompt you for a password and return the encrypted version of the password.

For more information about the passwd file, see the "Defining Users" section.
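For the 3.0-and-higher case, the question is simply whether the nsadmin line in modules/nsperm/passwd still carries the shipped hash shown above, or no hash at all. The following script is an added example for this page, not code from AOLserver; it assumes the passwd file is colon-separated with the user name in the first field and the hash in the second, as the default entry above shows, and that the hash is a 13-character crypt string. The sample file and the PLACEHOLDERXX value are constructed. Note that on systems using shadow passwords /etc/passwd holds no hashes, so bin/nspasswd is the dependable way to produce a replacement.

```python
# Default nsadmin hash from the stock modules/nsperm/passwd file, as shown in
# this section. A server still carrying it is protected by a known password.
DEFAULT_NSADMIN_HASH = "CUdnvgBYocLSI"

# Constructed sample passwd file (not from a real server). The nsadmin line is
# the shipped default and must be replaced.
SAMPLE_PASSWD = """\
# modules/nsperm/passwd (constructed sample)
nsadmin:CUdnvgBYocLSI:::::
nobody::::::
"""


def parse_passwd(text):
    """Map user name -> password field, skipping blank and comment lines.
    Fields are colon-separated, in the style of /etc/passwd."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = fields[1] if len(fields) > 1 else ""
    return users


def audit_nsadmin(text):
    """Return findings for the nsadmin entry; an empty list means it looks acceptable."""
    users = parse_passwd(text)
    if "nsadmin" not in users:
        return ["nsadmin: no entry found in passwd file"]
    pw = users["nsadmin"]
    if pw == "":
        return ["nsadmin: NULL password (empty field); set one with bin/nspasswd"]
    if pw == DEFAULT_NSADMIN_HASH:
        return ["nsadmin: still the default shipped hash; replace it"]
    if len(pw) != 13:
        return ["nsadmin: password field is %d characters, not a 13-character crypt hash" % len(pw)]
    return []


if __name__ == "__main__":
    import sys
    # Audit the file named on the command line, or the constructed sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for finding in audit_nsadmin(source) or ["no findings"]:
        print(finding)
```

Point it at the real file with `python audit_nsperm_passwd.py /path/to/modules/nsperm/passwd`. Because the default hash is published in this very document, matching against it is a reliable indicator; a passing result only means the hash was changed, not that the chosen password is strong.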

Permission Settings

It is more secure to avoid using the nsperm module and use file-level security for ADPs. If you must use the nsperm module, set appropriate permissions records as follows:

Versions prior to 3.0:

Visit this URL to change the permissions for each virtual server:

    http://virtual-server.com/NS/PermAdmin

Versions 3.0 or higher:

To define AOLserver permissions, create permission entries in the perms file, which resides in the /modules/nsperm directory. The default perms file does not contain any permission entries, but it contains comments that explain how to add entries to the file.

For more information about setting permissions, see the "Permissions" section.

Tcl Evaluation

The Tcl evaluation feature, accessed by the /NS/EvalTcl URL, allows an administrator to execute Tcl commands remotely on AOLserver. Disable the /NS/EvalTcl capability in AOLserver versions 2.2.1 and higher as described below.

Versions prior to 3.0:

In the server-home/modules/tcl/gettcl.tcl file, remove the following two lines:

    ns_register_proc GET /NS/EvalTcl _ns_dyntcl_eval
    ns_register_proc POST /NS/EvalTcl1 _ns_dyntcl_eval

Additionally, you may want to remove the following line from the same file, which will prevent the Tcl evaluation link from appearing when you access /NS/Admin:

    <LI>Ad Hoc Evaluation

Search the rest of the gettcl.tcl file for any other instances of _ns_dyntcl_eval and remove them as well.

With AOLserver version 2.3, you can also disable the Tcl Evaluation ability by setting the EnableAdmin parameter to Off in the nsd.ini configuration file:

    [ns/server/your-virtual-server/tcl]
    EnableAdmin=Off

However, the safest method in all situations is to remove the ns_register_proc entries in the gettcl.tcl file as described above.
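The gettcl.tcl edit above is mechanical enough to script, and scripting it also gives you a check that the registrations are really gone after the edit. The script below is an added example for this page, not part of AOLserver. It removes the two ns_register_proc lines that bind _ns_dyntcl_eval to a URL and the `<LI>Ad Hoc Evaluation` menu line, and it reports (without removing) every other line that mentions _ns_dyntcl_eval, since the proc definition spans several lines and is better removed by hand. The gettcl.tcl fragment is constructed for the example; the proc bodies in it are placeholders, not the real implementation.

```python
import re

EVAL_PROC = "_ns_dyntcl_eval"
# Matches "ns_register_proc METHOD URL _ns_dyntcl_eval" registration lines.
REGISTER_RE = re.compile(
    r"^\s*ns_register_proc\s+\S+\s+\S+\s+" + re.escape(EVAL_PROC) + r"\b")
MENU_LINE = "<LI>Ad Hoc Evaluation"

# Constructed fragment standing in for server-home/modules/tcl/gettcl.tcl.
# Only the registration lines and the menu line are taken from this section;
# the proc bodies are placeholders.
SAMPLE_GETTCL = """\
ns_register_proc GET /NS/EvalTcl _ns_dyntcl_eval
ns_register_proc POST /NS/EvalTcl1 _ns_dyntcl_eval
ns_register_proc GET /NS/Admin _ns_admin_page
proc _ns_dyntcl_eval {conn context} {
    # body omitted in this constructed sample
}
proc _ns_admin_page {conn context} {
    ns_write "<LI>Ad Hoc Evaluation"
}
"""


def disable_eval_tcl(text):
    """Return (cleaned_text, removed, remaining).

    removed:   (line number, line) pairs dropped from the file
    remaining: (line number, line) pairs that still mention _ns_dyntcl_eval
               and need manual review (typically the proc definition)."""
    kept, removed, remaining = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if REGISTER_RE.match(line) or MENU_LINE in line:
            removed.append((lineno, line))
            continue
        if EVAL_PROC in line:
            remaining.append((lineno, line))
        kept.append(line)
    return "\n".join(kept) + "\n", removed, remaining


def registers_eval_tcl(text):
    """True if any line still registers _ns_dyntcl_eval under a URL."""
    return any(REGISTER_RE.match(line) for line in text.splitlines())


if __name__ == "__main__":
    import sys
    # Rewrite the file named on the command line in place, or dry-run the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    source = open(path).read() if path else SAMPLE_GETTCL
    cleaned, removed, remaining = disable_eval_tcl(source)
    for lineno, line in removed:
        print("removed line %d: %s" % (lineno, line))
    for lineno, line in remaining:
        print("review line %d: %s" % (lineno, line))
    if path:
        open(path, "w").write(cleaned)
    print("still registered:", registers_eval_tcl(cleaned))
```

Run it with no argument to see what it would do to the constructed sample; give it the path to gettcl.tcl to edit the file in place (back the file up first). The `registers_eval_tcl` check is the part worth keeping around: re-run it after every upgrade or restore of the modules/tcl directory, since a fresh copy of gettcl.tcl reinstates the registrations.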

Versions 3.0 or higher:

The /NS/EvalTcl feature does not exist. No action is necessary.


Copyright © 1998-99 America Online, Inc.