
Restricting Users

If you want to restrict the users that can access a particular area of the server, you would define a protection class as follows:

Protection WEBWEAVERS {
AuthType Basic
PasswordFile /WWW/Admin/passwd
GetMask handley, crowcroft
}

Protect /secret/* WEBWEAVERS

Here, the Protection command specifies a password file (the PasswordFile line). The password file can be maintained using the htadm program available with the CERN server. Unix-format password files are also understood.

The entries specified here as the GetMask correspond to entries in the password file, and the user will be prompted for a username and password before being able to access the files specified by the Protect command.

More subtle restrictions can be placed by using a group file. Suppose we had the following group file, called /WWW/Admin/group:

webweavers: handley, crowcroft
syspeople: jonathan, barry, ray, steve
trusted: authors, syspeople, anne
uclcs: @*.cs.ucl.ac.uk, @128.16.*, @193.63.58.*
verysecure: trusted@*.cs.ucl.ac.uk

This is then used as:

Protection VERYSECURE {
AuthType Basic
PasswordFile /WWW/Admin/passwd
GroupFile /WWW/Admin/group
GetMask verysecure
}

Protect /secret/* VERYSECURE

This would restrict access to the /secret directory to trusted people only, and even then only when they connect from a local machine.

Note that the values you can use for GetMask can be user names, group names, or of the form group@address, where address may contain wildcards. The group part can be left blank if required, which means anyone can connect from the specified host(s).
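
The matching rules described above can be modelled in a few lines of Python, which is useful for checking what a group file actually grants before deploying it. This is an added example, not code from the CERN server or from the original page; the function names parse_groups and allowed are hypothetical, and treating a name that has no group definition as a plain user name is an assumption of the model.

```python
from fnmatch import fnmatchcase

# Group file from the page, embedded inline so the example runs offline.
GROUP_FILE = """\
webweavers: handley, crowcroft
syspeople: jonathan, barry, ray, steve
trusted: authors, syspeople, anne
uclcs: @*.cs.ucl.ac.uk, @128.16.*, @193.63.58.*
verysecure: trusted@*.cs.ucl.ac.uk
"""

def parse_groups(text):
    """Return {group name: [entries]} from 'name: a, b, c' lines."""
    groups = {}
    for line in text.splitlines():
        if ":" in line:
            name, members = line.split(":", 1)
            groups[name.strip()] = [m.strip() for m in members.split(",") if m.strip()]
    return groups

def allowed(mask, user, addrs, groups, seen=frozenset()):
    """True if `user`, connecting from any hostname/IP in `addrs`, satisfies `mask`."""
    for entry in (e.strip() for e in mask.split(",")):
        who, at, pattern = entry.partition("@")
        # An address part, if present, must match the client's hostname or IP.
        if at and not any(fnmatchcase(a.lower(), pattern.lower()) for a in addrs):
            continue
        if who == "":
            if at:                         # blank group part: any user from that host
                return True
        elif who in groups:                # group name: expand, guarding against cycles
            if who not in seen and allowed(", ".join(groups[who]), user, addrs,
                                           groups, seen | {who}):
                return True
        elif who == user:                  # assumption: undefined names are user names
            return True
    return False

if __name__ == "__main__":
    groups = parse_groups(GROUP_FILE)
    # Constructed sample clients (hostnames are made up for the demonstration).
    for user, addrs in [("anne", ["pc1.cs.ucl.ac.uk"]), ("anne", ["host.example.com"]),
                        ("handley", ["pc1.cs.ucl.ac.uk"])]:
        print(user, addrs, allowed("verysecure", user, addrs, groups))
```

In this model handley is refused by verysecure even from a cs.ucl.ac.uk host, because trusted refers to authors, which the group file shown above never defines.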



Jon Crowcroft
Wed May 10 11:46:29 BST 1995