Creating the Server Directory
Now that the server is installed, it is time to configure it. The very first thing to change is the documents' root directory (DocumentRoot, as Apache httpd calls it). The default is /usr/pkg/share/thttpd/, a far from optimal value in most cases due to its dynamic nature. (Remember that /usr/ is often mounted read-only.) A better place is, for example, /home/www/, so change the configuration to use this directory instead. Open the configuration file (/usr/pkg/etc/thttpd.conf) in your favorite editor and change the dir variable to point to the correct directory, like this:
Once this is done, create the directory itself and a simple page inside it:
# mkdir /home/www
# cat >/home/www/index.html
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<title>Welcome</title>
</head>
<body>
<p>thttpd is running!</p>
</body>
</html>
^D
Note that unless you create a default index.html file, people will be able to see the contents of the directory, which may be inappropriate.
Setting Up Permissions
Before running thttpd, which is already possible at this point, it's worthwhile to tighten permissions a bit. As with any network-facing application, it is a good idea to run it without superuser privileges, to lessen the damage to the system in case of attack. Therefore, my goal is to run the server process under a regular user account. Create the www group, to which any webmasters will belong, and the thttpd user, the account that will run the daemon.
# useradd -g nobody -d /home/www thttpd
# groupadd www
Notice how the thttpd account uses the nobody group. www is a group for webmasters; the daemon has no business writing to the documents directory.
Now that the account is ready, tell thttpd to use it:
# echo user=thttpd >>/usr/pkg/etc/thttpd.conf
Finally, change the permissions of the documents directory to let any member of the www group modify the files inside it:
# chown -R root:www /home/www/
# chmod 775 /home/www/
# chmod 664 /home/www/index.html
Enabling the Server
Now you are ready to start the server, usually by using the provided rc.d script. First, copy this script to the appropriate system directory, /etc/rc.d/, so that it is available at boot time:
# cp /usr/pkg/share/examples/rc.d/thttpd /etc/rc.d/
Once it is in place, enable it. Now is another opportunity to make things a bit better, security-wise: tell the daemon to chroot itself into the documents' root directory after startup. This is easy to do on NetBSD by passing the -r flag to the daemon. With this in mind, modify /etc/rc.conf:
# cat >>/etc/rc.conf
thttpd=YES
thttpd_flags=-r
^D
You're done. Start the server with the command:
# /etc/rc.d/thttpd start
Before continuing, it's helpful to verify that everything works correctly. First connect to http://localhost/ (note that this link will work only if you run this from the machine on which you installed thttpd), and check that the web page you wrote before appears. Secondly, make sure that the -r flag was effective; you do not want to discover several months later that what you thought was chrooted in fact was not. Check this with help from the fstat command, whose purpose is to show the status of all open files. Search for the root file used by the daemon:
# fstat | grep ^thttpd | grep root
thttpd thttpd 1206 root /home 2351520 drwxrwxr-x 512 r
What the output shows is that the daemon's root directory is the one identified by inode 2351520, living under the /home filesystem (which is a separate partition). To verify that the inode number belongs to your documents' root directory, use the ls command:
# ls -lidF /home/www/
2351520 drwxrwxr-x 2 root www 512 Jun 4 16:35 /home/www/
The number in the first column matches the inode number shown by fstat. This daemon is chrooted inside the appropriate directory.
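The fstat and ls comparison above can be scripted so that it is repeated after every restart or upgrade. The following is an added example, not part of the original article; the function names are hypothetical and the fstat column layout is assumed from the output shown above.

```shell
#!/bin/sh
# Added example: compare the inode of a daemon's root directory, as reported
# by fstat, with the inode of the intended documents' root directory.
# Assumed fstat columns (taken from the sample output in the article):
#   USER CMD PID FD MOUNT INUM MODE SIZE R/W

# root_inode_of CMD: read fstat output on stdin and print the distinct
# inode numbers of the "root" entries belonging to command CMD.
root_inode_of() {
    awk -v cmd="$1" '$2 == cmd && $4 == "root" { print $6 }' | sort -u
}

# dir_inode DIR: print the inode number of DIR itself (not its contents).
dir_inode() {
    ls -id "$1" 2>/dev/null | awk '{ print $1 }'
}

# check_chroot CMD DIR: read fstat output on stdin.
#   returns 0 if every CMD process has DIR as its root directory,
#   returns 1 on a mismatch (including processes with differing roots),
#   returns 2 if DIR does not exist or no root entry for CMD was found.
# Inode numbers are unique only within one filesystem, so also confirm that
# the MOUNT column (/home in the article) is the filesystem holding DIR.
check_chroot() {
    want=$(dir_inode "$2")
    if [ -z "$want" ]; then
        echo "cannot stat $2" >&2
        return 2
    fi
    got=$(root_inode_of "$1")
    if [ -z "$got" ]; then
        echo "no root entry found for $1 (is it running?)" >&2
        return 2
    fi
    if [ "$got" = "$want" ]; then
        echo "OK: $1 is rooted at inode $got ($2)"
        return 0
    fi
    echo "MISMATCH: $1 root inode(s) $got, expected $want ($2)" >&2
    return 1
}

# On the live system described in the article:
#   fstat | check_chroot thttpd /home/www
```

A non-zero exit status makes the check easy to wire into a periodic job that alerts when the daemon is no longer confined.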
Congratulations! The server is now correctly configured and is up and running. But wait--you're not done yet.