[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [cobalt-developers] Re: CGI Wrap Errors
- Subject: RE: [cobalt-developers] Re: CGI Wrap Errors
- From: "Brian Bailey" <bbailey@xxxxxxxx>
- Date: Wed May 24 09:50:21 2000
Hey guys,
I work at Global Technologies Group in Arlington, VA and I noticed that you
were discussing security and BSD. Are you looking for a hardware encryption
accelerator, that is IPSec compliant?
If so, see if PowerCrypt from GTGI will work for you. You find out about it
at http://www.powercrypt.com. PowerCrypt is now supported with the latest
release of OpenBSD.
Brian S. Bailey
Global Technologies Group, Inc. (GTGI)
www.gtgi.com
www.powercrypt.com
703-528-0500, ext. 110
703-528-3214 fax
-----Original Message-----
From: cobalt-developers-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-developers-admin@xxxxxxxxxxxxxxx]On Behalf Of
corliss@xxxxxxxxxxxxxxx
Sent: May 24, 2000 12:21 PM
To: cobalt-developers@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-developers] Re: CGI Wrap Errors
On Tue, 23 May 2000, Will DeHaan wrote:
> > Since we're all ranting on security issues, I have a question/issue.
> >
> > The way home directory security is configured by default on the RAQ2 is
a
> > serious joke. Anyone that has telnet access can see files in just about
any
> > other web directory located in /home/sites/.
>
> Ok, so how is this a joke? How else do you serve web data with an
> unpriveleged web server? Public web data is public to shell users too.
>
> I think I'm grossly missing your point here..
No offense, but anyone who's every provided hosting services knows how to
answer that question. It *is* a joke. In the BSD world, we'd do something
like the following:
--All hosting clients belong to one group (users)
--Home directories are set to 0701
--Apache runs as a unique UID/GID
<G> That wasn't hard. Users can no longer access each other's private
space,
and Apache can still serve the public data.
> > I read on this list that
> > changing the default security permissions on the directories disables
quota
> > management. It also can cause problems with getting a bash prompt on
telnet.
>
> Dropping the public executability will break shell and web browsing.
> Changing group or user ownership of files will make the site and user
> quotas ineffective. Some basic unix here folks.. User quotas are based
> by UID, Site quotas are based by GID.
It's also basic Unix to handle that securely.
> > Now, I know for a fact I've already had one user nosing around in other
web
> > site directories.
>
> On the web or in a shell? What does it matter? If a user wants to keep
> sensitive data web accessible, they shouldn't store that data in a web
> accessible location! CGI-wrap will enable them to store such things in
> more restrictive locations such as a subdirectory from the site or user
> home directory.
<G> Never heard of using .htaccess or some other type of authentication to
restrict web content? Not doing much for your users, then.
> > My question is, is there a way to change all these
> > permissions, and make it a default setting for new sites, where other
users
> > with telnet cannot go snooping around reading other users' files?
> >
> > Thanks
> > John Parris
>
> You probably want chroot'd telnet access and don't want to mess with
> file permissions. Has anyone got this working on the RaQs? It can be
> done with a big slew of hard links or with a ~22MB/site penalty for
> copied files, in addition to changing users shell.
This suggestion is an excellent idea for us ultra-paranoid, but can also
lead
to resource management issues. A saner permission scheme would be more
appropriate.
--Arthur Corliss
Programmer/Administrator
Gallant Technologies (http://www.gallanttech.com/)
_______________________________________________
cobalt-developers mailing list
cobalt-developers@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-developers