Security


Since Sawmill runs as a CGI program or as its own web server, it publishes its interface to any web browser that can reach its server. This is a powerful feature, but it also introduces security issues. Sawmill has a number of features that address these issues:

  1. Non-administrative users can access Sawmill through the profile list (the same one administrative users see). When a non-administrator is logged in, the profile list only allows users to view the reports of profiles; users cannot create, edit, or delete profiles, and they cannot build, update, or modify the database of any profile. The profile list is available at:

      http://www.myhost.com:8988/

    in web server mode, or

      http://www.myhost.com/cgi-bin/sawmill

    in CGI mode.

  2. If you wish to take it a step further, and not even present the profiles list to users, you can refer users to the reports for a particular profile:

      http://www.myhost.com/cgi-bin/sawmill.cgi?dp=reports&p=profile&lun=user&lpw=password

    replacing profile with the name of the profile, user with the username, and password with the password (this should all be on one line). Accessing this URL will show the reports for the specified profile, after logging in as the specified user with the specified password.

  3. Only authorized administrators (users who know the username and password of a Sawmill administrator, chosen at install time) may create new profiles, and only authorized administrators may modify profiles. Without administrator access, a user cannot create a new profile, modify an existing profile in any way, or perform any of the other tasks available in the administrative interface.
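
As an added example (not Sawmill's own code), the report URL from item 2 assembled with proper encoding, followed by a defender-side check: because lun and lpw travel in the query string, the web server's access log records them, so the helper scans constructed sample log lines for such requests and redacts the password value before the log is retained. The log lines, host and credentials below are made up; only the dp, p, lun and lpw parameter names come from the page.

```python
import re
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/sawmill.cgi?dp=reports&p=webstats&lun=alice&lpw=s3cret HTTP/1.1" 200 5120
10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /cgi-bin/sawmill.cgi?dp=reports&p=webstats HTTP/1.1" 302 0
10.0.0.9 - - [10/Oct/2023:13:57:12 +0000] "GET /index.html HTTP/1.1" 200 1043
"""

# Extracts the request target from the quoted "METHOD target HTTP/x.y" field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def build_report_url(base, profile, user, password):
    """Build the direct-report URL from item 2, URL-encoding each value
    (profile names with spaces or '&' would otherwise corrupt the query)."""
    query = urlencode({"dp": "reports", "p": profile, "lun": user, "lpw": password})
    return f"{base}?{query}"


def find_credential_urls(log_text):
    """Return (line_no, user, profile) for every request whose query string
    carries an lpw= parameter, i.e. a password that is now stored in the log."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group("target")).query)
        if "lpw" in qs:
            hits.append((n, qs.get("lun", [""])[0], qs.get("p", [""])[0]))
    return hits


def redact_line(line):
    """Replace the value of lpw= with a fixed marker; lines without it are unchanged."""
    return re.sub(r'(?<=[?&]lpw=)[^&\s"]*', "REDACTED", line)


if __name__ == "__main__":
    print(build_report_url("http://www.myhost.com/cgi-bin/sawmill.cgi", "webstats", "alice", "s3cret"))
    for line_no, user, profile in find_credential_urls(SAMPLE_LOG):
        print(f"line {line_no}: password for user {user!r} (profile {profile!r}) is in the log")
    print(redact_line(SAMPLE_LOG.splitlines()[0]))
```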

Sawmill also provides detailed control over the file and directory permissions of the files and directories it creates; see File/Directory Permissions.