LinkScan

LinkScan for Unix. Reference Manual.

Section 27


LinkScan and Various Web Servers

This section discusses the use of LinkScan in conjunction with various web servers and the associated security implications:

  1. Web Server Requirements
  2. LinkScan and Apache
  3. LinkScan Access Controls
  4. LinkScan Security Considerations

27.1 Web Server Requirements

When LinkScan is used to scan a website, the results are stored in the LinkScan database. Reports are created by executing queries against that database with several CGI programs that are supplied with LinkScan.

Hence, LinkScan will normally require that web server software be installed, configured and running on the installation computer. Note that LinkScan doesn't require access to a local web server in order to scan a web site. But a local web server is usually required to view the results of that scan.

  • On Unix systems the LinkScan installation procedure assumes the availability of an existing web server, often Apache. See the LinkScan Installation and Startup Guide for Unix Systems.

The remainder of this section describes the use of LinkScan with various web servers and discusses the associated security considerations.

27.2 LinkScan and Apache

When using LinkScan with Apache (and most other web servers) two sets of requirements must be satisfied: those Apache imposes before it will run any CGI program, and those LinkScan itself imposes.

Apache Requirements

Apache normally requires that several conditions be satisfied before it will execute the LinkScan CGI programs -- or any other CGI program, for that matter:

  1. The CGI programs must be installed in a directory that is configured to permit CGI execution. This is typically a cgi-bin directory configured with an Apache ScriptAlias directive. However, any directory may be configured to permit CGI execution with the Apache directive Options ExecCGI.
  2. The CGI programs must have an appropriate file extension. Typically you will need an Apache AddHandler cgi-script .cgi directive.
  3. The CGI program and the directory in which it resides require appropriate permissions. Typically, one would use 711 for the directory and 755 for the CGI file. Neither should be group- or world-writable: anyone who can modify a CGI file can run arbitrary code as the web server user.
  4. The CGI program must not be owned by nobody (or whichever user Apache runs as). A script owned by the server user can be overwritten by any other CGI program, or by a compromised web process, running as that user.
  5. The CGI program must include a valid shebang header pointing at the Perl 5 executable on your computer. For example:

      #!/usr/local/bin/perl

Unless all of the above are satisfied, Apache will refuse to execute the CGI program and you will likely receive a 500 Server Error or 403 Forbidden response. The Apache error log normally states which condition failed.

LinkScan Requirements

LinkScan imposes certain additional (minimal) requirements:

  1. In the linkscan.sys configuration file, the Cgibinurl setting must be configured to point at the directory into which the LinkScan CGI programs have been installed. This is required so that the LinkScan CGI programs can link to each other. For example: Cgibinurl = http://www.example.com/cgi-bin/
  2. In the linkscan.sys configuration file, the Docsurl setting must be configured to point at a directory containing the LinkScan documentation and associated images. For example: Docsurl = http://www.example.com/linkscan/docs/
  3. An additional requirement is imposed if (and only if) the LinkScan CGI programs are installed in a directory other than the main LinkScan directory (for example, if you moved them to a cgi-bin directory). In this case, the LinkScan CGIs need to know where to find the rest of the LinkScan configuration files and databases. In the directory containing the LinkScan CGI programs, create a hidden file called .linkscan. This file must contain a single line with the full pathname of the main LinkScan directory. For example:

      /usr/linkscan/

      Be sure to include the leading and trailing forward-slash characters and make the file world readable (chmod 644 .linkscan). Do not make it writable by the web server user: whoever can rewrite this one line chooses which configuration files and databases the CGI programs load.

Although the above guidelines are presented in the specific context of the Apache web server, the basic principles are quite generic and may easily be adapted to almost any web server. Note also that LinkScan provides considerable flexibility; you may install the LinkScan CGI programs in one directory, the documentation in another and the main LinkScan system, including the databases, in a third. Indeed, LinkScan may easily be configured to run in chroot and other similar environments.
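The Apache and LinkScan conditions above are easy to get half right, and the symptom is the same 500 or 403 either way. The following preflight script is an added example, not part of LinkScan or its installer: it checks a deployed CGI file for the mode, ownership and #! header conditions of 27.2 (plus a CRLF-terminated header, a common cause of "bad interpreter" failures), validates the .linkscan pointer file, and confirms that Cgibinurl and Docsurl are set and end with a slash. The function names, the wording of the findings and the constructed demo tree are this example's own; /bin/sh stands in for the Perl interpreter in the fixture so that it runs on any Unix host.

```python
"""Preflight checks for a LinkScan CGI deployment (added example, not LinkScan's
own code). It turns the Apache and LinkScan conditions in 27.2 into checks run
against the deployed files. Function names, finding texts and the demo fixture
are this example's own; the file modes and the .linkscan, Cgibinurl and Docsurl
rules are the ones the text gives."""
import os
import pwd
import re
import stat
import tempfile


def check_cgi_file(path):
    """Return the findings for one CGI program (an empty list means it passes)."""
    findings = []
    if not path.endswith(".cgi"):
        findings.append("extension is not .cgi: 'AddHandler cgi-script .cgi' will not match")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o755:
        findings.append(f"mode is {mode:o}, expected 755")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is group- or world-writable")  # writers run code as the server user
    try:
        owner = pwd.getpwuid(os.stat(path).st_uid).pw_name
    except KeyError:
        owner = None
    if owner == "nobody":
        findings.append("file is owned by nobody")
    with open(path, "rb") as fh:
        first = fh.readline()
    if not first.startswith(b"#!"):
        return findings + ["first line is not a #! header"]
    words = first[2:].split()
    interp = words[0].decode(errors="replace") if words else ""
    if not os.access(interp, os.X_OK):
        findings.append(f"interpreter {interp!r} is missing or not executable")
    if first.endswith(b"\r\n"):
        findings.append("#! line ends with CRLF")  # the kernel would look for 'perl\r'
    return findings


def check_pointer_file(cgi_dir):
    """Findings for the hidden .linkscan file that points the CGIs at the LinkScan home."""
    path = os.path.join(cgi_dir, ".linkscan")
    if not os.path.exists(path):
        return []  # only needed when the CGIs live outside the main LinkScan directory
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o644:
        # Readable by the server user, writable by nobody else: whoever can rewrite
        # this one line chooses which configuration and database the CGIs load.
        findings.append(f".linkscan mode is {mode:o}, expected 644")
    with open(path) as fh:
        lines = fh.read().splitlines()
    if len(lines) != 1:
        return findings + [".linkscan must contain exactly one line"]
    home = lines[0]
    if not (home.startswith("/") and home.endswith("/")):
        findings.append("path must begin and end with '/'")
    elif not os.path.isfile(home + "linkscan.sys"):
        findings.append(f"no linkscan.sys under {home}")
    return findings


def check_urls(sys_path):
    """Cgibinurl and Docsurl must both be set in linkscan.sys and end with '/'."""
    with open(sys_path) as fh:
        found = dict(re.findall(r"^\s*(Cgibinurl|Docsurl)\s*=\s*(\S+)", fh.read(), re.M))
    findings = []
    for key in ("Cgibinurl", "Docsurl"):
        if key not in found:
            findings.append(f"{key} is not set")
        elif not found[key].endswith("/"):
            findings.append(f"{key} should end with '/': {found[key]}")
    return findings


def _write(path, data, mode):
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def make_demo_deployment():
    """Constructed fixture: a LinkScan home and a cgi-bin holding one good and one bad CGI."""
    root = tempfile.mkdtemp()
    home = os.path.join(root, "linkscan") + "/"
    cgi_dir = os.path.join(root, "cgi-bin")
    os.makedirs(home)
    os.makedirs(cgi_dir)
    _write(home + "linkscan.sys", b"Cgibinurl = http://www.example.com/cgi-bin/\n"
           b"Docsurl = http://www.example.com/linkscan/docs\n", 0o644)  # Docsurl lacks its '/'
    _write(os.path.join(cgi_dir, ".linkscan"), home.encode() + b"\n", 0o644)
    # /bin/sh stands in for /usr/local/bin/perl so the fixture runs on any Unix box.
    _write(os.path.join(cgi_dir, "good.cgi"), b"#!/bin/sh\necho ok\n", 0o755)
    # Wrong mode, CRLF header and a missing interpreter all at once.
    _write(os.path.join(cgi_dir, "bad.cgi"), b"#!/nonexistent/perl\r\necho ok\r\n", 0o777)
    return {"cgi_dir": cgi_dir, "sys": home + "linkscan.sys",
            "good": os.path.join(cgi_dir, "good.cgi"), "bad": os.path.join(cgi_dir, "bad.cgi")}
```

Against a real installation, call check_cgi_file on each program in the cgi-bin directory, check_pointer_file on that directory and check_urls on the main linkscan.sys; an empty list from each is the state Apache expects. The fixture's bad.cgi deliberately combines a 777 mode, a CRLF-terminated header and a non-existent interpreter, which is roughly what a file copied over from a Windows editor looks like.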

27.3 LinkScan Access Controls

LinkScan includes some basic access controls that may be configured using the Access command in the configuration file linkscan.sys in the LinkScan directory. These access controls apply to CGI access only. It is assumed that standard operating system features will be used to control access by shell (command line) users.

    Access = username : password : project-list : owner-list : menu-options

An asterisk character may be used as a wildcard for any or all of the above parameters.

Indeed, a default LinkScan installation will create the following entry in the linkscan.sys file, providing unrestricted access:

    Access = * : * : * : * : *

Because this entry grants every report to anyone who can reach the CGI programs, replace it before the CGI directory is exposed to untrusted users. Note also that passwords in Access entries are stored in clear text, so linkscan.sys must not be readable through the web server.

Facilities are also provided to integrate with HTTP authentication schemes. LinkScan will check for the environment variable specified by the Httpauth parameter in linkscan.sys (normally REMOTE_USER). If this variable is present, it will be used to set the current username. LinkScan will assume that the user has already authenticated with the HTTP server and it will not check the password field in linkscan.sys. Because the password check is skipped whenever the variable is present, Httpauth must name a variable that only the web server can set, after a successful authentication (REMOTE_USER is such a variable). Never point it at a variable derived from a request header (the HTTP_* variables), since any client can supply those and would thereby choose its own username.

Example: In the following example, we have configured two users with different passwords. User 'admin' has unrestricted access, but user 'webmaster' may only access the two projects specified. Also, the "Site History" and "System Configuration" reports are not available to 'webmaster'.

    Access = admin : root : * : * : *
    Access = webmaster : html : www.example.com,devel.example.com : * : sxdcmoaqt
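To make the rule semantics concrete, the following is an added example that models the Access entries and the Httpauth behaviour exactly as this section describes them; it is not LinkScan's own code (the CGI programs implement this in Perl and may differ in detail, for instance in rule order or in what each menu-option letter means). The two entries above are reused as the constructed sample configuration. Assumptions of the example: fields never contain a colon, project and owner lists are comma-separated, the first matching rule wins, and, as a hardening step the page does not claim LinkScan itself performs, a header-derived Httpauth variable is refused outright.

```python
"""Evaluate LinkScan 'Access' rules as 27.3 describes them (added example, not
LinkScan's own code: the CGI programs implement this in Perl and may differ in
detail, e.g. rule order or the meaning of each menu-option letter). What this
reproduces is the documented behaviour: five colon-separated fields, '*' as a
wildcard, and the Httpauth variable (normally REMOTE_USER) replacing the
username and bypassing the password check. Assumed here: fields never contain
':', lists are comma-separated, and the first matching rule wins."""
import re


def parse_access_rules(config_text):
    """Parse every 'Access = user : password : projects : owners : menus' line."""
    rules = []
    for line in config_text.splitlines():
        m = re.match(r"\s*Access\s*=\s*(.+)", line)
        if not m:
            continue
        fields = [f.strip() for f in m.group(1).split(":")]
        if len(fields) != 5:
            raise ValueError(f"malformed Access line: {line.strip()!r}")
        user, password, projects, owners, menus = fields
        rules.append({
            "user": user,
            "password": password,  # clear text: keep linkscan.sys out of the document root
            "projects": None if projects == "*" else set(projects.split(",")),
            "owners": None if owners == "*" else set(owners.split(",")),
            "menus": None if menus == "*" else set(menus),  # one letter per report option
        })
    return rules


def httpauth_variable_is_safe(name):
    """REMOTE_USER is set by the server after a successful authentication; HTTP_*
    variables are copied from request headers, which any client can forge."""
    return not name.upper().startswith("HTTP_")


def resolve_user(rules, environ, form_user=None, form_password=None, httpauth="REMOTE_USER"):
    """Return the first rule admitting this request, or None to deny it.

    When the Httpauth variable is present in the CGI environment its value is the
    username and the password field is not checked: the web server is trusted to
    have authenticated the user already. This example additionally refuses a
    header-derived variable (whether LinkScan does so is not documented here)."""
    if not httpauth_variable_is_safe(httpauth):
        raise ValueError(f"Httpauth={httpauth}: a client-controlled header is not a login")
    if httpauth in environ:
        user, check_password = environ[httpauth], False
    else:
        user, check_password = form_user, True
    for rule in rules:
        if rule["user"] not in ("*", user):
            continue
        if check_password and rule["password"] not in ("*", form_password):
            continue
        return rule
    return None


def may_open_project(rule, project):
    return rule["projects"] is None or project in rule["projects"]


def may_use_menu(rule, option):
    return rule["menus"] is None or option in rule["menus"]


def audit_rules(rules):
    """Warn about entries that make the reports reachable without a credential."""
    warnings = []
    for r in rules:
        if r["user"] == "*" and r["password"] == "*":
            warnings.append("an entry admits anyone (the default '* : * : * : * : *' is still present)")
        elif r["password"] == "*":
            warnings.append(f"user {r['user']!r} has a wildcard password")
    return warnings


# Constructed from the two entries shown in 27.3.
EXAMPLE_CONFIG = """
Access = admin : root : * : * : *
Access = webmaster : html : www.example.com,devel.example.com : * : sxdcmoaqt
"""

if __name__ == "__main__":
    rules = parse_access_rules(EXAMPLE_CONFIG)
    print(audit_rules(rules) or "no open rules")
    print(resolve_user(rules, {}, "webmaster", "html")["user"])  # form login
    print(resolve_user(rules, {"REMOTE_USER": "webmaster"}, "webmaster", "bad")["user"])  # server-authenticated
```

The second resolve_user call is the point of the Httpauth paragraph: with REMOTE_USER present the wrong form password is simply never examined, which is fine only because Apache set that variable after its own authentication. Run audit_rules against a production linkscan.sys before exposing the cgi-bin directory; a surviving default entry is the most common way the reports end up world-readable.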

27.4 LinkScan Security Considerations

LinkScan incorporates some simple access controls on the various reporting options and selections when run as CGI scripts. No LinkScan-specific access controls are applied when accessing LinkScan via a shell (command line) interface; it is assumed that normal operating system access controls apply. The LinkScan access controls are subject to the many and varied limitations inherent in the CGI protocol (see the WWW CGI Security FAQ and other sources for further discussion). In summary, if your HTTP server can read any specific file, then any user with HTTP access to your server may be able to read that file; for example, if linkscan.sys or the LinkScan database sits under the document root, a browser may be able to fetch it directly, bypassing the Access entries entirely. The LinkScan security features are provided as a convenience, but they are no substitute for other, more robust system-level security controls such as:

We highly recommend that you configure HTTP Authentication of the LinkScan directory. Other measures you may wish to consider include:

LinkScan for Unix. Reference Manual. Section 27. LinkScan and Various Web Servers
LinkScan Version 12.3
© Copyright 1997-2012 Electronic Software Publishing Corporation (Elsop)
LinkScan™ and Elsop™ are Trademarks of Electronic Software Publishing Corporation
