PASSWORDS
=========

Login username and password are sent in cleartext from the web browser to the
CGI script on the web server. Therefore, it's strongly recommended that you
use an SSL web server (e.g. mod_ssl in Apache) to protect passwords.

Cleartext passwords are NEVER stored anywhere. The client web browser does not
use any cookies. On the server side, the password is cryptographically hashed with
a large, high-quality random secret and the resulting code is stored as a session
identifier. This temporary session identifier is used for RELOGINs.

There is no harm in allowing others to read the session directory on the server,
although to enforce maximum security webfiltd requires mode 0700 on the path.
UNDER NO CIRCUMSTANCES, however, should the permissions on the session directory
allow anyone other than root to create their own files. If an attacker can create
their own session ID in the session directory, they can hijack any user's account.
The mode 0700 check is used to detect this severe misconfiguration.


PRIVILEGE SEPARATION
====================

The webfilt.cgi program, which faces the outside world, runs as the web server's
low privilege account (usually nobody) and NEVER gains additional privileges. The
CGI program never does any file I/O and can therefore be restricted to absolute
minimum privileges. The CGI communicates with webfiltd using sockets only.

webfiltd starts with root privileges, and only uses sockets to communicate with a
local CGI instance (connections are only allowed from the local IP address). inetd
invocation guarantees a predictable process environment for the root daemon. The
daemon requires immediate authentication over the socket, exiting otherwise. After
authenticating, the daemon switches to the logged in user's privileges and root
capabilities are lost for the duration of the session. When files are read and
commands are executed, everything runs under the logged in user's account.

Strictly speaking, the daemon is potentially vulnerable until authentication is
complete as this is the only time it's running with root privileges. This duration
is very short, however, since authentication is required immediately upon connect.

Once a user has logged in, they are allowed to remotely execute certain commands
configured via their own ~/.webfiltrc -- this may pose a risk (depending on how
much you trust your users). However, the logged in user has been authenticated and
only runs commands under their own uid, so this is no more risk than shell login.

Keep in mind that the CGI script is not running commands or reading users' files.
It is sending commands to webfiltd over a socket (e.g. LIST, GET, EXEC) and then
reading the response as webfiltd does the actual file I/O, all under the logged
in user's privileges. Once the session expires, the user must log in again.
