New York University Faculty of Arts and Science College of Arts and Science Graduate School of Arts and Science

The Web @ Courant

Setting up a web page


Web Hosting Policy

All users are responsible for the content of their site. If a user allows community-based content to be posted, the person running the site is responsible for monitoring ALL data and securing the site (this includes any upload scripts, wikis, blogs, bulletin boards, etc.). We recommend that all uploaded content be posted only after review and that submission of data be restricted to valid users. If inappropriate material is found or reported on your site, any users who are responsible for the account are subject to disciplinary action, including losing web privileges.


Secure Computing Policy

Any web based script that allows posting of data and then utilizes this data in some form has a potential for a security violation. Please be completely aware of the security implications before allowing this. Some things to consider when allowing posting of data: SQL or parsing injection, spam, malicious/inappropriate content, and account/data compromises. Many of these may even have legal implications and should be considered appropriately.


Setting up a homepage at Courant

Creating a web directory

You can set up a web page by simply placing it under the directory /web/$USER (where $USER is your CIMS username). If you have access to another document hierarchy, such as a research group or administrative page, the same instructions apply except for the directory path.

All filesystems are mounted on all the webservers and the webservers are configured to treat a user's /web directory as if it were part of the document hierarchy.
Note: HTML files outside your /web hierarchy will not be accessible via the web server.

The minimum permissions of your /web directory should be as follows:

chmod 711 /web/$USER
chmod 644 /web/$USER/index.html

PHP programming

Warning: Any scripts that use variables passed to them have potential for security exploits. Please be aware of the security implications and realize that web based scripts run as your user and can compromise your account. This is especially so with non-restricted upload scripts!

Courant supports PHP scripting in your /web directory. Any file that ends with .php will be interpreted as a PHP script file. Please see PHP's official page for further documentation.

Error reporting is disabled by default, for security reasons, but can be enabled with the following lines:

ini_set('display_errors', true);
ini_set('display_startup_errors', true);
error_reporting(E_ALL);


This will only report programming errors, not syntax errors. To detect syntax errors, run "php filename.php" on any Linux server.

 

CGI programming

Warning: Any scripts that use variables passed to them have potential for security exploits. Please be aware of the security implications and realize that web based scripts run as your user and can compromise your account. This is especially so with non-restricted upload scripts!

CGI access is provided via two possible mechanisms, both of which check CGI scripts for possible security holes. The first is Apache's suexec, the second is cgiwrap. Since these methods differ somewhat, it is possible that a script denied by one will be accepted by the other. Ideally, your scripts should work with both. If a script stops working with one method, try the other. It may be that a security hole was reported in the method that you were using, which forced us to disable it until a patched version could be put in place.

Place your scripts in /web/$USER/cgi-bin (subdirectories are allowed). If the directory doesn't exist, create it by running:

  • mkdir /web/$USER/cgi-bin

Set the permissions for your cgi-bin directory and scripts as follows (a world-writable script will be disabled for security reasons):

  • chmod 711 /web/$USER/cgi-bin
  • chmod 755 /web/$USER/cgi-bin/sample-script.cgi

The URL for a CGI program using cgiwrap is:

  • http://server/cgi-bin/cgiwrap/~username/sample-script.cgi

The URL for a CGI program using suexec is:

  • http://server/~username/cgi-bin/sample-script.cgi

Here is a sample-script.cgi file for an example (copy the content and paste into sample-script.cgi in your cgi-bin directory):

#!/usr/local/bin/perl -wT
print "Content-type: text/html\n\n";
print "<html><head><title>Hello World</title></head>\n";
print "<body>\n";
print "<h2>Hello, world!</h2>\n";
print "</body></html>\n";

Restricting Access

Restricting access can be based on nyu netids, cims usernames, domains, etc. This can be done by adding the appropriate directives to an .htaccess file in the directory to be restricted.

Being included on a list

To have a link to your homepage included on one of the web pages maintained by the Institute, please see that page for how to apply for such a link.

Obtaining logs of your web hits

To obtain logs of your web hits simply do the following:

  1. Create a file called .dolog in your /web directory that contains a one-line entry specifying the web server you would like the logs for. Valid entries are: math, cs, cims, cs1, i6
    Note: you may only include one web server.
  2. Create a directory called logs in your /web directory.

The logs will be updated in the early morning hours on a nightly basis. You can view them in your browser by using the following URL, http://webserver_name/~username/logs.

Listing Directory Contents

The listing of directory contents for directories without an index.html is not generally enabled. It is, however, enabled for all public_html directories as well as some others. For the contents of a directory to be listed, the permissions on that directory have to be somewhat different from those of directories containing an index.html. The correct permissions are:

chmod 755 /web/$USER/somedirectory

It is best to enable this for chosen subdirectories under your /web directory to avoid inadvertently listing the contents of your /web directory.

In addition, you may have to add a .htaccess file to the directory, consisting of the following:

Options +Indexes
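
The permission rules given on this page (711 on /web/$USER and cgi-bin, 644 on pages, 755 on CGI scripts, nothing world-writable, and a web root that others cannot list) can be checked in one pass. The script below is an added example, not part of Courant's tooling; the function name audit_web_dir and the finding labels are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a web directory against the permissions this page asks for.
# audit_web_dir and the finding labels are illustrative names, not site tools.
# Usage: sh audit.sh /web/$USER   (one finding per line; exit status 1 if any)

audit_web_dir() {
    root=$1
    findings=$(
        # Web root should be 711: o+r on it lets others list its contents
        # wherever directory indexes are enabled.
        find "$root" -prune -type d -perm -0004 \
            -exec printf 'ROOT_LISTABLE %s\n' {} \;
        # World-writable scripts are disabled by the CGI wrappers, and a
        # world-writable page or directory can be altered by any local user.
        find "$root" ! -type l -perm -0002 \
            -exec printf 'WORLD_WRITABLE %s\n' {} \;
        # Directories need o+x (the 1 in 711) for the web server to enter them.
        find "$root" -type d ! -perm -0001 \
            -exec printf 'DIR_NOT_TRAVERSABLE %s\n' {} \;
        # CGI scripts need the owner execute bit (755).
        if [ -d "$root/cgi-bin" ]; then
            find "$root/cgi-bin" -type f ! -perm -0100 \
                -exec printf 'CGI_NOT_EXECUTABLE %s\n' {} \;
        fi
        # Pages and images outside cgi-bin need o+r (644) to be served.
        # Dotfiles such as .dolog are skipped here.
        find "$root" -path "$root/cgi-bin" -prune -o \
            -type f ! -name '.*' ! -perm -0004 \
            -exec printf 'FILE_NOT_READABLE %s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_web_dir "$1"
fi
```

A subdirectory deliberately set to 755 for listing is not reported; only the web root is checked for listability, matching the advice above to enable listing on chosen subdirectories only.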

 


Composing a Webpage in Linux

  1. Set the minimal permissions of the /web directory by executing the following command:
      • chmod 711 /web/$USER
  2. To create an .html file, open a Mozilla SeaMonkey browser. Under the Window tab, select Composer. A blank page will be shown and it is here that you will design your webpage. When satisfied, save the .html file to the /web/$USER folder in your home directory. In order for your webpage to be viewable by other users, you will need to change the permissions of the file you just created. Open a Terminal and execute the following command:
      • chmod 644 /web/$USER/YOUR_HTML_FILE

Your page should be accessible by entering the URL

http://SERVER/~USER_NAME/YOUR_HTML_FILE.html

where SERVER is one of cims.nyu.edu, cs.nyu.edu, i6.cims.nyu.edu; USER_NAME is your account login; and YOUR_HTML_FILE is the .html file you just created.

Note: Any files that are used in your .html files (e.g. image files) must be stored in your /web folder and have their permissions set using the chmod 644 command listed above.


Composing a Webpage in Windows

  1. To create an .html file, open a SeaMonkey browser. Under the Window tab, select Composer. A blank page will be shown and it is here that you design your webpage. When satisfied, save the .html file to \\sam.cims.nyu.edu\web.
  2. In order for your webpage (.html file) to be viewable by other users, you will need to change the permissions of the file you just created. To do so, open your \\sam.cims.nyu.edu\web folder and:
    • Right-click the .html file and Select Properties.
    • Click the Security tab.
    • Click Everyone. Check the "Read and Execute" and "Read" boxes.
    • Now Click your user name. Check the "Full Control" box. Then Click Apply.

Your page should be accessible by entering the URL: http://SERVER/~USER_NAME/YOUR_HTML_FILE.html

where SERVER is one of cims.nyu.edu, cs.nyu.edu, i6.cims.nyu.edu; USER_NAME is your account login; and YOUR_HTML_FILE is the .html file you just created.

Note: Any files that are used in your .html files (e.g. image files) must be stored in your public_html folder and have their permissions set per the instructions above for .html files.

Note: If you are using an IDE for composing web pages, such as Dreamweaver, and you are uploading your pages through it, you will need to update the permissions of the files once they are on our servers. Alternatively, you can run the following command:

setfacl -r -m \
default:user::rwx,default:group::---,default:other:r-x public_html

This will set the default ACL and ignore umask settings in your public_html directory hierarchy.


Creating a MySQL Database

Warning: If allowing web-based content to a MySQL database, always be aware of the SQL Injection exploits that are possible.

Please see here for documentation on Courant's database service.

If you are running a database on courses1, you may need to refer to this page. If you would like to migrate from a courses1 database to the new hosted system, please see this page.