Follow the Procedure
on this page.
The procedure describes how
to set up the Sun Web Server 2.1
to run at multiple labels on a Trusted Solaris 7 host and also how
to set up the browser-based Sun Web Server administration tool,
if desired.
The Sun Web Server is available with the Solaris Easy Access Server
3.0 or
the Solaris ISP 2.0 Server software.
Each web server has its own executable files and
data directories, and may need different
privileges, so you will need to adapt the procedure
on this page to get other web
servers to run. For additional information, see
the "Adding Software"
chapter in the Trusted Solaris Administrator's
Procedures manual. Also see the FAQ
about things to watch out for when installing an application with privileges.
Notes:
The steps are written for experienced Trusted Solaris
administrators.
See Trusted Solaris
Administrator's
Procedures if needed for how to assume a role, access the
administrator's tools, change labels, or perform any other activities
you don't know how to do.
Do not use the
quick-install.sh script included with Sun Web
Server
2.1; it does not work without privileges.
The steps use pkgadd(1M), which has
the security attributes it needs to succeed in
the Trusted Solaris environment assigned in the admin role's profile.
When the name of a role, a label, or a
tool precedes a step, assume the specified role at the specified label
and use
the specified tool as shown here:
Role      Label        Tool or Command
admin     ADMIN_LOW    Admin Editor action
Continue working with the same role, label, or tool until instructed to
change.
If the roles or labels at your site have been
reconfigured, use the appropriate locally-defined roles or labels.
Not all features of the Sun web server
software were tested in the multilabel configuration.
The steps assign the net_privaddr
privilege
to each of the single-label web server
instances. net_privaddr enables the web servers
to bind to HTTP port 80, which is a privileged port.
Do not assign the net_mac_read privilege
to a web server when you want to run multiple single-label servers;
when a process with net_mac_read binds
to a port, the port appears to all subsequent processes as a
multi-level port already in use.
(See the priv_desc(4) man page for descriptions of the named
privileges.)
When another host not running Trusted
Solaris attempts to access the
Trusted Solaris web server, the access is allowed only at the label
defined for the remote host in the tnrhdb/tnrhtp databases.
If no fallback entry exists, and if neither the remote host nor its
network has an entry, the access is denied.
Procedure: Running the Sun Web Server at Multiple Labels
If installing from CD-ROM,
allocate the CD-ROM device and allow the device
to be automatically mounted during allocation.
Install the web server packages
using pkgadd(1M).
The following table shows the packages for the Sun Web Server and for
the
browser-based administration tool. See the Inventory
file on the CD-ROM for
descriptions of all the packages.
No.  Package     Description
2    SUNWhtadm   Sun WebServer Administration Package
3    SUNWhtdoc   Sun WebServer Administration Online Help
4    SUNWhtman   Sun WebServer Online Manual Pages
5    SUNWhtsvl   Sun WebServer Servlet Support package
6    SUNWhttp    Sun WebServer daemon and supporting binaries
7    SUNWhttpc   Sun WebServer Configuration
8    SUNWixavm   Solaris for ISPs JMAPI AVM Classes
9    SUNWixklg   Solaris for ISPs KLG Classes
For Sun Web Server, install the basic packages SUNWhttp and SUNWhttpc
before other packages due to dependencies.
If you want to use the browser-based administration tool, install
SUNWixavm and SUNWixklg before the SUNWhtadm package.
This example shows the pathname to the Sun Web Server on the CD-ROM and
the
proper sequence of packages to install for
the web server and for the administration tool along with its supporting
documentation:
$ cd /cdrom/admin/solaris_easy_access_srvr_3_0/products/Sun_WebServer_2.1/sparc/Product
$ pkgadd -d .
. . .
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: 6 7 8 9 2 3 4 5
Sometimes files are installed whose attributes differ from the defaults,
and
pkgadd refers to them as "conflicting files."
If asked "Do you want to install these conflicting files?" it is
safe to answer yes.
If asked "Construct a server instance?" answer no.
Note: The privileges to
construct a server are not available.
When asked "What name should be used by default to run the Web
Server daemon [root]?,"
press Return to use root.
secadmin    ADMIN_LOW    setfpriv(1M) or File Manager
Assign all allowed privileges to the executables and the web server
daemon.
For Sun Web Server, assign all allowed privileges to all the
ht* executables in /usr/bin
and to /usr/lib/httpd as shown in this example:
$ setfpriv -s -a all /usr/bin/ht* /usr/lib/httpd
If you are enabling the browser-based administrative tool, also
assign all allowed privileges to the /usr/http/bin
executables
and the /usr/http/admin_server/cgi-bin files.
$ setfpriv -s -a all /usr/http/bin/* \
    /usr/http/admin_server/cgi-bin/*
secadmin    ADMIN_LOW    Profile Manager
Create a new web server profile on the host where
the web server software is to run.
Select None from the Name Service menu on the Profile
Manager.
In the Host field, type the hostname where the
web server software is to run, if not the current
local host.
Use the Profiles > New Profile ... option to create a new
profile supplying a name of your choice.
The examples in the following steps use newwebserver
for the profile name.
Add the name of the web server command to the Included
list and specify any needed privileges.
For the Sun Web Server, add the
/usr/bin/htserver command
and give it the following privileges:
Add the name of the web server daemon to the Included
list without specifying security attributes.
For the Sun Web Server, add /etc/init.d/httpd.
Save the new profile and quit the Profile Manager.
secadmin    ADMIN_LOW    User Manager
Assign the new profile to the appropriate role.
Note:
Some web servers, like the Sun Web Server, check that the invoking user
has a real UID of root and fail if the server is run by
any other UID. For web servers that fail without a real UID of root,
assign the new profile to the root role.
root    ADMIN_LOW    Admin Editor action
Modify the script that starts the web server daemon
to use the system shell, sysh(1M), and to consult the newly-created
profile.
Replace the shell in the first line
with /sbin/sysh and add a new second
line. On the second line use the system
shell's setprof built-in command
with the name of the new profile.
For Sun Web Server, modify /etc/init.d/httpd.
This example shows the first line of the script replaced with
#!/sbin/sysh
and setprof with the name of the example
newwebserver profile added on the next line:
#!/sbin/sysh
setprof newwebserver
root    ADMIN_LOW    mkdir(1)
Make an MLD for the web server data.
For Sun Web Server, make /var/http/servername an
MLD. This example uses the name sunwebserver. Any name will do,
since it is used only internally.
# mkdir -M /var/http/sunwebserver
root or whichever role was assigned the new profile in step 8    ADMIN_LOW    any new terminal window; htserver
Bring up a new terminal window (which puts
the profile changes into effect for the role).
Create a web server instance.
For Sun Web Server, run the htserver add servername
command. For servername, use the name of the MLD you created in
step 11.
This example uses the name sunwebserver.
# htserver add sunwebserver
Enable the web server so it starts
when the host reboots.
For Sun Web Server, run the htserver enable
servername command.
For servername, use the name of the MLD you created in
step 11.
This example uses the name sunwebserver.
# htserver enable sunwebserver
root    ADMIN_LOW    rmdir(1), mkdir(1)
For Sun Web Server, create an MLD for the /var/http/doors
directory.
This example uses the name sunwebserver and assumes
that .SLD.0 is the SLD labeled at ADMIN_LOW.
# cd /var/http/.MLD.sunwebserver/.SLD.0
Copy files from the MLD at the current label.
Note: Running the tar command as shown in
the example below copies the files into an SLD
at the current working label.
This example uses the name sunwebserver.
# tar cf - . | (cd /var/http/sunwebserver; tar -xpvf - )
Repeat for all the desired labels.
secadmin    all labels at which the web server is to run    Change Workspace SL options from the Trusted Path menu; cd(1); chown(1)
Change the permissions on the SLDs created in the previous step.
Change the secadmin role's workspace SL to the desired label.
Change the owner of the server name directory to adm.
For Sun Web Server, change the owner of
/var/http/servername to adm.
This example shows the name sunwebserver.
$ chown -Rh adm /var/http/sunwebserver
Repeat the previous substeps once for each label used in the previous
step.
root    ADMIN_LOW    ln(1)
Create a hard link to the executable for each of the labels at which
the web server is to run.
For Sun Web Server, create links from /usr/bin/htserver.
This example shows links whose names reflect the labels at which the
server is to run.
[Table of link names: each link is assigned the label that corresponds to the name of the link*]
*For example, for htserver.conf, both the
Min SL and Max SL would be CONFIDENTIAL.
Repeat the previous substep for each of the labels at which the
web server is to run.
root    ADMIN_LOW    Admin Editor action
Open the /etc/init.d web daemon startup file for
editing and modify it to run the new daemons.
For Sun Web Server, modify the /etc/init.d/httpd file, replacing the default
commands with the new multiple
commands in the start and stop sections.
This example shows the default server startup command
$BASEDIR/usr/bin/htserver replaced with the new commands
that are configured to run at multiple labels.
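The hard-link step above depends on the per-label names being links to the one privileged /usr/bin/htserver inode rather than copies. This added shell check (not from the Trusted Solaris page or from Sun Web Server) builds the links under a constructed root and verifies that each shares the original's inode and that the link count matches. It assumes that file privileges set with setfpriv are inode attributes, shared by hard links but not by copies, and the lower-cased label suffixes it uses are constructed, not the page's own link names.

```shell
#!/bin/sh
# Added example (not from the Trusted Solaris page or Sun Web Server).
# Assumption: privileges set with setfpriv live on the inode, so a hard
# link carries them while a copied file does not.

# make_label_links ROOT LABEL... : link ROOT/usr/bin/htserver.<label> to htserver
make_label_links() {
    root=$1; shift
    bin="$root/usr/bin/htserver"
    for label in "$@"; do
        # Constructed naming: lower-cased label, e.g. htserver.confidential
        lc=$(printf '%s' "$label" | tr 'A-Z' 'a-z')
        ln "$bin" "$bin.$lc" || return 1
    done
}

# check_label_links ROOT : prints "ok" when every htserver.* shares the
# inode of htserver and the link count is original plus one per label;
# otherwise prints each offending file and returns non-zero.
check_label_links() {
    root=$1
    bin="$root/usr/bin/htserver"
    want=$(ls -i "$bin" | awk '{print $1}')
    bad=0; n=0
    for f in "$bin".*; do
        [ -e "$f" ] || continue
        n=$((n + 1))
        got=$(ls -i "$f" | awk '{print $1}')
        if [ "$got" != "$want" ]; then
            echo "copy, not link: $f"; bad=1
        fi
    done
    # Column 2 of ls -l is the hard-link count
    links=$(ls -l "$bin" | awk '{print $2}')
    [ "$links" -eq $((n + 1)) ] || { echo "link count $links != $((n + 1))"; bad=1; }
    [ "$bad" -eq 0 ] && echo ok
}

# Demo on a constructed root in a temp dir; no Trusted Solaris host needed
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/bin"
printf '#!/bin/sh\necho htserver stub\n' > "$demo_root/usr/bin/htserver"
chmod 755 "$demo_root/usr/bin/htserver"
make_label_links "$demo_root" CONFIDENTIAL SECRET
check_label_links "$demo_root"
rm -rf "$demo_root"
```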