Sample CGI scripts for managing per-user dccm and dccproc white lists and logs.

Each user with a white list directory can
    - browse logged messages
    - point-and-click to add checksums from logged messages to an
      individual white list
    - choose to receive a daily notice about messages since the user's
      log was last checked, but no more than one notice per week when
      the log is not checked.

These scripts are intended to be portable and usable instead of fast or
fancy. Large organizations should consider mod_perl, templates, and so
forth.

Instead of modifying them in place, copy them to a directory other than
/var/lib/dcc/cgi-bin to avoid difficulties when installing new versions
of the DCC.

They are intended to be used with dccm, but can be used with dccproc if
dccproc is told to follow the per-user logging and white list conventions
used by dccm with

    dccproc -E -l /var/lib/dcc/userdirs/local/$USER/log \
        -w /var/lib/dcc/userdirs/local/$USER/whiteclnt

It might be good to use the "include" facility to add a global whiteclnt
file to those per-user files. The newwebuser script installed in
/var/lib/dcc/libexec can start per-user whiteclnt files from a prototype
file. It is not necessary to include the global whiteclnt file in each
per-user file with dccm, because dccm applies the global whiteclnt file
if a per-user file fails to provide a black or white answer.

These scripts base their decisions about which additional or "substitute"
headers to show on the -S parameters in DCCM_ARGS in
/var/lib/dcc/dcc_conf. If you are not using dccm but are using dccproc,
you will need to set DCCM_ARGS for any local substitute SMTP headers.
Less useful SMTP headers such as non-null Message-IDs are not supported
to avoid confusing end-users.

The log directory and white list for a local user in
.../userdirs/local/name are mapped to the htpasswd username "name",
while those for remote users, such as in
.../userdirs/esmtp/xxx@example.com, are mapped to esmtp/name@example.com

These scripts must be protected with an equivalent to the following in
httpd.conf:

    ScriptAlias /DCC-cgi-bin/ /var/lib/dcc/cgi-bin/
    <Directory /var/lib/dcc/cgi-bin/>
        allow from all
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
        SSLRequireSSL
        # install the http2https script in your main /cgi-bin/ directory and
        # add something like the following line to redirect HTTP to HTTPS
        # ErrorDocument 403 /cgi-bin/http2https
        AuthType Basic
        AuthName "DCC user"
        AuthUserFile /var/lib/dcc/userdirs/webusers
        require valid-user
    </Directory>

Httpd must be able to read and write the per-user files and directories,
usually by sharing a GID with the DCC user and having the directories
writable-by-group. By default, the newwebuser script uses the group www.

newwebuser      see misc/README
                It is installed in the DCC libexec directory instead of
                the cgi-bin directory so that the HTTP server need not be
                tempted by distant users to execute it.

webuser-notify  send a mail message notifying a user of new DCC log files.
                This file must be edited, copied to the DCC libexec
                directory, and made executable so that the DCC cron
                script can use it.

common          utility functions

list-log        list a user's log files

list-msg        list a single message among the log files

edit-whiteclnt  edit a user's white list file

chgpasswd       change a user's password.
                BEWARE that this script uses `htpasswd -b`, which
                momentarily exposes passwords to other users on the
                system using the `ps` command. On systems with user shell
                accounts, this script should be turned off or replaced
                with something like the HTTPD::UserAdmin Perl module.
                To get it to work at all, you may need to adjust $PATH
                to reach htpasswd.

http2https      CGI script to redirect HTTP accesses to HTTPS.
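
For Apache httpd 2.4, an added example (not part of the DCC distribution) of an equivalent to the httpd.conf block above. It keeps the README's paths, realm and password file, uses the 2.4 `Require` syntax, and replaces the cipher list, which admits LOW, SSLv2 and EXP suites, with a HIGH-only list; the SSLProtocol policy and the cipher string are assumptions about local TLS requirements.

```apache
# Added example for Apache httpd 2.4 with mod_ssl; not from the DCC distribution.
# Paths, realm and password file are the ones used in this README.

# Server or virtual-host context: SSLProtocol is not valid inside <Directory>.
# Assumed policy: TLS 1.2 and newer only.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

ScriptAlias /DCC-cgi-bin/ /var/lib/dcc/cgi-bin/
<Directory /var/lib/dcc/cgi-bin/>
    # Refuse plain HTTP so Basic credentials never cross the wire in clear.
    SSLRequireSSL
    # Strong suites only; no anonymous, export, LOW or MD5-based suites.
    SSLCipherSuite HIGH:!aNULL:!MD5

    # Optional, as in the README: with http2https installed in the main
    # /cgi-bin/ directory, turn the 403 from SSLRequireSSL into a redirect.
    # ErrorDocument 403 /cgi-bin/http2https

    AuthType Basic
    AuthName "DCC user"
    AuthBasicProvider file
    AuthUserFile /var/lib/dcc/userdirs/webusers
    # 2.4 replacement for "allow from all" plus "require valid-user":
    # access is granted only to authenticated users.
    Require valid-user
</Directory>
```

Check the result with `apachectl configtest` before reloading httpd.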

They can be used with the main client DCC log directory and white list by

    0. figure a way to let httpd read the main DCC log files. The only
       ways I see to do that invoke enough security worries to make
       describing them undesirable.

    1. use `/var/lib/dcc/libexec/newwebuser %postmaster` to recreate a
       per-user directory for a local username that is both invalid and
       will not be hit by spammer dictionary attacks

    2. replace the resulting userdirs/%postmaster/log directory with a
       symbolic link to the main log directory:

           rmdir /var/lib/dcc/userdirs/local/%postmaster/log
           ln -s ../../../log /var/lib/dcc/userdirs/local/%postmaster/log

    3. replace the resulting userdirs/%postmaster/whiteclnt file with a
       symbolic link to the DCC client white list:

           rm /var/lib/dcc/userdirs/local/%postmaster/whiteclnt
           ln -f -s ../../../whiteclnt /var/lib/dcc/userdirs/local/%postmaster


Rhyolite Software DCC 1.2.16-1.2 $Revision$