Hi Mike,
> Where/how do I put a .htaccess file to limit access to Admin/Site
> administrator of the main server and specific site/s? (something similar
> to /etc/hosts.allow and hosts.deny to filter ssh services, etc.) Does
> anyone here do something similar but with different methods?
That is not necessary on BlueQuartz. The GUI handles this already by itself
and all GUI pages have checks in them to make sure that they only are
accessible by users with the right privileges.
Users must exist in the PAM database (or must be identifiable through PAM) and
must be recorded in CODB to be able to use the GUI. The level of access a
user may have is stored in CODB for each user and privilege levels are
defined through grantable "capabilities".
Typical grantable capabilities on a BlueQuartz are:
modifyEmail
modifySnmp
modifyFtp
modifyServerSWUpdate
destroySWUpdateServer
destroyPackage
createPackage
modifyTelnet
siteAdmin
modifyAsp
modifyPackage
modifyArkeia
modifySystemTime
modifyNetBackup
siteFrontpage
modifyHttpd
adminBlueLinq
ipPooling
controlPower
scanDetection
siteAnonFTP
createSWUpdateServer
serverBackup
dnsAdmin
siteSSL
systemMonitor
modifyDNS
webServices
adminUser
overflow
networkServices
modifyJava
modifyNetWorker
modifySWUpdateServer
siteShell
serverConfig
On BlueQuartz you have up to four levels of privilege groups, or users of four
different privilege classes:
Regular user: Has only access to "Personal Profile" to modify his email
settings (forwarder, auto-responder), password and GUI settings.
SiteAdmin: Has access to the user management of his site, can access his site's
settings read only, has access to the statistics of his site and may
(optionally) modify the DNS records of his site.
Extra-Admin: May manage the server with (almost) equal privileges to
user "admin". Can be granted the power to reboot, to allocate IPs and may
have optional "root" shell access.
Admin: Can use any feature of the GUI and can use "root" shell access without
jumping through loops.
The privilege class a user belongs to determines how many "capabilities" from
the above list he has. Admin has access to all capabilities, Extra-Admin has
almost all, siteAdmins have a few (but are restricted to the site they
belong to) and a regular user has the least.
The powers of regular users and siteAdmins are quite limited and the GUI is
very resilient to not disclose information to users which they're not supposed
to see. So a user cannot access stuff of other users and siteAdmins can see
only stuff of their own site, but not that of any other site or of any user
not belonging to their site.
--
With best regards,
Michael Stauber