The USENIX Special Interest Group for Sysadmins

Netscape Enterprise Server Details

Create an Unprivileged User for the Web Server Daemon

One easy way to reduce your exposure to attack when running a web server is to create a unique unprivileged userid and group for the server application. The userid/group nobody is frequently used for this purpose, but it can be used by other services, thus introducing another vulnerability.

Use the following command line entries as patterns for creating the unprivileged group and user account:

groupadd httpd
useradd -d </opt/ns-home> -g httpd -s /bin/false -c "Web Server User" httpd

To make sure the user account you created can't be used to log on, check /etc/shadow. The password field for the httpd user should contain the entry *LK*, indicating that the account is locked and cannot be used to log in.

httpd:*LK*:::::::
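
The checks described above can be scripted. The following is an added example, not part of the original page: it verifies that the account is locked with the *LK* marker, has /bin/false as its shell, and does not share its uid or primary gid with another account (the reason given above for avoiding nobody). The function name and finding messages are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): check a service account against
# passwd- and shadow-format files given as arguments.

# account_findings USER PASSWD_FILE SHADOW_FILE
# Prints one line per problem; prints nothing if the account is as intended.
account_findings() {
    awk -F: -v u="$1" '
        $1 == u { uid = $3; gid = $4; shell = $7; found = 1 }
        { uids[$3] = uids[$3] " " $1; nu[$3]++     # accounts per uid
          gids[$4] = gids[$4] " " $1; ng[$4]++ }   # accounts per primary gid
        END {
            if (!found) { print "no passwd entry for " u; exit }
            if (shell != "/bin/false") print "login shell is " shell
            if (nu[uid] > 1) print "uid " uid " shared by:" uids[uid]
            if (ng[gid] > 1) print "gid " gid " shared by:" gids[gid]
        }' "$2"
    awk -F: -v u="$1" '
        $1 == u { seen = 1
                  if ($2 != "*LK*") print "password field is not *LK*" }
        END { if (!seen) print "no shadow entry for " u }' "$3"
}

# Usage (as root): sh check-account.sh httpd /etc/passwd /etc/shadow
# The script name is hypothetical.
if [ $# -eq 3 ]; then
    account_findings "$1" "$2" "$3"
fi
```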

Install the Administration Server

Netscape provides an installation script for installing the Enterprise Administration server. To start the installation process, execute the ns-setup script provided with the distribution. You will be prompted to provide the following configuration information for the Administration server.

| Prompt | Response |
|---|---|
| Installation Directory | By convention, shared third-party applications are installed in the /opt directory. The root directory for a Web server, commonly referred to as the Server Root directory, would thus be a subdirectory in /opt (e.g., /opt/ns-home). |
| Full Name | Enter the fully qualified DNS name for your server. This name must be aliased in your /etc/hosts file. |
| Admin Server Port | Use the randomly selected default port number or choose any number above 1024. |
| Run admin server as [root] | The Enterprise server documentation recommends running the Admin server as root. |
| Suitespot user [nobody] | Use the username created above, i.e., httpd. |
| Suitespot group [nobody] | Use the group created above, i.e., httpd. |
| Enter path to 2.x version y | If you are upgrading, enter the path of the original Enterprise server installation. |
| Are you using an LDAP? [no] | no: Unless you are using a separate LDAP server, the Enterprise server will use a local database in the Server Root directory. This database is used to store information about users and groups for access control. Otherwise, enter yes and then enter the appropriate information. |
| Access username [admin] | This is not a UNIX user account name. It is an account only used by Netscape Admin Server for access control. |
| Password for admin user | Make it a good one. |
| Netscape navigator [netscape] | None: If the operating system has been set up according to the directions outlined in the Solaris Security Guide, OpenWindows is not available, and a local browser cannot be used. The server must be administered from a remote machine. In order to do that, you must edit the addresses directive in the Admin Server configuration file (/opt/ns-home/admin-serv/config/ns-admin.conf) to include the IP address of the authorized remote workstation. |

Install the Web Server

To make your Web server more secure, use a separate disk partition for your Web content. Create a unique mount point for this directory: htdocs is a good name to use, but make it outside the application directory. You'll need to update /etc/vfstab to mount this partition as part of the server boot process. This directory must exist and be mounted before you create the Web server.

From a browser on a remote machine, go to http://servername:port/, using the servername and port defined above.

Select the "Create New Netscape Enterprise Server 3.0" hyperlink. Complete the configuration form as outlined.

| Prompt | Response |
|---|---|
| Server Name | Enter the fully qualified DNS name of your server. |
| Bind Address | Leave this blank, unless you are using multiple IP addresses for your server. |
| Server Port | The default port is 80. If you are going to use SSL, the default is 443. You can change the port number if you wish. |
| Server Identifier | Enter a name for the admin server to use to identify your Web server, i.e., hostname. |
| Server User | This is the name that the server process runs as, e.g., httpd. |
| MTA Host | Not typically used; consult vendor documentation for details. |
| NNTP Host | Not typically used; consult vendor documentation for details. |
| Name Resolution | Select "Never attempt to resolve IP addresses into hostnames." |
| Document Root | Enter the directory name, e.g., /htdocs. Note: This directory must exist on your server. |

Set Directory and File Permissions

The Netscape Enterprise Server installation script sets the file and directory permissions that are required for proper operation of the server. We cannot change some of these Netscape permissions. Because the Enterprise Server uses the Admin interface for defining configuration settings, it uses internal access control mechanisms outside of UNIX file permissions (the Admin user is defined during installation).

However, we still need to define additional access privileges for the Web server and related files. We can break users into three groups. These groups are based on functional roles:

| Role | Description |
|---|---|
| Webmaster | A (hopefully) small group that maintains the server |
| Web developer | Those who develop programs (CGI scripts, JavaScript, etc.) |
| Web author | Those who develop Web pages |

The following matrix lists permissions for each relevant directory by group role. This matrix is based in part on recommendations provided in Lincoln Stein's Web Security. Note that you will have to add some individuals to multiple groups to provide the required levels of access.

| Group | Configuration | CGI | Documents |
|---|---|---|---|
| Webmaster | rwx | rwx | rwx |
| Web developer | - | rwx | rwx |
| Web author | - | r-x | rwx |


  • Create the appropriate groups
    groupadd webmstr
    groupadd webdev
    groupadd webauth
  • Make sure only root can start and stop the server dæmons:
    chmod 700 /opt/ns-home/start-admin (-rwx------)
    chmod 700 /opt/ns-home/stop-admin (-rwx------)
    chmod 700 /opt/ns-home/restart-admin (-rwx------)
    chmod 700 /opt/ns-home/https-"alias"/start (-rwx------)
    chmod 700 /opt/ns-home/https-"alias"/stop (-rwx------)
    chmod 700 /opt/ns-home/https-"alias"/restart (-rwx------)
  • Change group ownership of specific server subdirectories:
    chgrp -R webmstr /opt/ns-home/https-"alias"/config
    chgrp -R webdev /opt/ns-home/cgi-bin
    chgrp -R webauth <Document Root>
  • Change permission for the configuration directory and files:
    chmod 771 /opt/ns-home/https-"alias"/config (drwxrwx---)
    chmod 664 /opt/ns-home/https-"alias"/config/* (-rw-rw----)
  • Change permission for the cgi-bin directory and files.  NOTE: Stein recommends file mode 775 for interpreted scripts and 771 for compiled scripts:
    chmod 2771 /opt/ns-home/cgi-bin (drwxrws--x)
    chmod 775 /opt/ns-home/cgi-bin/* (-rwxrwxr-x)
  • Change permission for the htdocs directory, subdirectories, and files:
    find /htdocs -type d -exec chmod 2771 {} \; (drwxrws--x)
    find /htdocs -type f -exec chmod 664 {} \; (-rw-rw-r--)

NOTE: In Web Security Lincoln Stein recommends using mode 2xxx (i.e., setting the SGID bit) for some server directories. His point is that this makes file and directory sharing easier for members of the groups involved in maintaining parts of the server. We followed his recommendations for the server's cgi-bin and Document Root directories, but users will still have to manually change file permissions to allow group write/execute permissions on any new files added to these directories. We do not feel it is appropriate to change the users' UMASK value to automatically allow group write access on files.
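
Because new files do not pick up group write permission automatically, the trees drift from the modes listed above as content is added. The following added example (not part of the original page) reports every directory or file whose mode differs from the symbolic modes given in the list; the function and script names are hypothetical, and the two paths are supplied as arguments.

```shell
#!/bin/sh
# Added example (not from the original page): report entries whose mode differs
# from the symbolic modes the checklist gives for a directory tree.

# First 10 characters of the `ls -l` mode field (drops any trailing ACL mark).
mode_of() {
    ls -ld -- "$1" | awk 'NR == 1 { print substr($1, 1, 10) }'
}

# audit_tree ROOT DIRMODE FILEMODE
# Prints "<actual> <expected> <path>" for each directory or regular file under
# ROOT that does not match; prints nothing when the tree is clean.
audit_tree() {
    find "$1" \( -type d -o -type f \) -print |
    while IFS= read -r path; do
        if [ -d "$path" ]; then want=$2; else want=$3; fi
        got=$(mode_of "$path")
        [ "$got" = "$want" ] || printf '%s %s %s\n' "$got" "$want" "$path"
    done
}

# Usage: sh audit-modes.sh DOCROOT CGIDIR   (script name is hypothetical)
if [ $# -eq 2 ]; then
    audit_tree "$1" drwxrws--x -rw-rw-r--    # Document Root: 2771 / 664
    audit_tree "$2" drwxrws--x -rwxrwxr-x    # cgi-bin:       2771 / 775
fi
```

A file uploaded under a default umask of 022 shows up as `-rw-r--r-- -rw-rw-r-- <path>`, which is the case the note above says must be corrected by hand.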


Configure the Web Server

To configure the Web server, select the "Configure your server further" hyperlink immediately after installing the Web server, or, from the Admin server main page, select the button identifying your server name.

Discussion of all of the possible configuration options is beyond the scope of this document. Listed below are server security–related options, categorized by the Netscape administration headings.

| Main Menu (along the top) | Subheading (within left frame) | Prompt (within right frame) | Response (within right frame) |
|---|---|---|---|
| Server Preferences | Symbolic Links | Allow soft filesystem links: | Select Never |
| | | Allow hard filesystem links: | Select No |
| | | From Directory: | Enter the absolute path of your Document Root |
| Programs | CGI Directory | URL prefix: | cgi-bin |
| | | CGI directory: | Enter the absolute pathname for your cgi directory. It should be outside your Document Root. This setting allows all CGI scripts to be run only from your strictly controlled cgi-bin directory. Install only those CGI scripts you have tested and found safe. |
| Content Management | Document Preferences | Index Filenames: | index.html |
| | | Directory Indexing | None: This setting turns off automatic directory listings. When directory indexing is enabled and the file named in Index Filenames is not found, the server sends the browser a list of all files and subdirectories in the directory. Clients can access any file or subdirectory in this list, even if no other document links to it. |
| | | Home Page | index.html |
| | | Default MIME Type | text/plain |
| | Parse HTML | Activate server-parsed HTML? | Select Yes, without exec tag |
| | | Parse which files? | Select Files with the extension .shtml |

Delete Unneeded HTML Documents

Remove all non-essential files from the directories under the Document Root directory.

It takes only a small error to cause your server to provide a listing of the files in a directory to a browser. If you've developed the habit of leaving files in the directories within your Document Root directory tree, thinking that they can't be accessed if they're not linked to some document, that one small mistake can lead to an unauthorized disclosure. A freshly installed Web server is the best time to start developing good file discipline.


Delete Unneeded CGI Scripts

Install only those CGI scripts you have tested and found safe. At least one of the commonly distributed scripts, phf, has been used to compromise several Web servers.

You should require that all CGI scripts be run only from your strictly controlled cgi-bin directory, and you should not allow the use of shell scripts.


Restrict Remote Operations

Permission to add files to a directory using FTP's PUT is controlled by file and directory permissions. The default configuration we specify will allow anyone in the webauth group to FTP files into your Document Root directory tree.

HTTP POST is controlled by turning on Web Publishing and setting up ACLs from within the Enterprise Server Admin interface. Read the vendor documentation for complete details.


Configure Server Auditing

Auditing is set up by default for both the Admin and Web servers.


Configure Access Control and Authentication

Access control and authentication are configured via the Admin interface. The details of setting up access control and authentication are available in the vendor documentation.


Provide a Security Banner

Use the following as an example:

######################################################################
This system is intended for authorized users only. Activity on this system is monitored and recorded. If monitoring reveals activities exceeding privileges, attempts to penetrate system security, or possible criminal activity, system personnel may provide evidence of such activity to law enforcement officials. If you continue past this point, you consent to this monitoring.
######################################################################