Lightweight Web Serving with thttpd
Pages: 1, 2, 3

Creating the Server Directory

Now that the server is installed, it is time to configure it. The very first thing to change is the documents' root directory (DocumentRoot, as Apache httpd calls it). The default is /usr/pkg/share/thttpd/, a far from optimal location in most cases, because web content changes frequently. (Remember that /usr/ is often mounted read-only.) A better place is, for example, /home/www/, so change the configuration to use this directory instead. Open the configuration file (/usr/pkg/etc/thttpd.conf) in your favorite editor and change the dir variable to point to the correct directory, like this:

dir=/home/www

Once this is done, create the directory itself and a simple page inside it:

# mkdir /home/www
# cat >/home/www/index.html
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
  <head>
    <title>Welcome</title>
  </head>

  <body>
    <p>thttpd is running!</p>
  </body>
</html>
^D

Note that unless you create a default index.html file, people will be able to see the contents of the directory, which may be inappropriate.

Setting Up Permissions

Before running thttpd, which is already possible at this point, it's worthwhile to tighten permissions a bit. As in any networking-aware application, it is a good idea to run it without superuser privileges, aiming to lessen damage to the system in case of attack. Therefore, my goal is to run the server process under a regular user account. Create the www group, to which any webmasters will belong, and the thttpd user, the account that will run the daemon.

# useradd -g nobody -d /home/www thttpd
# groupadd www

Notice how the thttpd account uses the nobody group: www is a group for webmasters; the daemon has no business writing to the documents directory.

Now that the account is ready, tell thttpd to use it:

# echo user=thttpd >>/usr/pkg/etc/thttpd.conf

Finally, change the permissions of the documents directory to let any member of the www group modify the files inside it:

# chown -R root:www /home/www/
# chmod 775 /home/www/
# chmod 664 /home/www/index.html

Enabling the Server

Now you are ready to start the server, usually by using the provided rc.d script. First, copy this script to the appropriate system directory, /etc/rc.d/, so that it is available at boot time:

# cp /usr/pkg/share/examples/rc.d/thttpd /etc/rc.d/

Once it is in place, enable it. Now is another opportunity to make things a bit better, security-wise: tell the daemon to chroot itself into the documents' root directory after startup. This is easy to do on NetBSD by passing the -r flag to the daemon. With this in mind, modify /etc/rc.conf:

# cat >>/etc/rc.conf
thttpd=YES
thttpd_flags=-r
^D

You're done. Start the server with the command:

# /etc/rc.d/thttpd start

Before continuing, it's helpful to verify that everything works correctly. First, connect to http://localhost/ (note that this link will work only from the machine on which you installed thttpd), and check that the web page you wrote before appears. Second, make sure that the -r flag was effective; you do not want to discover several months later that what you thought was chrooted in fact was not. Check this with help from the fstat command, whose purpose is to show the status of all open files. Search for the daemon's root directory entry:

# fstat | grep ^thttpd | grep root
thttpd   thttpd      1206 root /home    2351520 drwxrwxr-x 512 r

The output shows that the daemon's root directory is the one with inode 2351520, which lives on the /home filesystem (a separate partition). To verify that the inode number belongs to your documents' root directory, use the ls utility:

# ls -lidF /home/www/
2351520 drwxrwxr-x  2 root  www  512 Jun  4 16:35 /home/www/

The number in the first column matches the inode number shown by fstat. The daemon is chrooted inside the appropriate directory.
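
The fstat and ls comparison above can be scripted so that it is easy to repeat after an upgrade or a configuration change. This is an added example, not part of the original article: the function names thttpd_roots and verify_chroot are hypothetical, and it assumes fstat prints the columns shown in the output above. It also rejects a daemon that runs as root.

```shell
#!/bin/sh
# Added example, not from the article: script the fstat/ls comparison.
# Assumed fstat columns, as in the output shown above:
#   USER CMD PID FD MOUNT INUM MODE SZ|DV R/W

# Read fstat output on stdin; print "USER INUM" for the root-directory
# entry (FD column "root") of every thttpd process.
thttpd_roots() {
    awk '$2 == "thttpd" && $4 == "root" { print $1, $6 }'
}

# verify_chroot DOCROOT   (fstat output on stdin)
# Succeeds only if at least one thttpd process is found and each one is
# rooted at DOCROOT's inode and does not run as root.
verify_chroot() {
    docroot=$1
    want=$(ls -id "$docroot" 2>/dev/null | awk '{ print $1 }')
    [ -n "$want" ] || { echo "FAIL: cannot stat $docroot" >&2; return 1; }
    roots=$(thttpd_roots)
    [ -n "$roots" ] || { echo "FAIL: no thttpd root entry" >&2; return 1; }
    status=0
    while read -r user inum; do
        if [ "$inum" != "$want" ]; then
            echo "FAIL: root inode $inum, expected $want" >&2
            status=1
        fi
        if [ "$user" = "root" ]; then
            echo "FAIL: thttpd runs as root" >&2
            status=1
        fi
    done <<EOF
$roots
EOF
    return $status
}

# Constructed demo: a temporary directory stands in for /home/www and a
# hand-built fstat line carries its inode.
demo_dir=$(mktemp -d)
demo_ino=$(ls -id "$demo_dir" | awk '{ print $1 }')
printf 'thttpd thttpd 1206 root /home %s drwxrwxr-x 512 r\n' "$demo_ino" |
    verify_chroot "$demo_dir" && echo "OK: chrooted, unprivileged"
rmdir "$demo_dir"

# On the server itself: fstat | verify_chroot /home/www
```

Inode numbers are unique only within one filesystem, so also confirm that the MOUNT column names the filesystem that holds the documents' root directory.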

Congratulations! The server is now correctly configured and is up and running. But wait--you're not done yet.
