New York University Faculty of Arts and Science College of Arts and Science Graduate School of Arts and Science

The Web @ Courant

Setting up a web page


Web Hosting Policy

All users are responsible for the content of their site. If a user allows community-based content to be posted, the person running the site is responsible for monitoring ALL data and securing the site (this includes any upload scripts, wikis, blogs, bulletin boards, etc.). We recommend that all uploaded content be posted only after review and that submission of data be restricted to valid users. If inappropriate material is found or reported on your site, any users who are responsible for the account are subject to disciplinary action, including losing web privileges.


Secure Computing Policy

Any web based script that allows posting of data and then utilizes this data in some form has a potential for a security violation. Please be completely aware of the security implications before allowing this. Some things to consider when allowing posting of data: SQL or parsing injection, spam, malicious/inappropriate content, and account/data compromises. Many of these may even have legal implications and should be considered appropriately.


Setting up a homepage at Courant

Creating a web directory

All users can set up a web page by simply creating a subdirectory called public_html in the top level of their home directory into which they can place their manually created HTML files. If you have access to another document hierarchy, such as a research group or administrative page, the same instructions apply except for the directory path.

All filesystems are mounted on all the webservers and the webservers are configured to treat a user's public_html directory as if it were part of the document hierarchy.
Note: HTML files outside your public_html hierarchy will not be accessible via the web server.

The minimum permissions of your public_html directory should be as follows:

chmod 701 $HOME
chmod 701 $HOME/public_html
chmod 604 $HOME/public_html/index.html

PHP programming

Warning: Any scripts that use variables passed to them have potential for security exploits. Please be aware of the security implications and realize that web based scripts run as your user and can compromise your account. This is especially so with non-restricted upload scripts!

Courant supports PHP scripting in your public_html directory. Any file that ends with .php will be interpreted as a PHP script file. Please see PHP's official page for further documentation.

Error reporting is disabled by default, for security reasons, but can be enabled with the following lines:

ini_set('display_errors', true);
ini_set('display_startup_errors', true);
error_reporting(E_ALL);


This will only report programming errors, not syntax errors. To detect syntax errors, run "php filename.php" on any Linux server.

 

CGI programming

Warning: Any scripts that use variables passed to them have potential for security exploits. Please be aware of the security implications and realize that web based scripts run as your user and can compromise your account. This is especially so with non-restricted upload scripts!

Cgi-bin access is provided via two mechanisms, both of which check CGI scripts for possible security holes. The first is Apache's suexec; the second is cgiwrap. Since these methods differ somewhat, it is possible that a script denied by one will be accepted by the other. Ideally, your scripts should work with both. If a script stops working with one method, try the other: a security hole may have been reported in the method you were using, forcing us to disable it until a patched version could be put in place.

Place your scripts in ~/public_html/cgi-bin (subdirectories are allowed). If the directory doesn't exist, create it by running:

  • mkdir $HOME/public_html/cgi-bin

Set the permissions for your cgi-bin directory and scripts as follows (making scripts world writable will disable the script due to security implications):

  • chmod 701 $HOME/public_html/cgi-bin
  • chmod 705 $HOME/public_html/cgi-bin/sample-script.cgi
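The modes given here and under "Creating a web directory" can be checked mechanically. The script below is an added example, not part of Courant's documentation or tooling; the function name audit_web_perms and the finding labels are made up for illustration.

```shell
#!/bin/sh
# Added example, not Courant's own tooling.
# Usage: audit_web_perms "$HOME"   (prints findings, returns 1 if any)
audit_web_perms() {
    home=${1:-$HOME}
    web=$home/public_html
    cgi=$web/cgi-bin
    findings=$(
        # 701: the modes on this page grant access through the "other"
        # bits, so every directory on the path needs other-execute (search).
        for d in "$home" "$web" "$cgi"; do
            [ -d "$d" ] || continue
            find "$d" -prune ! -perm -001 -exec echo NO-SEARCH-BIT {} \;
        done
        if [ -d "$web" ]; then
            # World-writable files or directories can be replaced by any
            # local user; the page notes such CGI scripts are disabled.
            find "$web" \( -type f -o -type d \) -perm -002 \
                -exec echo WORLD-WRITABLE {} \;
        fi
        if [ -d "$cgi" ]; then
            # 705: files in cgi-bin need other read and execute to run.
            find "$cgi" -type f ! -perm -005 -exec echo CGI-NOT-RX {} \;
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

The non-zero return value makes the function usable from a cron job or a login script that should only speak up when something is wrong.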

The URL for a CGI program using cgiwrap is:

  • http://server/cgi-bin/cgiwrap/~username/sample-script.cgi

The URL for a CGI program using suexec is:

  • http://server/~username/cgi-bin/sample-script.cgi

Here is a sample-script.cgi file for an example (copy the content and paste into sample-script.cgi in your cgi-bin directory):

#!/usr/local/bin/perl -wT
print "Content-type: text/html\n\n";
print "<html><head><title>Hello World</title></head>\n";
print "<body>\n";
print "<h2>Hello, world!</h2>\n";
print "</body></html>\n";

Restricting Access

Restricting access can be based on nyu netids, cims usernames, domains, etc. This can be done by adding the appropriate directives to an .htaccess file in the directory to be restricted.

Being included on a list

To have a link to your homepage included on one of the web pages maintained by the Institute, please see that page for how to apply for such a link.

Obtaining logs of your web hits

To obtain logs of your web hits simply do the following:

  1. Create a file called .dolog in your public_html directory that contains a one line entry specifying the web server you would like the logs for. Valid entries are: math, cs, cims, cs1, i6
    note: you may only include one webserver.
  2. Create a directory called logs in your public_html directory.

The logs will be updated in the early morning hours on a nightly basis. You can view them in your browser by using the following URL, http://webserver_name/~username/logs.

Listing Directory Contents

The listing of directory contents for directories without an index.html is not generally enabled. It is, however, enabled for all public_html directories as well as some others. For the contents of a directory to be listed, the permissions on that directory have to be somewhat different from those of directories containing an index.html. The correct permissions are:

chmod 705 $HOME/public_html/somedirectory

It is best to enable this for chosen subdirectories under your public_html directory to avoid inadvertently listing the contents of your public_html directory.

In addition, you may have to add a .htaccess file to the directory, consisting of the following:

Options +Indexes
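To see which directories currently meet the listing condition described above, the tree can be scanned. This is an added example, not part of Courant's documentation or tooling; the function name listable_dirs and the LISTABLE labels are made up for illustration.

```shell
#!/bin/sh
# Added example, not Courant's own tooling.
# Usage: listable_dirs "$HOME/public_html"
listable_dirs() {
    web=${1:-$HOME/public_html}
    # First branch prunes subtrees "other" cannot enter (nothing below them
    # is reachable); second branch prints directories "other" can read.
    find "$web" -type d ! -perm -001 -prune -o -type d -perm -004 -print |
    while IFS= read -r d; do
        # The page's condition: listing applies only without an index.html.
        if [ -e "$d/index.html" ]; then continue; fi
        tag=LISTABLE
        # Only this directory's own .htaccess is read here; an Options line
        # in a parent's .htaccess applies to its children as well.
        if grep -Eiq '^[[:space:]]*Options[[:space:]].*\+Indexes' \
                "$d/.htaccess" 2>/dev/null; then
            tag=LISTABLE-OPTIN
        fi
        printf '%s %s\n' "$tag" "$d"
    done
}
```

A LISTABLE line for public_html itself is the inadvertent case the text warns about; LISTABLE-OPTIN marks directories where listing was requested explicitly.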

 


Composing a Webpage in Linux

  1. Create a folder in the top level of your home directory and name it public_html. Store all files you wish accessible through the web here.
  2. Set the minimal permissions of the public_html folder by executing the following commands:
      • chmod 701 $HOME
      • chmod 701 $HOME/public_html
  3. To create an .html file, open a Mozilla SeaMonkey browser. Under the Window tab, select Composer. A blank page will be shown and it is here that you will design your webpage. When satisfied, save the .html file to the public_html folder in your home directory.
  4. In order for your webpage to be viewable by other users, you will need to change the permissions of the file you just created. Open a Terminal and execute the following command:
      • chmod 604 $HOME/public_html/YOUR_HTML_FILE

Your page should be accessible by entering the URL


http://SERVER/~USER_NAME/YOUR_HTML_FILE.html

where SERVER is one of cims.nyu.edu, cs.nyu.edu, i6.cims.nyu.edu; USER_NAME is your account login; and YOUR_HTML_FILE is the .html file you just created.

Note: Any files that are used in your .html files (e.g. image files) must be stored in your public_html folder and have their permissions set using the chmod 604 command listed above.


Composing a Webpage in Windows

  1. Create a folder in the top level of your home directory (the Z: Drive) and name it public_html. Store all files you wish accessible through the web here.
  2. Set the minimal permissions of both your Z: Drive and your public_html folder by following these directions, once completely for each:
      • Right-click the icon (either your Z: Drive or the public_html folder).
      • Click the Advanced button
      • Select your user name, then Click Edit. Under Allow, Check the "Full Control" box. Then Click OK.
      • Next, Select Everyone, and Click Edit. Under Allow, Check the "Traverse folder / Execute File" and "Read Permissions" boxes. Then Click OK.
    NOTE: If you do not set the permissions as above for both your Z: Drive and your public_html folder, your webpage will not be viewable on the web.
  3. To create an .html file, open a Netscape7 browser. Under the Window tab, Select Composer. A blank page will be shown and it is here that you design your webpage. When Satisfied, save the .html file to the public_html folder in your home directory.
  4. In order for your webpage (.html file) to be viewable by other users, you will need to change the permissions of the file you just created. To do so, open your public_html folder and:
    • Right-click the .html file and Select Properties.
    • Click the Security tab.
    • Click Everyone. Check the "Read and Execute" and "Read" boxes.
    • Now Click your user name. Check the "Full Control" box. Then Click Apply.

Your page should be accessible by entering the URL: http://SERVER/~USER_NAME/YOUR_HTML_FILE.html

where SERVER is one of cims.nyu.edu, cs.nyu.edu, i6.cims.nyu.edu; USER_NAME is your account login; and YOUR_HTML_FILE is the .html file you just created.

Note: Any files that are used in your .html files (e.g. image files) must be stored in your public_html folder and have their permissions set per the instructions above for .html files.

Note: If you are using an IDE such as Dreamweaver to compose web pages and you upload your pages through it, you will need to update the permissions of the files once they are on our servers. Alternatively, you can run the following command:

setfacl -r -m \
default:user::rwx,default:group::---,default:other:r-x public_html

This will set the default ACL and ignore umask settings in your public_html directory hierarchy.


Creating a MySQL Database

Warning: If allowing web-based content to a MySQL database, always be aware of the SQL Injection exploits that are possible.

Please see here for documentation on Courant's database service.

If you are running a database on courses1, you may need to refer to this page. If you would like to migrate from a courses1 database to the new hosted system, please see this page.