<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>CGIpaf 1.3.5 FAQ</title>
</head>
<body>
<h1>CGIpaf 1.3.5 FAQ</h1>
<hr>
<a name="copyright"></a>
<h2>Copyright Notice</h2>
<a name="copyright_documentation"></a>
<h3>Copyright documentation</h3>
<p>
The documentation for CGIpaf is licensed under the terms of the FreeBSD
Documentation License.
<h4>The FreeBSD Documentation License</h4>
<p>
Copyright © 2001 - 2020 Staf Wagemakers
<p>
Redistribution and use in source (plaintext, HTML) and 'compiled' forms (SGML, HTML, PDF, PostScript, RTF and so forth) with or without modification, are permitted provided that the following conditions are met:
<ol>
<li>
Redistributions of source code (plaintext, HTML) must retain the above copyright notice, this list of conditions and the following disclaimer.
</li>
<li>
Redistributions in compiled form (transformed to other DTDs, converted to PDF, PostScript, RTF and other formats) must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
</li>
</ol>
<p>
THIS DOCUMENTATION IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN IF ADVISED OF
THE POSSIBILITY OF SUCH DAMAGE.
</p>
<a name="copyright_software"></a>
<h3>Copyright Software</h3>
CGIpaf (the software) is licensed under the terms of the GNU General Public
License version 2 or later.
<p>
Copyright © 2001 - 2020 Staf Wagemakers
<p>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 2 of the License, or
(at your option) any later version.
<p>
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
<p>
You should have received a copy of the GNU General Public License
along with this program. If not, see <a href="https://www.gnu.org/licenses/">https://www.gnu.org/licenses/</a>.
<hr>
<p>
<h2>1 <a href="#s1">Introduction to CGIpaf</a></h2>
<ul>
<li>1.1 <a href="#ss1.1">What is CGIpaf?</a></li>
<li>1.2 <a href="#ss1.2">How secure is CGIpaf</a></li>
<li>1.3 <a href="#ss1.3">Website</a></li>
<li>1.4 <a href="#ss1.4">Mailinglist</a></li>
<li>1.5 <a href="#ss1.5">Support</a></li>
<li>1.6 <a href="#ss1.6">License</a></li>
</ul>
<p>
<h2>2 <a href="#s2">Installation</a></h2>
<ul>
<li>2.1 <a href="#ss2.1">What platforms are supported?</a></li>
<li>2.2 <a href="#ss2.2">Which libraries are required?</a></li>
<li>2.3 <a href="#ss2.3">Does CGIpaf depend on PHP?</a></li>
<li>2.4 <a href="#ss2.4">Common installation problems</a></li>
</ul>
<p>
<h2>3 <a href="#s3">Common configuration problems</a></h2>
<ul>
<li>3.1 <a href="#ss3.1">passwd.cgi is unable to update the system password</a></li>
<li>3.2 <a href="#ss3.2">Can I update the SAMBA password?</a></li>
<li>3.3 <a href="#ss3.3">Is NIS supported?</a></li>
<li>3.4 <a href="#ss3.4">Is ldap supported?</a></li>
<li>3.5 <a href="#ss3.5">I get an internal server error</a></li>
<li>3.6 <a href="#ss3.6">How do I get debug output?</a></li>
<li>3.7 <a href="#ss3.7">Which authentication methods are supported</a></li>
<li>3.8 <a href="#ss3.8">CGIpaf is unable to authenticate?</a></li>
<li>3.9 <a href="#ss3.9">How do I enable cracklib password testing?</a></li>
<li>3.10 <a href="#ss3.10">My .procmailrc is wiped out!</a></li>
<li>3.11 <a href="#ss3.11">My .forward is deleted!</a></li>
<li>3.12 <a href="#ss3.12">I get a "file not found" error message</a></li>
<li>3.13 <a href="#ss3.13">Mail forwarding and autoreply doesn't work</a></li>
<li>3.14 <a href="#ss3.14">Can I create my own html pages?</a></li>
<li>3.15 <a href="#ss3.15">Can I use vacation/.forward instead of procmail?</a></li>
<li>3.16 <a href="#ss3.16">I can't login with passwords longer than ...</a></li>
</ul>
<p>
<h2>4 <a href="#s4">Future Plans</a></h2>
<ul>
<li>4.1 <a href="#ss4.1">Supported Platforms</a></li>
</ul>
<hr />
<h1><a name="s1">1</a> Introduction</h1>
<h2><a name="ss1.1">1.1</a> What is CGIpaf?</h2>
<p>
cgipaf is a combination of three cgi programs:
</p>
<ul>
<li><b>passwd.cgi</b>: allows users to update their password</li>
<li><b>viewmailcfg.cgi</b>: allows users to view their current mail configuration.</li>
<li><b>mailcfg.cgi</b>: update the mail configuration</li>
</ul>
<p>
All programs use PAM for user authentication. Systems without PAM
are only supported if they use the standard password file locations
(/etc/passwd, /etc/shadow) and standard crypt or md5 passwords.
When a password is changed, a script can be run to update
SAMBA passwords, NIS configuration, etc.
</p>
<p>
By default the mail configuration is handled by procmail: mailcfg.cgi
creates a .procmailrc in the user's home directory. If autoreply is
enabled, the autoreply message is stored in ~/vacations.txt. When a user
enables mail forwarding, the user can choose to keep the messages.
If you want to use another auto responder such as vacation, you can define
an external script to update the user's mail configuration. A perl script with
vacation support is included; see examples/ for an example config.
</p>
<p>
For user authentication viewmailcfg.cgi creates a cookie, which
is stored in the accessdb. mailcfg.cgi reads the cookie from the accessdb
and compares it with the cookie sent by the user's browser.
Users with too many invalid logins can be locked. The minimum and maximum
uid can be set in the configuration file, so you can specify a range of uids
that are allowed to use cgipaf. CGIpaf has <b>a</b>ccess <b>c</b>ontrol <b>l</b>ist
support, which allows you to deny or allow access to groups or users.
</p>
<p>
You can specify html files with a few PHP extensions for the login screen
and error messages. It's possible to use a redirect for the error messages, instead
of plain html files.
</p>
<h2><a name="ss1.2">1.2 </a>How secure is CGIpaf</h2>
<p>
The CGIpaf cgi's are suid root programs, which means they run as root. viewmailcfg.cgi and
mailcfg.cgi run as the user once the authentication is completed. All suid programs are
a security risk; I try to keep them as secure as possible...</p>
<p>
If you use CGIpaf on the internet you must use CGIpaf over https, otherwise the users' passwords
are sent unencrypted over the internet.
</p>
<h2><a name="ss1.3">1.3 </a>Website</h2>
<p>
I finally got a stable place for my homepage ( <a href="http://www.wagemakers.be">http://www.wagemakers.be</a> ).<br>
<strong>thanks</strong> to <a href="http://www.procolix.com/">ProcoliX</a> for hosting my site and sponsoring my domain.
<p>
The current locations are:
</p>
<ul>
<li>main site: <a href="http://www.wagemakers.be/english/programs/cgipaf">http://www.wagemakers.be/english/programs/cgipaf</a></li>
<li>debian packages: <a href="http://www.wagemakers.be/downloads/debian/">http://www.wagemakers.be/downloads/debian/</a>
</li>
</ul>
<p>
If you're unable to access the website check
<a href="http://freshmeat.net/projects/cgipaf">http://freshmeat.net/projects/cgipaf</a>
for the correct location.
</p>
<h2><a name="ss1.4">1.4 </a>Mailinglist</h2>
<p>
<a href="http://groups.yahoo.com/group/cgipaf/">http://groups.yahoo.com/group/cgipaf/</a></p>
<p>
<table border="0" cellspacing="1" cellpadding="1">
<tr>
<td><font face="arial,helvetica" size=-1>Post message</font></td>
<td><font face="arial,helvetica" size=-1>cgipaf@yahoogroups.com</font></td>
</tr>
<tr>
<td><font face="arial,helvetica" size=-1>Subscribe:</font></td>
<td><font face="arial,helvetica" size=-1>cgipaf-subscribe@yahoogroups.com</font></td>
</tr>
<tr>
<td><font face="arial,helvetica" size=-1>Unsubscribe:</font></td>
<td><font face="arial,helvetica" size=-1>cgipaf-unsubscribe@yahoogroups.com</font></td>
</tr>
<tr>
<td><font face="arial,helvetica" size=-1>List owner:</font></td>
<td><font face="arial,helvetica" size=-1>cgipaf-owner@yahoogroups.com</font></td>
</tr>
</table>
<h2><a name="ss1.5">1.5 </a> Support</h2>
<p>
Please post your questions / install problems to the mailinglist. I usually read my private email in the
evening after my work, but I follow the mailinglist during the workday, so you'll get an answer faster
on the mailinglist. Your problem can be useful to the other CGIpaf users...
</p>
<h2><a name="ss1.6">1.6 </a> License</h2>
<p>
CGIpaf is Free software published under the GNU General Public License.
See <a href="http://www.gnu.org/licenses/gpl.html">http://www.gnu.org/licenses/gpl.html</a>
for more information.
</p>
<hr />
<h1><a name="s2">2</a> Installation</h1>
<h2><a name="ss2.1">2.1</a> What platforms are supported</h2>
<ul>
<li><b>GNU/Linux</b>
<p>
CGIpaf should compile and run on most GNU/Linux distributions. Slackware is
only supported if you compile CGIpaf without PAM support since Slackware doesn't support PAM.
Both passwd types (standard crypt, md5) are supported on a non-PAM system. Blowfish and others aren't supported.
</p>
</li>
<li><b>SUN Solaris</b>
<p>
CGIpaf works on Solaris ( only tested on solaris 8 )
</p>
</li>
<li><b>FreeBSD</b>
<p>
FreeBSD is supported.
The PAM password changer is supported on FreeBSD 7.3 or above.
</p></li>
<li><b>NetBSD</b>
<p>
NetBSD is supported.
The PAM password changer is supported on NetBSD 6.0 or above.
</p>
</li>
<li><b>OpenBSD</b>
<p>
Unfortunately OpenBSD isn't supported (yet). I hope to start a port some day.
</p>
</li>
<li><b>Other</b>
<p>
CGIpaf might work on other Un*ces with pam support. Systems without pam support
are only supported if they use the standard password file location /etc/passwd
/etc/shadow and standard crypt or md5 passwords.
</p>
</li>
</ul>
<h2><a name="ss2.2">2.2</a> What libraries are required?</h2>
<p>
CGIpaf uses only standard libraries that are installed on most common Un*x installations. You need the
development packages ( header files etc. ) to compile CGIpaf.
</p>
<p>
List of required libraries:
<ul>
<li>ndbm, gdbm or a compatible library</li>
<li>libPAM ( optional )</li>
<li>libc ( of course )</li>
<li>cracklib ( optional )</li>
</ul>
<h2><a name="ss2.3">2.3</a> Does CGIpaf depend on PHP?</h2>
<p>
No! CGIpaf only emulates a few PHP functions ( include and echo ) in its html files.<br>
If you need full PHP support you have to use a redirect.
</p>
<h2><a name="ss2.4">2.4</a> Common installation problems</h2>
<p>
<ol>
<li><b>I get a "configure: error: no valid ndbm library found" error message</b>
<p>
CGIpaf depends on ndbm or a compatible library, and you need the development files to compile it. If ndbm and
the development files aren't installed on your system, install them; look for a gdbm or ndbm package.<br>
If ndbm isn't installed in a standard location on your system ( e.g. /opt ), try to create symbolic links:
<p>
<pre><tt><kbd>
ln -s /opt/lib/libndbm.so /usr/lib/libndbm.so
ln -s /opt/include/db1/ndbm.h /usr/include/ndbm.h
</kbd></tt></pre>
<p>
and rerun ./configure
</p>
<li><b>pam development files</b>
<p>
To compile CGIpaf with PAM support you need the PAM development files, which
aren't installed by every default installation. Look for a package with a name
like *libpam-dev and install it. ( Type apt-get install libpam0g-dev on a
Debian GNU/Linux system )
</p>
</li>
<li><b>cracklib</b>
<p>
To compile cgipaf with cracklib support you need the libcrack development
files... If you have a system with PAM support, try to enable cracklib
support through PAM (see below).
<p>
On a non-PAM system set "cracklib" to "on" and "cracklib_dictpath" to your
cracklib dict path.<br>
The cracklib_dictpath is the path to the dictionary filename without the extension
( .pwi ), not the directory path.<br>
The correct dictpath on Debian ( potato and woody ) is /var/cache/cracklib/cracklib_dict;
on RedHat 6.2 you'll have to use /usr/lib/cracklib_dict.
</p>
</li>
</ol>
<hr />
<h1><a name="s3">3</a> Common configuration problems</h1>
<h2><a name="ss3.1">3.1</a> CGIpaf is unable to update the password</h2>
<p>
On a non-PAM system cgipaf uses a lock file in /var/lock. If this directory doesn't exist on your
system, passwd.cgi will end with a "Can't create lockfile" error. Create /var/lock or update pam.h
to your own needs.
</p>
<h2><a name="ss3.2">3.2</a> Can I update the SAMBA password?</h2>
<p>
Yes, passwd.cgi doesn't support SAMBA passwords directly but you can use a
"run_success" script.
<pre><tt><code>
run_success "/usr/sbin/smbpasswd -U %{name} > /dev/null 2>&1" "%{password}\n%{password}\n"
</code></tt></pre>
<h2><a name="ss3.3">3.3</a> Is NIS supported?</h2>
<p>
CGIpaf doesn't support NIS directly, but it's possible to update the
NIS password on the master NIS server and run pwupdate (8) through run_success:
<pre><tt><code>
run_success "/usr/lib/yp/pwupdate > /dev/null 2>&1"
</code></tt></pre>
<h2><a name="ss3.4">3.4</a> Is ldap supported?</h2>
<p>
CGIpaf should support ldap through PAM, although I didn't have the time to test it...
</p>
<h2><a name="ss3.5">3.5</a> I get an internal server error</h2>
<p>
This can have several reasons...
</p>
<p>
If you've enabled cracklib in cgipaf and set the cracklib_dictpath to an invalid
location, passwd.cgi will end with an internal server error and an error message in
your webserver error log. Try disabling cracklib to see if this resolves the problem;
see "How do I enable cracklib password testing".
</p>
<p>
Another possible reason is a bug or misconfiguration in cgipaf; the error_log of
your webserver and the syslog messages ( set loglevel to 7 ) should give more information.
</p>
<h2><a name="ss3.6">3.6</a> How do I get debug output?</h2>
<p>
Set the loglevel to 7 in cgipaf.conf; this will send debug messages to your system's syslog.
</p>
<h2><a name="ss3.7">3.7</a> Which authentication methods are supported</h2>
<p>
CGIpaf supports PAM and standard Un*x password files ( /etc/passwd /etc/shadow ).
BSD uses different passwd locations. On a Net|FreeBSD system /etc/passwd_master is updated
and copied to pwdb by the pw_mkdb command.<br>
OpenBSD isn't (yet) supported...
</p>
<h2><a name="ss3.8">3.8</a> CGIpaf is unable to authenticate?</h2>
<p>
On a PAM system: CGIpaf needs "auth" and "account" entries in its PAM configuration.
If you don't set the pam_service directive, CGIpaf uses the "passwd" service name. The passwd
PAM service ( /etc/pam.d/passwd ) usually doesn't have an entry for user authentication, therefore
/etc/pam.d/other has to have an auth line set to pam_unix.so.
<pre><code><tt>
auth required pam_unix.so
account required pam_unix.so
</tt></code></pre>
If you don't like this for security reasons etc., you can set the pam_service directive to "cgipaf"
and create the file /etc/pam.d/cgipaf that looks like this:
<pre><code><tt>
auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so md5
</tt></code></pre>
Or better copy your system passwd configuration and add the lines for "auth" and "account".
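<p>
To see which file actually supplies each PAM management group for a service name, a check like the following can be run against /etc/pam.d. It is an added example, not part of CGIpaf; the function names are hypothetical, the sample tree is constructed, and it assumes Linux-PAM's behaviour of taking groups the service file lacks from "other" plus Debian-style "@include" lines.
</p>

```shell
#!/bin/sh
# Added example (not CGIpaf code): report which file supplies each PAM
# management group for a service. Groups that the service file does not
# define are taken from "other" (assumed Linux-PAM behaviour).

# pam_defines DIR FILE GROUP [DEPTH]: succeed if FILE, or a file it pulls in
# with "@include", has at least one rule of type GROUP. The body is a
# subshell so the recursion cannot clobber the caller's variables.
pam_defines() (
    dir=$1 file=$2 group=$3 depth=${4:-0}
    [ -r "$dir/$file" ] && [ "$depth" -lt 8 ] || exit 1
    while read -r type arg rest || [ -n "$type" ]; do
        case $type in
            '' | '#'*) continue ;;                 # blank line or comment
            '@include')                            # follow the included file
                pam_defines "$dir" "$arg" "$group" $((depth + 1)) && exit 0 ;;
            "$group" | "-$group") exit 0 ;;        # "-type" marks an optional module
        esac
    done < "$dir/$file"
    exit 1
)

# pam_audit DIR SERVICE: print "group=source" for auth, account and password,
# where source is SERVICE, "other" or "none".
pam_audit() {
    for group in auth account password; do
        if   pam_defines "$1" "$2" "$group";  then src=$2
        elif pam_defines "$1" other "$group"; then src=other
        else src=none
        fi
        printf '%s=%s\n' "$group" "$src"
    done
}

# Constructed sample tree for the demo (not copied from a real system):
# "passwd" only has password rules, "other" carries the auth/account lines
# shown above, and "cgipaf" is the dedicated service file from this FAQ.
make_sample_pamd() {
    mkdir -p "$1"
    printf '@include common-password\n' > "$1/passwd"
    printf 'password required pam_unix.so md5\n' > "$1/common-password"
    printf 'auth required pam_unix.so\naccount required pam_unix.so\n' > "$1/other"
    printf '%s\n' 'auth required pam_unix.so' 'account required pam_unix.so' \
        'password required pam_unix.so md5' > "$1/cgipaf"
}

demo=$(mktemp -d)
make_sample_pamd "$demo"
echo "pam_service passwd:"; pam_audit "$demo" passwd
echo "pam_service cgipaf:"; pam_audit "$demo" cgipaf
rm -rf "$demo"
```

<p>
On a real host, <code>pam_audit /etc/pam.d cgipaf</code> should list "cgipaf" as the source of all three groups; any "other" in the output means the rules in /etc/pam.d/other are being used, and those rules also apply to every other service that lacks its own.
</p>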
<h2><a name="ss3.9">3.9</a> How do I enable cracklib password testing?</h2>
<p>
On a PAM system: CGIpaf should support password testing through PAM. Enable cracklib support in
your PAM configuration.
</p>
<p>
On a non-PAM system you have to set the cracklib directive to "on" and cracklib_dictpath to your
system's cracklib dictpath.
</p>
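<p>
Because an invalid cracklib_dictpath ends in an internal server error (see 3.5), the value can be checked before it goes into cgipaf.conf. The following is an added example, not part of CGIpaf; check_dictpath is a hypothetical helper, the sample dictionary files are constructed, and the .pwd/.hwm companion files and the compressed .pwd.gz variant are assumptions about how cracklib dictionaries are packaged.
</p>

```shell
#!/bin/sh
# Added example (not CGIpaf code): validate a value meant for cracklib_dictpath.

# check_dictpath PATH: print a one-line verdict and return 0 only if PATH is
# a dictionary base name (no extension) whose index files are present.
check_dictpath() {
    p=$1
    if [ -d "$p" ]; then
        # Mistake 1: the directory was given. List the base names found in it.
        found=
        for f in "$p"/*.pwi; do
            if [ -e "$f" ]; then found="$found ${f%.pwi}"; fi
        done
        echo "directory, not a dictionary; candidates:${found:- none}"
        return 1
    fi
    case $p in
        *.pwi | *.pwd | *.hwm)
            # Mistake 2: the extension was included.
            echo "extension included; use ${p%.*}"
            return 1 ;;
    esac
    [ -r "$p.pwi" ] || { echo "missing $p.pwi"; return 1; }
    [ -r "$p.hwm" ] || { echo "missing $p.hwm"; return 1; }
    # Assumption: some builds ship the word list compressed as .pwd.gz.
    [ -r "$p.pwd" ] || [ -r "$p.pwd.gz" ] || { echo "missing $p.pwd"; return 1; }
    echo "ok"
}

# Constructed sample dictionary (empty placeholder files, demo only).
demo=$(mktemp -d)
for ext in pwd pwi hwm; do : > "$demo/cracklib_dict.$ext"; done
for candidate in "$demo" "$demo/cracklib_dict.pwi" "$demo/cracklib_dict"; do
    printf '%s -> ' "$candidate"
    check_dictpath "$candidate" || true
done
rm -rf "$demo"
```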
<h2><a name="ss3.10">3.10</a> My .procmailrc is wiped out!</h2>
<p>
CGIpaf deletes or replaces the user's ~/.procmailrc after a user has updated his mail configuration.
It's possible to copy your .procmailrc and restore it when autoreply and mail forwarding are disabled
by using the run_before_mailcfg and run_after_mailcfg directives.<br>
An alternative is to use .forward/vacation instead of procmail; see examples/ for more information.
</p>
<h2><a name="ss3.11">3.11</a> My .forward is deleted!</h2>
<p>
The user's .forward is deleted after a mail configuration update. If you don't like this you can disable the
internal mail configuration and use your own run_mailcfg script. See examples/ for a perl example with vacation support.
</p>
<h2><a name="ss3.12">3.12</a> I get a "file not found" error message in the webserver error_log</h2>
<p>
CGIpaf uses "/cgi-bin" in its action fields. If you use another cgi-bin location ( e.g. /cgi-bin/cgipaf )
you have to update:
</p>
<ul>
<li>cgipasswd_top.php</li>
<li>mailcfg_form.php</li>
<li>mailcfg_login.php</li>
</ul>
<h2><a name="ss3.13">3.13</a> Mail forwarding and autoreply doesn't work</h2>
<p>
Basically CGIpaf is a web interface to configure procmail, so you need a mailserver with procmail support.
Check the documentation of your mailserver for how to enable procmail.
</p>
<h2><a name="ss3.14">3.14</a> Can I create my own html pages?</h2>
<p>
Yes! You can modify the php files that come with the installation of cgipaf. Please note that
CGIpaf doesn't have full PHP support; it only emulates two PHP functions (echo and include).
If you need full PHP support or want to use another web scripting language you have to use a redirect.<br>
e.g.:
<pre><code><tt>
msg_success redirect http://your_webserver/pwchanged.php?name="%{name}"
</tt></code></pre>
<p>
This will redirect to http://your_webserver/pwchanged.php?name="loginname" after a user has succeeded in updating
his password.
</p>
<h2><a name="ss3.15">3.15</a> Can I use vacation/.forward instead of procmail?</h2>
<p>
Yes! You can disable the internal .procmailrc updater of CGIpaf and define an external script
to update the user's mail configuration. See examples/ for a vacation example.
</p>
<h2><a name="ss3.16">3.16</a> I can't login with passwords longer than ...</h2>
<p>
You'll have to update mailcfg_login.php; the default maxlength for the password field is 16.
If you need to support longer passwords, update mailcfg_login.php.
</p>
<pre><code><tt>
&lt;td&gt;&lt;input name="passwd" type="password" size="8" maxlength="16"&gt;&lt;/td&gt;
                                                  ^^^^^^^^^^^^^^
</tt></code></pre>
<hr />
<h1><a name="s4">4</a> Future plans</h1>
<h2><a name="ss4.1">4.1</a> Supported Platforms</h2>
<p>
CGIpaf started as a GNU/Linux project; I needed to create a site that allowed users to update their
mail configuration. I have added Solaris support because we use it at my work and I was tired of
explaining to users how they have to update their Un*x password.
</p>
<p>
I've added Slackware 8.0, FreeBSD and NetBSD support because some users requested a port to these
platforms. I hoped that I could reuse the BSD code for the OpenBSD port, but the odds
were against me. The BSD port doesn't work without trouble on OpenBSD versions.
</p>
<p>
PAM on FreeBSD and NetBSD has been improved over the years.<br />
PAM support is enabled by default on FreeBSD 7.3 or above and NetBSD 6 or above.
<p>
<hr />
<address><a href="mailto:staf at wagemakers.be">staf wagemakers</a></address>
<!-- Created: Mon Apr 8 20:42:51 CEST 2002 -->
<!-- hhmts start -->
Last modified: Thu Mar 14 09:33:27 CET 2013
<!-- hhmts end -->
</body>
</html>