{= include("docs.util"); start_docs_page(docs.technical_manual.page_titles.security); =}
Since $PRODUCT_NAME runs as a CGI program or as a web server, it publishes its interface to any web browser which can reach its server. This is a powerful feature, but it also introduces security issues. $PRODUCT_NAME has a number of features which address these issues:
Non-administrative users can access $PRODUCT_NAME through the profile list (the same as administrative users). When a non-administrator is logged in, the profile list only allows users to view the reports of profiles; users cannot create, edit, or delete profiles, and they cannot build, update, or modify the database of any profile. The profile list is available at:
http://www.myhost.com:8988/
in web server mode, or
http://www.myhost.com/cgi-bin/$PRODUCT_EXECUTABLE_DOCS
in CGI mode.
If you wish to take it a step further, and not even present the profiles list to users, you can refer users to the reports for a particular profile:
http://www.myhost.com/cgi-bin/$(PRODUCT_EXECUTABLE_DOCS).cgi?dp=reports&p=profile&lun=user&lpw=password
replacing profile with the name of the profile, user with the username, and password with the password (this should all be on one line). Accessing this URL will show the reports for the specified profile, after logging in as the specified user using the specified password.
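Because the username and password travel in the query string of this URL, they are recorded wherever URLs are recorded (browser history, proxy logs, web server access logs). The following added example (Python, not part of the product; the base URL and sample values are constructed placeholders) builds the URL with each value percent-encoded and masks the lun and lpw values before a URL or log line is stored or shared.

```python
# Added example, not the product's own code; names here are illustrative.
import re
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qsl, quote

# Query parameters named on this page that carry login credentials.
CREDENTIAL_PARAMS = {"lun", "lpw"}


def build_report_url(base_url, profile, user, password):
    """Return the direct-report URL (dp=reports&p=...&lun=...&lpw=...).

    Values are percent-encoded so that characters such as '&', '=' or a
    space in a profile name or password cannot split or alter the query.
    """
    params = [("dp", "reports"), ("p", profile), ("lun", user), ("lpw", password)]
    return f"{base_url}?{urlencode(params, quote_via=quote)}"


def redact_url(url, mask="REDACTED"):
    """Mask the lun/lpw values in one URL, leaving other parameters intact."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, mask if k in CREDENTIAL_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned, quote_via=quote)))


# Matches lun=/lpw= values inside free text such as an access-log line.
_CRED_RE = re.compile(r'(?<![A-Za-z0-9_])(lun|lpw)=[^&\s"]*')


def redact_log_line(line, mask="REDACTED"):
    """Mask credential values wherever the URL appears in a log line."""
    return _CRED_RE.sub(lambda m: f"{m.group(1)}={mask}", line)


if __name__ == "__main__":
    # Constructed sample values; host and executable name are placeholders.
    url = build_report_url(
        "http://www.myhost.com/cgi-bin/product.cgi", "web logs", "alice", "p&ss=1"
    )
    print(url)
    print(redact_url(url))
    log = f'203.0.113.7 - - [01/Jan/2024:00:00:00 +0000] "GET {url} HTTP/1.1" 200 512'
    print(redact_log_line(log))
```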
$PRODUCT_NAME also provides detailed control over the file and $lang_stats.directory permissions of the files and $lang_stats.directories it creates; see {=docs_chapter_link('permissions')=}.
{= end_docs_page() =}