Website:System Integration
From MatureAsskickers Wiki
Contents |
System Integration
The application is embedded within the operating system. It does this through its ability to read and modify configuration files, and make system calls with sudo to control various services running on the server. This control is handled automatically and is based on the data that is present in the users and groups. Whenever a user or group is manipulated the application examines the changes and carries out the tasks required to reflect these changes in these services immediately. There is no way to change the core behaviour of these tasks and all data is strictly validated and maintained internally to prevent any unwanted or unwarranted behaviour.
Smarty
“One of Smartys primary design goals is to facilitate the separation of application code from presentation. Typically, the application code contains the business logic of your application, written and maintained in PHP code.” - Why use it?, [1]
The XML utilizes the Smarty [2] templating and caching. The templates can be individually customized to produce different variations of XML output for each table. The cache automatically stores a full serialized output from the MySQL queries requesting data to populate the XML templates. This cache is created from a full output with no permission restrictions and permissions are only applied to the cached output when it is used to populate the XML template afterwards which reduces the number of different copies of data being stored on the filesystem because of the different possible permission variations. Whenever data is modified the respective cache(s) are deleted immediately so the application only produces the most recent data in the XML output(s). This reduces the load on the MySQL server significantly because the dynamic data is relatively static for the majority of its lifetime.
Sendmail
The application automatically generates the Sendmail [3] aliases (addresses) file(s) from the user, group, and groupusers (usergroups). It also instructs Sendmail to (re)load these files whenever change(s) are made. In order to have a user(s) on the alias list, they must have a valid email address, a valid useralias, and the user must not be expired. In order to have a group(s) on the alias list, it must have at least one groupuser (usergroup), a valid groupalias, and the group must not be expired.
A user without a valid useralias will still receive aliased email to a group if they still have a valid email and are a groupuser (usergroup).
Each user can only have one useralias. If more than one Sendmail alias is needed add a new group with the second alias as a groupalias, then add that user to that group.
Filesystem
The application handles files differently than with the other tables. It does not store its table relationship with the file(s) using a unique id, but rather the file(s) inode and md5sum are stored instead. Inodes do not change if the file is moved to a different path on the same partition. This allows the files to be maintained (moved, renamed, backup and restore) on the filesystem through any means (shell, FTP etc.) without breaking the file(s) relationship to the applications data. However if the file(s) are moved to a different partition the inode will change, at which time the application will automatically failover to the file(s) md5sum instead. This allows the applications relationship to naturally replicate itself for identical files. For example, if comments are added to a specific file and afterwards an exact copy of this file is uploaded all of the comments will naturally replicate themselves for each identical copy (md5sum). Due to this failover no file should be moved to a different partition and then modified or the application will not be able to track its relationship and all internal links (comments etc.) will get lost.
HTTP
The application handles HTTP authentication automatically if a .htaccess file is present in the current directory [1]. It uses apaches' [4] mod_auth_mysql [5] to syncronize the users and groups with HTTP authentication in real-time.
Authentication
When a .htaccess file specifies HTTP authentication, the session will be presented with the standard HTTP authentication prompt requesting them to enter their username and password. Assuming they are non-expired user or [5] a user in a non-expired group, they only need to provide their own username and password. Their forum username and password (if applicable) are not accepted here. Recruits are also not accepted here.
.htaccess
HTTP authentication is not automatically enforced. Authentication is only enforced if a .htaccess [1][3][4] file is within the current directory. A .htaccess file can be added manually whenever possible (shell only) but this does not allow the application to control the users or [5] groups permitted to access the directory, especially whenever the user and/or group data changes. In these cases a .htaccess.tpl file can be used to both personally customize the behaviour of the directory while also lending the application control over the user or [5] group access list.
See Apache's documentation on htaccess files [6].
The .htaccess.tpl file [2][3][4] is a Smarty template which is parsed and used to generate a .htaccess file whenever the directory is viewed or an XML representation is requested. The following Smarty variables are available for use within the .htaccess.tpl template.
- validusers (array) An array of users that have either the current directory or a parent directory in its ftpchroot.
- validgroup (array) An array of groups that have either the current directory or a parent directory in its ftpchroot field.
- timestamp (string) A timestamp of when this .htaccess.tpl template was used to generate the .htaccess file.
- path (string) The current working relative path. For use with mod_rewrite [7].
- template (string) The template used to generate this file with the full 'realpath' (symlinks are translated).
Sample .htaccess.tpl
{*
YOU CAN IGNORE THE FOLLOWING WARNING
THIS _IS_ THE FILE YOU NEED TO EDIT ;)
WHEN CREATING AN ALTERNATE TEMPLATE KEEP THESE REMARKS INTACT.
Templates are searched for using the following precedence:
first search for template in local folder './.htaccess.tpl'
search parent '../.haccess.tpl'
search parents parent '../../.haccess.tpl'
and so on until...
search 'DOCUMENT_ROOT/.htaccess.tpl'
finally search 'SMARTY_TEMPLATE_DIR/htaccess.tpl'
Note: The htaccess templates within DOCUMENT_ROOT are named '.htaccess.tpl'.
The htaccess template within SMARTY_TEMPLATE_DIR is named 'htaccess.tpl'.
Smarty Variables:
(array) validusers
(array) validgroups
(string) timestamp
(string) directory // the current full path
(string) path // the current virtual path
(string) template // the path/to/file.ext of this template
Note: Wrap '{', '}' with '{literal}', '{/literal}' to escape Smarty parsing.
*}
# ---------------------
# DO NOT EDIT THIS FILE
# This file is automatically generated from a smarty template.
# To modify this file edit the template instead.
# Template: {$template}
# Generated: {$timestamp}
# Directory: {$directory}
# Virtual Path: {$path}
# ---------------------
{* AUTHENTICATION - mod_auth_mysql
IMPORTANT: DO NOT enable both 'require user' AND 'require group'.
They walk over each other and they do not combine properly.
Use one or the other, but never both, even with 'satisy all'.
*}
{if $validusers}
require user {foreach from=$validusers item=validuser}"{$validuser}" {/foreach}
{elseif $validgroups}
require group {foreach from=$validgroups item=validgroup}{$validgroup} {/foreach}
{else}
require user valid-user
{/if}
{* INDEXING *}
Options +Indexes
IndexOptions FancyIndexing FoldersFirst SuppressDescription IconWidth=20
DirectoryIndex index.html index.htm
# IndexIgnore header.html footer.html
# HeaderName header.html
# ReadmeName footer.html
{* AVOID 500 ERROR *}
AddDefaultCharset utf-8
{* ERROR CONTROL *}
# ErrorDocument 403 /forbidden.html
ErrorDocument 404 /
# ErrorDocument 500 /servererror.html
{* REDIRECT *}
# Redirect oldpage.html http://domain.com/
# Redirect /olddir http://domain.com/
{* BLOCK IP's *}
<limit GET POST PUT>
order deny,allow
deny from 127.0.0.1
allow from all
</limit>
{* PREVENT IMAGE HOTLINKING *}
RewriteEngine on
RewriteCond %{literal}{HTTP_REFERER}{/literal} !^$
RewriteCond %{literal}{HTTP_REFERER}{/literal} !^http://(www\.)?domain.com/.*$ [NC]
RewriteRule \.(gif|jpg|jpeg|png)$ - [F]
{* REMOVE PHP/CGI HANDLING *}
RemoveHandler .cgi .php
RemoveType .cgi .php
There are some important behaviours of the application to considder when deciding which directories require a .htaccess file.
- [1] The application will NOT attempt to (re)generate a .htaccess file if there is NOT a .htaccess AND NOT a .htaccess.tpl file(s) in the current directory. If either IS present Smarty will (re)generate the .htaccess file.
- [2] If a .htaccess file is NOT present but a .htaccess.tpl file IS present in the current directory, Smarty will generate a new .htaccess file.
- [3] If a .htaccess file IS present but a .htaccess.tpl file is NOT present in the current directory it will recursively search parent directories until the first .htacess.tpl file is found and Smarty will use that as it's template to regenerate the .htaccess file in the current directory. This may seems pointless since HTTP authentication is naturally inherited through child directories, but keep in mind that the permissions may change depending on the user ftpchroot and group ftpchroot and/or the requirements for special .htaccess rules such as mod_rewrite [8] in certain directories.
- [4] If a .htaccess file is present but the .htaccess.tpl file is NOT present in the current directory AND NOT in any of the parent directories it will use the default htaccess.tpl file in the global Smarty template directory to regenerate the .htaccess file in the current directory.
- [5] In a .htaccess file require user and require group cannot be used together. Doing so does not create either an AND or an OR condition, it breaks the authentication completely. Even with satisfy any. Only one or the other should be used. Take notice to the if, elseif condition in the sample template above.
- [7] In a .htaccess.tpl file when using curly-Q brackets { } in the .htaccess.tpl, they need to be escaped with Smarty literal tags {literal}...{/literal}. This will probably be required when using mod_rewrite [9].
FTP
The application handles FTP authentication automatically. The FTP server is the pureftpd [10] daemon that syncronizes its authentication with the user(s) and group(s) in real-time. FTP grants full read and write access with no quotas in order for users to manage files. If only read access is needed used HTTP access instead.
Authentication
When authenticating with the server the user can either authenticate as a user, or a group user (user group).
Users
- Authenticating with FTP as a user requires the user to be non-expired, have the ftp.user permission, and have a ftpchroot value that resides within the jail directory defined in the configuration file.
- The ftp.user permission is ignored in the group grouppermissions and usergroups usergroupermissions.
- Users authenticating with FTP need to enter their personal username and password. Their forum username and password (if applicable) are not accepted here. Recruits are also not accepted here.
- Once authenticated they are ftpchroot jailed in the users ftpchroot directory and have full read and write access with no quotas.
Group Users
- Authentication with FTP as a groupuser (usergroup) requires the user to be non-expired, the group to be non-expired, have the ftp.group permission in either the userpermissions, grouppermissions, or usergrouppermissions field, and have a ftpchroot value that resides within the jail directory defined in the configuration file.
- When authenticating with FTP the user needs to enter their username with the groupname in dot notation 'username.groupname' along with their password. Their forum username and password (if applicable) are not accepted here. Recruits are also not accepted here.
- Once authenticated they are ftpchroot jailed in the groups ftpchroot directory and have full read and write access with no quotas.
