[docs] xmldocs - docelic modified 6 files

docs at icdevgroup.org
Mon Dec 6 08:55:15 EST 2004


User:      docelic
Date:      2004-12-06 13:55:15 GMT
Modified:  bin      refs-autogen
Added:     refs     IpHead IpQuad LockType LockoutCommand NoAbsolute
Log:
More new items.

Tuned bin/refs-autogen to generate one common file for both
config and global directives. Later we'll just visually add an indicator
of what "subtype" of the directive it is.

Revision  Changes    Path
1.72      +9 -1      xmldocs/bin/refs-autogen


rev 1.72, prev_rev 1.71
Index: refs-autogen
===================================================================
RCS file: /var/cvs/xmldocs/bin/refs-autogen,v
retrieving revision 1.71
retrieving revision 1.72
diff -u -r1.71 -r1.72
--- refs-autogen	4 Dec 2004 22:47:23 -0000	1.71
+++ refs-autogen	6 Dec 2004 13:55:15 -0000	1.72
@@ -79,8 +79,9 @@
 	globconf => "Global Configuration Directive",
 	catconf => "Catalog Configuration Directive",
 	filter => "Filter",
-	# Summarized:
+	# Summarized / compounds:
 	tag => "Tag",
+	conf => "Configuration directive",
 );
 
 my %tagname = (
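Review bot: the new label on the added line, conf => "Configuration directive", is in sentence case, while the globconf and catconf labels just above it use title case ("Global Configuration Directive"). Use "Configuration Directive" so the generated headings match.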
@@ -95,6 +96,7 @@
 	filter => "filter",
 	# Summarized:
 	tag => "tag",
+	conf => "option",
 );
 
 # Default fields
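Review bot: the comment above the tag and conf entries in %tagname still reads "# Summarized:", although the same comment in the previous hash was changed to "# Summarized / compounds:" in this commit. Update it here too so the two tables stay parallel. A short comment on why conf maps to "option" rather than to its own key, as tag and filter do, would also help the next reader.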
@@ -152,6 +154,7 @@
 			my $pref = "";
 			if ( $compounds ) {
 				$gkey =~ /tag$/ and $name = 'tag';
+				$gkey =~ /conf$/ and $name = 'conf';
 				$pref = "${gkey}s -> ";
 			}
 
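Review bot: the added match /conf$/ folds every group key that ends in "conf" into the conf compound, not only globconf and catconf. Matching /^(?:glob|cat)conf$/ would keep a future key with that suffix from being merged by accident. Also check the generated output of the following line, since $pref will now read "globconfs -> " and "catconfs -> ".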
@@ -555,7 +558,12 @@
 		%{ $symbols{usertag} },
 		%{ $symbols{uitag} },
 	};
+	$symbols{conf} = {
+		%{ $symbols{globconf} },
+		%{ $symbols{catconf} },
+	};
 	delete @symbols{qw/systemtag usertag uitag/};
+	delete @symbols{qw/globconf catconf/};
 }
 
 
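Review bot: in the new $symbols{conf} assignment, the catconf entries are listed after the globconf ones, so any directive name present in both hashes silently keeps only the catalog entry. The delete of globconf and catconf on the added last line then discards the only record of which kind each directive was. The log message says a "subtype" indicator is planned, so store the origin on each entry (or keep both entries when a name collides) before deleting the two source hashes.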



1.1                  xmldocs/refs/IpHead


rev 1.1, prev_rev 1.0
Index: IpHead
===================================================================
__NAME__ purpose
use only part of the IP to qualify user sessions?
__END__


__NAME__ see also
DomainTail,IpHead,IpQuad,WideOpen,
__END__


__NAME__ synopsis
<group choice='req'>
	<arg choice='plain'>No</arg>
	<arg choice='plain'>Yes</arg>
</group>
__END__


__NAME__ description
The directive affects the domain/IP session qualifying method. When enabled,
only the first &conf-IpQuad; dot-quads of the IP address are used to qualify
the user session (along with, of course, the session ID).
</para><para>
This is a slight compromise on security, but it allows
non-cookie-accepting browsers, like AOL's V2.0, to use multiple proxy
servers.
__END__

__NAME__ notes
&conf-DomainTail; is preferable unless one of your HTTP servers does not do
host name lookups.
__END__

__NAME__ example
<example>
  <title>Enabling IpHead directive</title>
	<para>
	Put the following in &gcf;:
	</para>
<programlisting>
DomainTail No
IpHead     Yes
</programlisting>
</example>
__END__




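Review bot: the description's "slight compromise on security" should say what is given up. With this directive on, only the first IpQuad dot-quads are compared, so any client whose address shares that prefix and who presents the session ID qualifies for the session. Stating that lets an administrator weigh it. In the "see also" section, drop the self-reference to IpHead and the trailing comma.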
1.1                  xmldocs/refs/IpQuad


rev 1.1, prev_rev 1.0
Index: IpQuad
===================================================================
__NAME__ purpose
specify number of dot-quads to honor when IpHead is enabled
__END__


__NAME__ see also
DomainTail,IpHead,WideOpen
__END__


__NAME__ synopsis
<group choice='req'>
	<arg choice='plain'><replaceable>number</replaceable></arg>
</group>
__END__


__NAME__ description
The directive simply specifies the number of <emphasis>dot-quads</emphasis>
the session qualifier will look at, if &conf-IpHead; is enabled.
</para><para>
In other words, with an IPV4 address (32 bit address, consisting of 
four dot-quads) of value
<systemitem class='ipadress'>127.0.0.1</systemitem> and &conf-IpQuad; of 
<literal>2</literal>, 
<systemitem class='ipadress'><emphasis role='bold'>127.0.</emphasis></systemitem>
would be enough to qualify the user session.
__END__

__NAME__ notes
&conf-DomainTail; is preferable unless one of your HTTP servers does not do
host name lookups.
__END__

__NAME__ example
<example>
  <title>Enabling IpHead directive</title>
	<para>
	Put the following in &gcf;:
	</para>
<programlisting>
DomainTail No
IpHead     Yes
</programlisting>
</example>
__END__




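Review bot: the example section is copied unchanged from IpHead: its title is "Enabling IpHead directive" and the listing never sets IpQuad. Retitle it and add an IpQuad line with a value so the example shows the directive being documented. The description should also state the default number of dot-quads, and class='ipadress' on both systemitem elements is misspelled (DocBook's value is 'ipaddress').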
1.1                  xmldocs/refs/LockType


rev 1.1, prev_rev 1.0
Index: LockType
===================================================================
__NAME__ purpose
specify file locking method to use
__END__


__NAME__ synopsis
<group choice='req'>
	<arg choice='plain'>flock</arg>
	<arg choice='plain'>fcntl</arg>
	<arg choice='plain'>none</arg>
</group>
__END__


__NAME__ description
The directive specifies the file locking method to use. 
<literal>flock</literal> is the default and works well with standard
setups.
</para><para>
<literal>fcntl</literal> is used with &NFS;. In case of NFS, both
the NFS client and server need to run the lock daemon
(<command>lockd</command>).
</para><para>
<literal>none</literal> can be used to turn off locking completely. This
is never recommended, unless you only want to see if the locking 
is causing system hangs.
__END__

__NAME__ notes
Although this directive was added in &IC; 4.7, due to an error later
discovered, the directive started working properly with the release
of &IC; 4.8.6.
</para><para>
If you are only accessing sessions on an NFS-mounted directory, but the rest
of Interchange is on the local filesystem, you can set the &conf-SessionType;
directive to <literal>NFS</literal> instead. That would enable
<literal>fcntl</literal> locking for sessions on a per-catalog basis only.
__END__

__NAME__ example
<example>
  <title>Setting LockType</title>
	<para>
	Put the following in &gcf;:
	</para>
<programlisting>
LockType fcntl
</programlisting>
</example>
__END__




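Review bot: this item has no "see also" section although the notes refer to &conf-SessionType; as the per-catalog alternative; add one listing SessionType. The example sets "LockType fcntl" without repeating the requirement from the description that lockd must run on both the NFS client and the server, which is the part a reader copying the example is most likely to miss.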
1.1                  xmldocs/refs/LockoutCommand


rev 1.1, prev_rev 1.0
Index: LockoutCommand
===================================================================
__NAME__ purpose
specify command to run in order to lock a client out of the site
__END__


__NAME__ see also
DomainTail, CreditCardAuto, CyberCash
__END__


__NAME__ synopsis
<group choice='req'>
	<arg choice='plain'><replaceable>command</replaceable></arg>
</group>
__END__


__NAME__ description
The directive specifies the command (as it would be entered from the shell)
that will somehow prevent the remote IP from accessing the &IC; catalog, or
the whole system.
</para><para>
The IP address will be substituted for the first occurrence of the string
<literal>%s</literal> (which might remind you of <function>printf</function>
format specifiers). The command will be executed under the &IC; user ID,
so you'll have to fine-tune the system privileges, or use 
<command>sudo</command>-like tools.
__END__

__NAME__ notes
A script could be written which would modify the appropriate access control
files, such as <filename>.htaccess</filename> (Web server-level)
or <filename>/etc/hosts.deny</filename> (TCP Wrappers-level), to do another
level of lockout.
</para><para>
Even a simple command line along the lines of
<userinput>perl -0777 -npi -e 's/deny/deny from %s\ndeny/'
/path/to/cgi-bin/.htaccess</userinput>
would work as well.
__END__


__NAME__ example
<example>
  <title>Preventing access to the system with ipfwadm</title>
	<para>
	Put the following in &gcf;:
	</para>
<programlisting>
LockoutCommand ipfwadm -I -i deny -S %s
</programlisting>
	<para>
	Note that the <command>ipfwadm</command> filtering system was used in Linux
	2.0.* kernels, and is now largely obsolete.
	</para>
</example>
__END__

__NAME__ missing
Give lockout examples for ipchains, iptables and ipfw
Write a script that does what we suggest in Notes section
__END__




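Review bot: the one-liner in the notes, s/deny/deny from %s\ndeny/, is unanchored and runs over the whole slurped file (-0777), so it rewrites the first "deny" substring wherever it occurs, including inside another directive on the same line. Anchor it to a line start with s/^deny/.../m, or ship the script the "missing" section asks for. Since the description says the command is run as entered from the shell under the &IC; user ID, it would also be worth recommending that any sudo rule be limited to the exact lockout command rather than a general grant.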
1.1                  xmldocs/refs/NoAbsolute


rev 1.1, prev_rev 1.0
Index: NoAbsolute
===================================================================
__NAME__ purpose
disable catalogs to read absolute filenames on the system
__END__


__NAME__ synopsis
<group choice='req'>
	<arg choice='plain'>No</arg>
	<arg choice='plain'>Yes</arg>
</group>
__END__


__NAME__ description
The directive specifies whether to prevent commands and tags (such as 
&tag-file;) to read absolute filenames (any files) on the system.
In cases where the &IC; daemon has no permission to read the file , this
directive &mdash; of course &mdash; has no influence.
</para><para>
This should be enabled in multiuser environments to minimize security
problems.
__END__

__NAME__ notes
Note that this does not apply to tests for whether a file exists (as one
would do with <code>[if file ...]</code> or similar). Such operations are
allowed regardless of &conf-NoAbsolute;.
__END__


__NAME__ example
<example>
  <title>Enabling NoAbsolute</title>
	<para>
	Put the following in &gcf;:
	</para>
<programlisting>
NoAbsolute Yes
</programlisting>
</example>
__END__









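Review bot: the purpose line "disable catalogs to read absolute filenames" and the description's "prevent commands and tags ... to read" are ungrammatical. Use "prevent catalogs from reading absolute filenames" and "prevent ... from reading". There is also a stray space before the comma in "read the file , this". The synopsis lists No and Yes without saying which is the default, which matters here because the description recommends enabling it in multiuser environments.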