Re: [cobalt-developers] Re: CGI Wrap Errors
On Tue, 23 May 2000, Will DeHaan wrote:
> > Since we're all ranting on security issues, I have a question/issue.
> >
> > The way home directory security is configured by default on the RAQ2 is a
> > serious joke. Anyone that has telnet access can see files in just about any
> > other web directory located in /home/sites/.
>
> Ok, so how is this a joke? How else do you serve web data with an
> unprivileged web server? Public web data is public to shell users too.
>
> I think I'm grossly missing your point here..
No offense, but anyone who's ever provided hosting services knows how to
answer that question. It *is* a joke. In the BSD world, we'd do something
like the following:

--All hosting clients belong to one group (users)
--Home directories are set to 0701
--Apache runs as a unique UID/GID

<G> That wasn't hard. Users can no longer access each other's private space,
and Apache can still serve the public data.
> > I read on this list that
> > changing the default security permissions on the directories disables quota
> > management. It also can cause problems with getting a bash prompt on telnet.
>
> Dropping the public executability will break shell and web browsing.
> Changing group or user ownership of files will make the site and user
> quotas ineffective. Some basic unix here folks.. User quotas are based
> by UID, Site quotas are based by GID.
It's also basic Unix to handle that securely.
> > Now, I know for a fact I've already had one user nosing around in other web
> > site directories.
>
> On the web or in a shell? What does it matter? If a user wants to keep
> sensitive data web accessible, they shouldn't store that data in a web
> accessible location! CGI-wrap will enable them to store such things in
> more restrictive locations such as a subdirectory from the site or user
> home directory.
<G> Never heard of using .htaccess or some other type of authentication to
restrict web content? Not doing much for your users, then.
> > My question is, is there a way to change all these
> > permissions, and make it a default setting for new sites, where other users
> > with telnet cannot go snooping around reading other users' files?
> >
> > Thanks
> > John Parris
>
> You probably want chroot'd telnet access and don't want to mess with
> file permissions. Has anyone got this working on the RaQs? It can be
> done with a big slew of hard links or with a ~22MB/site penalty for
> copied files, in addition to changing users shell.
This suggestion is an excellent idea for us ultra-paranoid, but can also lead
to resource management issues. A saner permission scheme would be more
appropriate.
--Arthur Corliss
Programmer/Administrator
Gallant Technologies (http://www.gallanttech.com/)
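
The permission scheme described in the message above, as an added example that is not part of the original post: a small Python model of the classic Unix owner/group/other check, showing why 0701 home directories shut out fellow members of the shared group while a web server under its own UID/GID can still traverse them. The account names, UIDs/GIDs, the web subdirectory, the 0705/0604 modes and the 0755 contrast layout are constructed assumptions, not values from the thread or from the RaQ.

```python
from collections import namedtuple

User = namedtuple("User", "name uid gids")
Node = namedtuple("Node", "name owner_uid group_gid mode")
R, X = 4, 1  # read and execute/search bits within one permission class


def class_bits(node, user):
    """Return the three permission bits that apply to `user` on `node`.

    Classic Unix selects exactly one class (owner, else group, else other)
    and never falls through to a later, more permissive one.
    Root and ACLs are not modelled here.
    """
    if user.uid == node.owner_uid:
        return (node.mode >> 6) & 7
    if node.group_gid in user.gids:
        return (node.mode >> 3) & 7
    return node.mode & 7


def can_list(directory, user):
    """Reading a directory's entry names needs the read bit."""
    return bool(class_bits(directory, user) & R)


def can_read(path, user):
    """`path` is a list of Nodes: directories first, the file last.
    Every directory needs search (x); the file itself needs read (r)."""
    *dirs, leaf = path
    return all(class_bits(d, user) & X for d in dirs) and bool(class_bits(leaf, user) & R)


def layout(home_mode, web_mode, file_mode):
    """Constructed tree alice/web/index.html owned by alice (1001), group users (100)."""
    return [Node("alice", 1001, 100, home_mode),
            Node("web", 1001, 100, web_mode),
            Node("index.html", 1001, 100, file_mode)]


# Constructed accounts: two hosting clients in group "users", Apache on its own UID/GID.
ALICE = User("alice", 1001, {100})
BOB = User("bob", 1002, {100})
APACHE = User("apache", 48, {48})

HARDENED = layout(0o701, 0o705, 0o604)  # scheme from the message, plus assumed inner modes
OPEN = layout(0o755, 0o755, 0o644)      # constructed world-readable contrast

if __name__ == "__main__":
    for label, tree in (("hardened", HARDENED), ("open", OPEN)):
        for u in (ALICE, BOB, APACHE):
            print(f"{label:9} {u.name:7} read={can_read(tree, u)} list_home={can_list(tree[0], u)}")
```

Because bob matches the group class, its zero bits apply to him even though "other" has search permission; Apache matches no class but "other", so it can reach a known path without being able to list the home directory.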