LinkScan for Unix. Reference Manual.
This section discusses the use of LinkScan in conjunction with various web servers and the associated security implications:
When LinkScan is used to scan a website, the results are stored in the LinkScan database. Reports are created by executing queries against that database with several CGI programs that are supplied with LinkScan.
Hence, LinkScan will normally require that web server software be installed, configured and running on the installation computer. Note that LinkScan doesn't require access to a local web server in order to scan a web site. But a local web server is usually required to view the results of that scan.
On Unix Systems the LinkScan installation procedure assumes the availability of an existing web server, often the Apache system. See LinkScan Installation and Startup Guide for Unix Systems.
The remainder of this section describes the use of LinkScan with various web servers and discusses the associated security considerations.
When using LinkScan with Apache (and most other web servers) two sets of considerations must be addressed:
Apache normally requires that several conditions be satisfied before it will execute the LinkScan CGI programs -- or any other CGI program, for that matter:
Unless all of the above are satisfied, Apache will refuse to execute the CGI program and you will likely receive a 500 Server Error or 403 Forbidden response.
LinkScan imposes certain additional (minimal) requirements:
Be sure to include the leading and trailing forward-slash characters and make the file world readable (chmod 644 .linkscan).
Although the above guidelines are presented in the specific context of the Apache web server, the basic principles are quite generic and may easily be adapted to almost any web server. Note also that LinkScan provides considerable flexibility; you may install the LinkScan CGI programs in one directory, the documentation in another and the main LinkScan system including the databases in a third. Indeed, LinkScan may easily be configured to run in chroot and other similar environments.
LinkScan includes some basic Access Controls that may be configured using the Access command in the configuration file linkscan.sys in the LinkScan directory. These access controls apply to CGI access only. It is assumed that standard operating system features will be used to control access by shell (command line) users.
Access username : password : project-list : owner-list : menu-options
x = Project Summary Report
e = Problem Documents Report
s = Document Detail Report
k = Critical Errors Report
d = Detailed Errors Report
b = Changed Documents Report
u = Search Documents Report
v = Search Links Report
m = SiteMap Report
y = Summary of All Projects
c = Selected Status Codes Report
a = All Pages Linking To ... Report
o = Orphaned Files Report
h = External History Report
r = Redirections Report
p = System Configuration Report
q = LinkScan/QuickCheck
t = LinkScan/TapMap
An asterisk character may be used as a wildcard for any or all of the above parameters.
Indeed, a default LinkScan installation will create the following entry in the linkscan.sys file, providing unrestricted access:
Access = * : * : * : * : *
Facilities are also provided to integrate with HTTP Authentication Schemes. LinkScan will check for the Environment Variable specified by the Httpauth parameter in linkscan.sys (normally REMOTE_USER). If this variable is present, it will be used to set the current Username. LinkScan will assume that the user has already authenticated with the HTTP server and it will not check the password field in linkscan.sys.
Example: In the following example, we have configured two users with different passwords. User 'admin' has unrestricted access, but user 'webmaster' may only access the two Projects specified. Also the "Site History" and "System Configuration" Reports are not available to 'webmaster'.
Access = admin : root : * : * : *
Access = webmaster : html : www.example.com,devel.example.com : * : sxdcmoaqt
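As an added illustration (not LinkScan's own code), the following Python model evaluates Access rules like the two above, including the wildcard and the Httpauth (REMOTE_USER) behaviour described earlier. It assumes that fields are colon-separated, that project and owner lists are comma-separated, and that any single matching Access line grants the request; the names LINKSCAN_SYS, ACCESS_RULES, parse_access and check_access are chosen here.

```python
import re

# Constructed linkscan.sys fragment mirroring the manual's two-user example.
LINKSCAN_SYS = """
Access = admin : root : * : * : *
Access = webmaster : html : www.example.com,devel.example.com : * : sxdcmoaqt
"""


def parse_access(text):
    """Parse 'Access = user : password : projects : owners : menus' lines."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*Access\s*=\s*(.*)$", line)
        if not m:
            continue
        fields = [f.strip() for f in m.group(1).split(":")]
        if len(fields) != 5:
            raise ValueError("malformed Access line: %r" % line)
        user, password, projects, owners, menus = fields
        rules.append({
            "user": user,
            "password": password,
            "projects": set(projects.split(",")),  # '*' means any project
            "owners": set(owners.split(",")),      # '*' means any owner
            "menus": menus,                        # '*' or report letters
        })
    return rules


def _allowed(permitted, value):
    return "*" in permitted or value in permitted


def check_access(rules, user, password, project, owner, menu, remote_user=None):
    """Return True if a CGI request is permitted by some Access rule.
    remote_user models the Httpauth variable (normally REMOTE_USER): when the
    web server supplies it, it sets the username and the password is not checked."""
    if remote_user is not None:
        user, password = remote_user, None
    for r in rules:
        if r["user"] not in ("*", user):
            continue
        if remote_user is None and r["password"] not in ("*", password):
            continue
        if not _allowed(r["projects"], project) or not _allowed(r["owners"], owner):
            continue
        if r["menus"] != "*" and menu not in r["menus"]:
            continue
        return True
    return False


ACCESS_RULES = parse_access(LINKSCAN_SYS)
```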
LinkScan incorporates some simple access controls on the various Reporting options and selections when run as CGI scripts. No LinkScan-specific access controls are applied when accessing LinkScan via a shell (command line) interface; it is assumed that normal operating system access controls apply. The LinkScan access controls are subject to the many and varied limitations inherent within the CGI protocol (see the WWW CGI Security FAQ and other sources for further discussion). In summary, if your HTTP server can access any specific file, then any user with HTTP access to your server may be able to access that file. The LinkScan security features are provided as a convenience, but they are no substitute for other more robust system-level security controls such as:
We highly recommend that you configure HTTP Authentication of the LinkScan directory. Other measures you may wish to consider include:
LinkScan for Unix. Reference Manual. Section 27. LinkScan and Various Web Servers
LinkScan Version 12.4
© Copyright 1997-2013 Electronic Software Publishing Corporation (Elsop)
LinkScan and Elsop are Trademarks of Electronic Software Publishing Corporation