Table of Contents

1 Security Services

Users...

1.1 User Status and Configuration

Groups...

1.2 Peruse Groups

1.3 Group Status and Configuration

1.4 Create a Group    (account administrators only)

2 File and Directory Services

2.1 Control Access to Files and Directories

2.2 Mount a Directory as a Windows Share

2.3 Transfer Files and Directories through FTP

3 Web Publishing Services

3.1 Publish Web Pages

3.2 Check Web Page Links

3.3 Develop Common Gateway Interfaces (CGIs)

3.4 Escrow your Password for CGI Authentication

1 Security Services

Users...

1.1 User Status and Configuration

username:	(if you know the username, enter it alone)
broncoid:	(if you know the identification number, enter it; if not, enter as many parts of the name as you know)
last name:
first name:
middle initial:

Any account administrator (in the group acct-admin) can check the status of an account or change its expiration status. After a user is identified, the following form is displayed:

username:	username
user title:	First M. Last
identification number:	n/a
groups:	csupomona	Cal Poly Pomona Intranet Users
expiration status:	never expires
expire:	never
	now
	in 1 month 3 months 6 months
	on Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 1999 2000 2001

1. Information about the user's network identity is reported from the Security Registry:

   • username
     
   • user title
     
   • identification number
     

2. The groups in which the user is a member are reported.

3. The expiration status is reported and is "never expires" or "will expire on date" or "expired on date".

To unexpire an account, check the radio button labeled "never". To expire an account, check a radio button next to the selected date. Click on the "Change Expiration" button to change the expiration.

During the fourth week of every academic quarter, all unexpired unauthorized accounts (not in at least one of the automatically-populated groups students, faculty, staff, instructors, foundation, or emeritus) are set to expire on the Wednesday following final exam week of the quarter, and all accounts expired for more than two quarters are deleted.

---

Groups...

1.2 Peruse Groups

Users can list all groups. Groups whose visibility is members only are listed only if the user is a member of the group.

---

1.3 Group Status and Configuration

groupname:

---

1.4 Create a Group

groupname:
group title:

An Intranet group is a collection of users. Groups can be created for the purpose of having group mailing lists, group directories, and/or group access privileges. There are two kinds of groups, manually-populated and automatically-populated. The membership of a manually-populated group is maintained manually by one or more group administrators. The membership of an automatically-populated group is maintained automatically according to information in the University database. Any account administrator (in the group group-admin) can create a manually-populated group.

When a manually-populated group is created:

1. Information about the group is stored in the Security Registry:

   • groupname
     The groupname is selected in the group creation form. The groupname must consist of between 2 and 50 lowercase letters, digits, underscores and/or dashes, begin with a lowercase letter, and be distinct from all Intranet usernames and mail aliases. For example, the groupname for the group of all Cal Poly Pomona Intranet users is csupomona. The groupname can be changed by an account administrator.

   • group title
     The group title is selected in the group creation form. The group title must consist of at most 50 letters, digits, underscores, and/or spaces. For example, the title of the group csupomona is Cal Poly Pomona Intranet Users.

   • members
     The list of initial members is selected in the group creation form. The membership of a manually-populated group can be updated by a group administrator.

2. A group can optionally have group administrators, who are users with the privilege to add and remove members, and to control access to files in the group directory. Group administrators aren't members of the group by default, so they must be explicitly included among the initial members if they are to be members. The administrators of the group groupname form another group whose groupname is groupname-admin.

3. The group visibility determines who can list the members and administrators of the group. If the group visibility is:

   • all users
     Any user can list the members and administrators.

   • members only
     Any member (in the group groupname) can list the members and administrators.

4. If requested, the group directory /dfs/group/groupname is created with the directory quota selected in the group creation form. This is the directory where the files on which the group collaborates reside. The group directory can be accessed through the Web using the URL http://www.csupomona.edu/~groupname/. The group directory is essentially public and accessible by all members as described by its default access control lists (ACLs):

   default file ACL

   type	name	read	write	execute	control
   user	username
   group	groupname
   other	Internet
   group	groupname-admin

   default directory ACL

   type	name	read	write	search	control	insert	delete
   user	username
   group	groupname
   other	Internet
   group	groupname-admin

5. The group mailbox /dfs/group/groupname/.mail/mail is created in the group directory. Messages addressed to groupname@intranet.csupomona.edu are delivered and appended to the group mailbox. Users authorized to read a group mailbox can configure a group mailbox to appear among their mail folders.

6. The group mailing list is created. Group administrators can configure group mail distribution so that messages addressed to groupname@intranet.csupomona.edu are delivered and appended to each member's user mailbox.

---

2 File and Directory Services

2.1 Control Access to Files and Directories

your home directory:	~
user directory:	/dfs/user/
group directory:	/dfs/group/

Every file and directory has an access control list (ACL), which describes the access allowed by a list of users and/or groups. File and directory ACLs can be viewed and modified through the Web using an access control short form or long form, or can be modified through the Unix shell using the aclmod command. After a file or directory is identified, an access control short form is displayed. Click on the black triangular button to switch to the long form () or short form ():

Access Control Short Form

Here is an example of a short form directory ACL followed by a directory listing:

throughout directory: /dfs/user/username
type	name	read	write
other	Internet
usergroup
usergroup

	Name	Size	Last Modified
	classes	1K	Fri Mar 26 15:37:36 1999
	images	1K	Sat Jul 3 18:12:55 1999
	index.html	2K	Tue Jul 6 14:49:50 1999

Each row in the ACL describes the read and write access to the directory allowed by a user, group or others.

The owner implicitly retains full access. If users explicitly named in the ACL try to access the directory, they have exactly the access allowed by that row of the ACL. If members of a group named in the ACL try to access the directory, they have the collective access allowed by every group in which they are a member. If other users try to access the directory, they have the access allowed by anyone on the Internet.

Access to the directory can be modified by checking the desired access checkboxes and clicking on the upper "Modify Access" button. If you wish to specify access allowed by a user or group that doesn't appear in the ACL, use one of the blank entries at the end of the ACL to choose either user or group, specify the username or groupname and select the desired access. If you wish to deny all access to a user or group that appears in the ACL, uncheck all of the access checkboxes and click on the upper "Modify Access" button.

SECURITY WARNINGS

• Granting read access to a directory allows reading throughout the directory, i.e., to all existing and future files and subdirectories therein. Be careful not to unintentionally grant sweeping read access to private files and directories.

• Granting write access to a directory allows writing, insertion and deletion throughout the directory, i.e., to all files and subdirectores therein. Be careful not to unintentionally grant sweeping write access by untrusted users, groups or others.

Here is an example of a short form file ACL:

to file: /dfs/user/username/index.html
type	name	read	write
other	Internet
usergroup
usergroup

Each row in the ACL describes the read and write access to the file allowed by a user, group or others.

The owner implicitly retains full access. If users explicitly named in the ACL try to access the file, they have exactly the access allowed by that row of the ACL. If members of a group named in the ACL try to access the file, they have the collective access allowed by every group in which they are a member. If any other users try to access the file, they have the access allowed by anyone on the Internet.

Access to the file can be modified by checking the desired access checkboxes and clicking on the "Modify Access" button. If you wish to specify access allowed by a user or group that doesn't appear in the ACL, use one of the blank entries at the end of the ACL to choose either user or group, specify the username or groupname and select the desired access. If you wish to deny all access to a user or group that appears in the ACL, uncheck all of the access checkboxes and click on the "Modify Access" button.

Access Control Long Form

Here is an example of a long form directory ACL followed by a directory listing:

to directory: | to new files in directory | to new directories in directory recursively /dfs/user/username
type	name	read	write	search	control	insert	delete
owner	username
group	csupomona
other	Internet
usergroup
usergroup

to selected files and directories: recursively
		Name	Size	Last Modified
		classes	1K	Fri Mar 26 15:37:36 1999
		images	1K	Sat Jul 3 18:12:55 1999
		index.html	2K	Tue Jul 6 14:49:50 1999

Each row in the ACL describes the access to the directory allowed by a user or group. The first row shows the owner's username and access, the second row shows the primary group's groupname and access, the third row shows the access allowed by anyone on the Internet, and the subsequent rows show additional users' and groups' names and access.

If the owner or other users explicitly named in the ACL try to access the directory, they have exactly the access allowed by that row of the ACL. If members of a group named in the ACL try to access the directory, they have the collective access allowed by every group in which they are a member. If other users try to access the directory, they have the access allowed by anyone on the Internet.

• read access is needed to read the directory contents, i.e., to see the directory listing.
• write access is needed to write or modify the directory contents, i.e., to insert, delete, or rename files in the directory listing.
• search access is needed to locate a file or subdirectory in the directory. This implies that a user has no access to a file or directory unless they have search access on all of the enclosing directories.
• control access is needed to modify the ACL of the directory, i.e., to control what access is allowed by users and/or groups. Control access is always retained by the directory's owner.
• insert access is needed to insert a file or subdirectory in the directory.
• delete access is needed to delete a file or subdirectory in the directory.

Access to the directory can be modified by checking the desired access checkboxes and clicking on the upper "Modify Access" button. If you wish to specify access allowed by a user or group that doesn't appear in the ACL, use one of the blank entries at the end of the ACL to choose either user or group, specify the username or groupname and select the desired access. If you wish to deny all access to a user or group that appears in the ACL, uncheck all of the access checkboxes and click on the upper "Modify Access" button.

There are two ways to make sweeping changes to the ACLs of multiple files and directories at once when viewing a directory ACL.

1. If you wish to apply the access specified for the directory recursively to the directory and all files and subdirectories therein, check the "recursively" checkbox before clicking on the upper "Modify Access" button. Note that search access translates to execute access when applied to files, and insert and delete access have no relevance when applied to files.

2. If you wish to apply the access specified for the directory to selected files and subdirectories within the directory, check the checkboxes in the left margin next to the selected files and subdirectories, and click on the lower "Modify Access" button. If you wish to apply the access specified for the directory recursively to selected files and subdirectories and all files and subdirectories therein, check the "recursively" checkbox before clicking on the lower "Modify Access" button. Note that search access translates to execute access when applied to files, and insert and delete access have no relevance when applied to files.

Every directory has two additional ACLs--a default file ACL and default directory ACL--which determine ACLs on new files and directories created in the directory. The default file ACL can be viewed and modified by clicking on "new files in directory". The default directory ACL can be viewed and modified by clicking on "new directories in directory". Default file and directory ACLs can be modified and sweeping changes can be made at once as described above for file and directory ACLs. Careful attention to default file and directory ACLs insures that the file system grows with the desired access controls.

Here is an example of a long form file ACL:

to file: /dfs/user/username/index.html
type	name	read	write	execute	control
owner	username
group	csupomona
other	Internet
usergroup
usergroup

Each row in the ACL describes the access to the file allowed by a user or group. The first row shows the owner's username and access, the second row shows the primary group's groupname and access, the third row shows the access allowed by anyone on the Internet, and the subsequent rows show additional users' and groups' names and access.

If the owner or other users explicitly named in the ACL try to access the file, they have exactly the access allowed by that row of the ACL. If members of a group named in the ACL try to access the file, they have the collective access allowed by every group in which they are a member. If any other users try to access the file, they have the access allowed by anyone on the Internet.

• read access is needed to read the file contents.
• write access is needed to write or modify the file contents.
• execute access is needed to run the file if it's executable or interpret the file if it's a script.
• control access is needed to modify the ACL of the file, i.e., to control what access is allowed by users and/or groups. Control access is always retained by the file's owner.

Access to the file can be modified by checking the desired access checkboxes and clicking on the "Modify Access" button. If you wish to specify access allowed by a user or group that doesn't appear in the ACL, use one of the blank entries at the end of the ACL to choose either user or group, specify the username or groupname and select the desired access. If you wish to deny all access to a user or group that appears in the ACL, uncheck all of the access checkboxes and click on the "Modify Access" button.

---

2.2 Mount a Directory as a Windows Share

Windows 95, 98, NT and 2000 workstation users can mount directories as shares on their desktop and map network drives (E:, F:, G:,...) to directories.

Workstation Configuration

• Your workstation must be correctly configured to allow you to mount directories as shares. Achieving a robust and reliable Windows file sharing configuration seems to be as much art as science, but the facility is well worth pursuing, and I wish you the best of luck. Open the Control Panel window, double-click on the Network control panel and click on the Configuration tab.

  1. If the Client for Microsoft Networks isn't installed, add it using the Add... button.

  2. If the TCP/IP protocol isn't installed, add it using the Add... button and configure its properties.

     • Click on the IP Address properties. If you have a dial-up connection or reside in a subnet that automatically assigns IP addresses, check Obtain an IP address automatically; otherwise, check Specify an IP address and enter your given IP address (usually of the form 134.71.subnet.number) and Subnet Mask (usually 255.255.254.0).

     • Click on the Gateway properties. If you checked Specify an IP address in the IP Address properties, make sure a gateway is listed in the Installed gateways (usually of the form 134.71.subnet.2).

     • Click on the DNS Configuration properties and check Enable DNS. Make sure the domain csupomona.edu is listed in the Domain Suffix Search Order.

     • Click on the WINS Configuration properties and check Disable WINS Resolution.

     • Click on the Bindings properties, and check Client for Microsoft Networks.

Mounting Instructions

• If your Intranet account was created before July 1999 and you have not changed your password since July 1999, password verification fails. Change your password (to itself, if desired) to enable password verification using Microsoft's challenge and response method.

• Windows requests and stores your username and password when it starts, and provides the stored username and password to the file server when you mount directories on your desktop. If the username you entered wasn't your Intranet username, then you should restart Windows and enter your Intranet username. It isn't necessary to enter the password when the workstation starts; it can be provided when the file server is first used. We advise that you not save your password on your workstation.

• To map a network drive (E:, F:, G:,...) to a directory:

  1. Right-click on the icon labeled Network Neighborhood and select Map Network Drive...

  2. Enter a drive letter in the box labeled Drive:, enter one of the available shares in the box labeled Path:, and click on the button labeled OK. The available shares are:

     • \\files\username  (95 or 98)
       \\files.csupomona.edu\username  (NT or 2000)

       The drive letter is mapped to the user directory /dfs/user/username.

     • \\files\groupname  (95 or 98)
       \\files.csupomona.edu\groupname  (NT or 2000)

       The drive letter is mapped to the group directory /dfs/group/groupname.

     • \\files\winlicense  (95 or 98)
       \\files.csupomona.edu\winlicense  (NT or 2000)

       The drive letter is mapped to the Windows licensed software directory /dfs/os/windows/license.

     • \\files\winpublic  (95 or 98)
       \\files.csupomona.edu\winpublic  (NT or 2000)

       The drive letter is mapped to the Windows public software directory /dfs/os/windows/public.

• To mount a directory on the desktop of a Windows workstation:

  1. Right-click on the icon labeled Network Neighborhood and select Find Computer...

  2. Enter the computer name files in the box labeled Named: and click on the button labeled Find Now.

  3. If a computer named files is found, double-click on it. If it isn't found, then the workstation probably wasn't configured as described above.

  4. A list of shares available on files is displayed, from which you select those to be mounted. The available shares are:

     • username
       
       The user directory /dfs/user/username.

     • winlicense
       
       The Windows licensed software directory /dfs/os/windows/license.

     • winpublic
       
       The Windows public software directory /dfs/os/windows/public.

  5. If you didn't enter your password when Windows started, your password is requested.

Access to files and directories through a Windows workstation is controlled by ACLs. Read access is needed to open a file or view a directory listing; write/insert access is needed to save a file or make a directory; delete access is needed to delete a file. Remember that you can make shortcuts to mounted shares.

---

2.3 Transfer Files and Directories through FTP

Files and directories can be transferred through the File Transfer Protocol (FTP). FTP clients can connect to a directory on an FTP server by supplying the following essential information:

server name	ftp.csupomona.edu
username	your username
password	your password
remote directory	specify a directory

The remote directory is optional,and if omitted a connection is made to your home directory. Users connecting to group directories should specify a directory of the form /dfs/group/groupname. File and directory ACLs are respected by the FTP server; a user needs read access to get a file or view a directory listing, write/insert access to put a file or make a directory, and delete access to delete a file.

Users can browse files and directories through FTP using URLs of the form

ftp://username@ftp.csupomona.edu/dfs/user/username,

that include your username (username), the name of the FTP server (ftp.csupomona.edu), and a file or directory (e.g., /dfs/user/username).

---

3 Web Publishing Services

3.1 Publish Web Pages

Every file and directory can be published through the Web server to an audience selected by the file or directory owner.

Referring to Files and Directories through the Web

Web browsers refer to files and directories using addresses known as Uniform Resource Locators (URLs). A file URL has the general form

http://www.csupomona.edu/directory_path/filename

and a directory URL has the general form

http://www.csupomona.edu/directory_path/.

When a file URL is requested by a Web browser, the Web server looks for the file filename within the directory specified by the directory_path, and delivers it to the browser (subject to access controls as described below).

When a directory URL is requested by a Web browser, the Web server looks for an index file named index.html, index.htm, or index.shtml (in that order) within the directory specified by the directory_path. If an index file is found, the Web server delivers it to the browser (subject to access controls as described below). If no index file is found, a directory listing is delivered to the browser (subject to access controls as described below).

The directory_path may have the form ~username or ~groupname, in which case it specifies the user directory /dfs/user/username or the group directory /dfs/group/groupname. For example, my user directory /dfs/user/carich can be referred to using the URL http://www.csupomona.edu/~carich/ and the Computer Science Department group directory /dfs/group/cs can be referred to using the URL http://www.csupomona.edu/~cs/. The directory_path may also be the name of any directory with the prefix /dfs/ omitted. For example, the MacOS software directory /dfs/os/mac (which is neither a user directory nor a group directory) can be referred to using the URL http://www.csupomona.edu/os/mac/.

Controlling Access to Files and Directories through the Web

The Web server respects the access control lists (ACLs) associated with every file and directory, so that file or directory owners can control access to files and directories through the Web (and all other mechanisms, for that matter) by setting appropriate ACLs.

Before the Web server delivers a file to the browser, it checks if read access to the file and search access on every directory enclosing the file is allowed by anyone on the Internet. If so, the request is considered to be an unauthenticated request and the file is delivered without asking for the browser's username and password. If not, the request is considered to be an authenticated request and the Web server asks for a username and password from the Web browser to determine which user is browsing. If the user is a valid Intranet user with read access to the file and search access on every directory enclosing the file, then the file is delivered.

Note: Once you have supplied your username and password to your Web browser at the request of the Web server, your Web browser stores the username and password so that you won't be bothered to supply them on subsequent requests from the Web server; in a sense, this is like "logging in" to your Web browser. You shouldn't leave a Web browser unattended if you have supplied your username and password, because someone could use it to browse files or directories that only you should see. You also shouldn't assume that a request was unauthenticated simply because your Web browser didn't ask for your username and password; it may be using one that it had stored. The only way to make a Web browser forget your username and password is to quit your browser.

Delivering Files of Various Multimedia Types through the Web

The Web server can deliver files of various multimedia types through the Web and inform your Web browser which type was sent using Multipurpose Internet Mail Extension (MIME) information. If your Web browser has been configured to properly recognize and handle (using helper applications or plug-ins) the types of documents you browse, then your multimedia Web browsing experience will be seamless.

The only way the Web server can determine the type of multimedia stored in a file is to recognize conventional filename suffixes. In order to have files delivered with accurate type information, you should name them with conventional suffixes. For example, HTML pages should have names ending with .html or .htm, GIF images should have names ending with .gif and Microsoft Word documents should have names ending with .doc. Consult the authoritative list of MIME types and conventional suffixes recognized by the Web server. If you want to serve multimedia types that aren't currently recognized, please notify webmaster@csupomona.edu and we will include them.

---

3.2 Check Web Page Links

your home directory:	~
user directory:	/dfs/user/
group directory:	/dfs/group/
	last link check report
	last link check report

Users can check Web page links within a file or directory. Enter the name of an HTML file or a directory containing HTML files and click on a "Check" button. A cross-referenced hypertext report is displayed on your browser and stored in your user directory /dfs/user/username/.linklint.

The link checker recursively checks Uniform Resource Locators (URLs) starting with the URL of the file or directory entered. Specifically, when a URL is checked:

1. If the URL doesn't begin with http://www.csupomona.edu/, it is reported it as an "other link".

2. If the URL refers to a file or directory that doesn't exist or to which you aren't allowed access, it is highlighted and reported as a "missing file".

3. If the URL refers to a file or directory outside the file or directory originally entered, it is reported as a "file skipped".

4. Otherwise, the URL is reported as "found" and every URL contained in the file or directory listing that the Web server would deliver is recursively checked.

---

3.3 Develop Common Gateway Interfaces (CGIs)

Users can develop Common Gateway Interface (CGI) scripts that are executed on demand through the Cal Poly Pomona Web. CGI scripts can be executable binaries produced from a compiled language (e.g., C or C++) or scripts written in an interpreted language (e.g., perl or sh). There are user CGI and group CGI scripts that operate under the following conditions:

user CGI

• A user CGI can be executed through the Cal Poly Pomona Web using a URL of the form http://www.csupomona.edu/cgi-user/username/path/script, where username is the username of the CGI file owner, /dfs/user/username/path is the directory containing the CGI file and script is the name of the CGI file.

• For debugging purposes, a user CGI can be executed through the Cal Poly Pomona Web using a URL of the form http://www.csupomona.edu/cgi-userd/username/path/script. In addition to the intended standard output, debugging output and standard error output are directed back to the browser rather than the Web server error logs.

• The CGI file must be owned by the user username that appears in the URL.

• The CGI file must reside within the user directory /dfs/user/username.

• path must include a subdirectory named cgi-bin. This allows CGI authors to segregate scripts that can be executed as CGIs from those that cannot. For example, a user CGI file might reside in a directory named /dfs/user/username/cgi-bin or /dfs/user/username/project/cgi-bin.

• The ACLs on all directories enclosing the CGI file must allow search access by anyone on the Internet.

• If the ACL on the CGI file allows execute access by anyone on the Internet, then the CGI is executed as an unauthenticated user CGI with the (relatively weak) access privileges of anyone on the Internet. Any files or directories that the CGI seeks to read and/or write must have ACLs that allow read and/or write access by anyone on the Internet. If the CGI is written in an interpreted language, then the ACL on the CGI file must also allow read access by anyone on the Internet.

• If the ACL on the CGI file doesn't allow execute access by anyone on the Internet, then the CGI is executed as an authenticated user CGI with the access privileges of the owner, if possible. The owner of an authenticated user CGI must have previously escrowed their password for CGI authentication, so that their access privileges can be obtained by the Web server on demand. Any files or directories that the CGI seeks to read and/or write must have ACLs that allow read and/or write access by the owner. The ACL on the CGI file must allow execute access by the owner. If the CGI is written in an interpreted language, then the ACL on the CGI file must also allow read access by the owner.

group CGI

• A group CGI can be executed through the Cal Poly Pomona Web using a URL of the form http://www.csupomona.edu/cgi-group/groupname/path/script, where groupname is the name of a group containing the CGI file owner, /dfs/group/groupname/path is the directory containing the CGI file and script is the name of the CGI file.

• For debugging purposes, a group CGI can be executed through the Cal Poly Pomona Web using a URL of the form http://www.csupomona.edu/cgi-groupd/groupname/path/script. In addition to the intended standard output, debugging output and standard error output are directed back to the browser rather than the Web server error logs.

• The CGI file must be owned by a user who is a member of the group groupname that appears in the URL.

• The CGI file must reside within the group directory /dfs/group/groupname.

• path must include a subdirectory named cgi-bin. This allows CGI authors to segregate scripts that can be executed as CGIs from those that cannot. For example, a group CGI might reside in a directory named /dfs/group/groupname/cgi-bin or /dfs/group/groupname/project/cgi-bin.

• The ACLs on all directories enclosing the CGI file must allow search access by anyone on the Internet.

• If the ACL on the CGI file allows execute access by anyone on the Internet, then the CGI is executed as an unauthenticated group CGI with the (relatively weak) access privileges of anyone on the Internet. Any files or directories that the CGI seeks to read and/or write must have ACLs that allow read and/or write access by anyone on the Internet. If the CGI is written in an interpreted language, then the ACL on the CGI file must also allow read access by anyone on the Internet.

• If the ACL on the CGI file doesn't allow execute access by anyone on the Internet, then the CGI is executed as an authenticated group CGI with the access privileges of the owner, if possible. The owner of an authenticated group CGI must have previously escrowed their password for CGI authentication, so that their access privileges can be obtained by the Web server on demand. Any files or directories that the CGI seeks to read and/or write must have ACLs that allow read and/or write access by the owner. The ACL on the CGI file must allow execute access by the owner. If the CGI is written in an interpreted language, then the ACL on the CGI file must also allow read access by the owner.

---

3.4 Escrow your Password for CGI Authentication

	your encrypted password to the escrow
	your encrypted password from the escrow

Common Gateway Interface (CGI) scripts you own can be executed with your access privileges through the Cal Poly Pomona Web, provided that you have escrowed your password for CGI authentication. When you add your password to the escrow, it is encrypted and stored in a place accessible only by the Web server. When your authenticated user or group CGI is subsequently executed at the request of a browser on the Internet, the Web server retrieves your encrypted password, decrypts it, acquires your access privileges from the Security Registry, and executes the CGI with your access privileges.

SECURITY WARNINGS

• Since an authenticated user or group CGI is executed with the access privileges of the owner at the request of any browser on the Internet, it can potentially do anything the owner could do through the Unix shell. CGI owners are responsible for insuring that the CGI cannot be exploited in ways that cause harm. Authenticated CGI execution is allowed because few users have sufficient access privileges to harm the Intranet infrastructure; however, every user has sufficient access privileges to harm themselves. You should be aware that there are people on the Internet who are very skilled at exploiting poorly designed CGIs.

• Although escrowed passwords are strongly encrypted and stored in a place accessible only by the Web server, they aren't as secure as passwords stored in the Security Registry. Users who escrow their passwords for CGI authentication are trading a little password security for the ability to have their CGIs executed with their access privileges--an ability necessary if the CGI seeks to read or write files that shouldn't be read or written by anyone on the Internet. If it makes you feel any better, I've escrowed my password.

• Escrowed passwords aren't changed when a user changes their password, so authenticated CGI owners must re-escrow their password for CGI authentication after they change it. If you don't escrow your password again after changing it, the Web server is unable to acquire your access privileges and your authenticated user or group CGI fails to execute properly.

---