
Re: [cobalt-developers] Re: CGI Wrap Errors



On Tue, 23 May 2000, Chris Adams wrote:

> > :-P  That's why I like BSD boxes better.  I never understood that crap about
> > every user having a unique UID *&* GID.   Buggers.  But you're right, 2775
> > isn't much better.  No isolation at all.
> 
> The per-user group is a(n optional) Red Hat-ism, which Cobalt doesn't
> use.  They do create a group per site, which, along with the set-GID bit
> on directories, is needed if you have multiple site administrators
> (which a lot of our customers have).

It's actually something that was introduced on SysV style systems, and most of
the Linux distributions follow (with the exception of Slackware) by default.
I didn't know what Cobalt uses, because I don't use Cobalt for hosting (and
would never consider it).  We don't allow clients any administrative access to
their accounts, here.  If they want that kind of power, they need to co-lo
their own hardware.  Much safer, and fewer security concerns on my end.

> > They've set the GID sticky bit on, eh?  Well, why not try 2771?  That should
> > keep the browsers out, but still let the daemons traverse the tree.  Still not
> > as secure as I'd like, since another user could still pull a file out of the
> > other user's space if they know the exact path and name.
> 
> Uh, these are primarily designed as web hosting boxes.  If I know the
> exact path and name, it is typically going to be viewable from the web
> as well.

Only for default files, such as index.html, etc.  If there's content on the
site that isn't directly linked to on those pages, you have some level of
obscurity.  Not the best security, agreed, but definitely better than what
Cobalt seems to be providing.  I was just making suggestions on how to improve
the situation.

> The Cobalt RaQs are web hosting appliances, after all.  They are NOT
> designed for a general purpose multi-user environment.  If you want to
> use them in that way, expect to have to make changes.

<Sheesh>  Isn't that what I was doing?  Regardless, I still think that for
*any* environment, more care should have been taken in securing the box.
Keeping users isolated from each other is the most basic of administration
issues, and on my machines, something we take seriously.  Which is why I never
use prebuilt boxes like Cobalts on public networks.

	--Arthur Corliss
	  Programmer/Administrator
	  Gallant Technologies (http://www.gallanttech.com/)
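
Added example, not part of the original message or of Cobalt's software: a small model of the POSIX owner/group/other check, used to compare the 2775 and 2771 directory modes discussed in this thread. The UIDs, GIDs and file modes are constructed, and the model assumes a single directory level, no ACLs and a non-root caller.

```python
import stat

def class_bits(mode, uid, gids, owner, group):
    """Return the rwx triplet POSIX applies to this caller.

    Exactly one class is used: owner first, then group, then other.
    """
    if uid == owner:
        return (mode >> 6) & 7
    if group in gids:
        return (mode >> 3) & 7
    return mode & 7

def audit(dir_mode, file_mode, uid, gids, owner, group):
    """What can (uid, gids) do with a site directory and one file inside it?"""
    d = class_bits(dir_mode, uid, gids, owner, group)
    f = class_bits(file_mode, uid, gids, owner, group)
    return {
        # set-GID on a directory: new entries inherit the site group
        "setgid_dir": bool(dir_mode & stat.S_ISGID),
        # r on a directory: enumerate the names it contains
        "can_list": bool(d & 4),
        # x on a directory: resolve a name that is already known
        "can_traverse": bool(d & 1),
        # reading a file needs x on the directory and r on the file
        "can_read_known_path": bool(d & 1) and bool(f & 4),
        # creating or deleting entries needs w and x on the directory
        "can_create_or_delete": (d & 3) == 3,
    }

# Constructed identities: one site, two site administrators, one unrelated user.
SITE_OWNER, SITE_GROUP = 1001, 2001
SECOND_ADMIN = (1003, {2001})   # member of the site group
OTHER_USER = (1002, {2002})     # user from a different site

if __name__ == "__main__":
    for dir_mode in (0o2775, 0o2771, 0o2770):
        for file_mode in (0o664, 0o660):
            result = audit(dir_mode, file_mode, *OTHER_USER, SITE_OWNER, SITE_GROUP)
            print(oct(dir_mode), oct(file_mode), result)
```

In this model, 2770 also removes traversal for any daemon that is not in the site group, which is why the thread settles on 2771 rather than 2770.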