3.4 Operation by general user
This section describes the differences between the superuser and general users, and methods to create an environment for general users to operate Web server.
Overview
For Web server, normal operation is assumed to be operation by the superuser.
When Web server is installed, various settings are configured for operation by the superuser.
Thus, when users other than the superuser (hereafter referred to as general users) operate Web server, they need to change the settings file for Web server and settings in related directories and files. For some functionality in Web server, some operations are restricted from general users.
This section describes the differences between the superuser and general users, and methods to create an environment for general users to operate Web server.
Permissions for each process
The following table lists the permissions of each process for operation by the superuser or general users.
|
No. |
Process |
Operation by the superuser |
Operation by general users |
|---|---|---|---|
|
1 |
Control process |
Superuser |
General user |
|
2 |
rotatelogs and rotatelogs2 processes |
||
|
3 |
Server process |
Users or groups specified in the User and Group directives |
|
|
4 |
CGI process |
||
|
5 |
gcache server |
Differences between the superuser and general users in UNIX
In UNIX, unlike general users, the superuser has system administrator permissions. The following table lists examples of the differences between the superuser and general users in UNIX.
|
No. |
Item |
Superuser |
General user |
|---|---|---|---|
|
1 |
Can stop processes that were started by users? |
Yes |
No |
|
2 |
Can open well-known ports (ports 1023 and lower)? |
Yes |
No |
|
3 |
Can access files that do not explicitly have read or write permissions? |
Yes |
No |
If a general user operates Web server, because the control process in Web server operates with general user permission, the behavior in this case might differ from operation by the superuser. Therefore, if a general user operates Web server, the user needs to create an environment while considering the differences with the superuser.
Changing resource owners and groups
In UNIX, you can change resource owners and groups for content and settings files for Web server, and for files and directories accessed by Web server during operation.
At the minimum, you will need to change the resources under the installation directory (Application Server installation directory/httpsd).
If you want to restore resource owners and groups to the previous settings, save the owners and groups for the current resources before making changes.
The superuser can save owners and groups. The following is an example of how to do this.
Example:
For the resources under the /opt/hitachi/APServer/httpsd directory, create a list of owners and groups.
ls laR /opt/hitachi/APServer/httpsd
The superuser can change owners and groups. The following is an example of how to do this.
Example:
For the resources under the /opt/hitachi/APServer/httpsd directory, change the owner (hwsuser) and the group (hwsgroup).
chown R hwsuser:hwsgroup /opt/hitachi/APServer/httpsd
Restrictions
The commands below cannot be operated by general users. Operate these commands as the superuser.
-
hwscertutil
-
htpasswd
-
hwskeygen
-
logresolve
-
sslpasswd
In operation by general users, the following directives cannot be specified. Any directive specified by general users is ignored.
-
Group
-
User
In operation by general users, well-known ports (ports 1023 and lower) cannot be opened. Be careful when specifying the port number in the following directives:
-
Listen
-
SSLCacheServerPort