[Previous] [Next] [Index]
[Thread]
Re: www server security
At 09:04 AM 8/22/94 -0400, Steve Kotsopoulos wrote:
>I'd like to setup a www server. My primary concern is to preserve
>the security of the system it is running on. I'll probably run my
>server on the standard (reserved) port, so it must run as root.
>
>Any hints/tips on running my www server in a chrooted environment?
>Which httpd server is considered "more secure", CERN's or NCSA's?
>Any gotchas for my platform (SGI Indy, running IRIX 5.2)?
>Any other tips greatly appreciated.
Steve,
I have no idea if this is the right list either. Perhaps the list
maintainers would like to comment on what the bounds are? Meanwhile, it
sounds like a security question to me.
I took a look at the CERN httpd (not a complete one by any means) and it
looked reasonable. If you use the ParentUserID and ParentGroupID it forces the
identity change in the daemon after doing basic setup but before it services
any requests. I wrote some code to add a ParentRoot directive to force a
changeroot just before the ParentUserID code (I submitted it to the CERN folks,
back in June, but haven't heard if they liked it). It's quite short, so
I've attached it. It works on a Sun, and I don't think I did anything that
would prevent it from working on an SGI. This is a diff against 3.0pre6.
I didn't look at the NCSA Daemon, as my application required the proxy
support feature of the CERN daemon. I'd love to hear from someone who has
actually compared both from a security standpoint. The NCSA server has the
benefit of being smaller, with fewer complex features for bugs to hide in.
Ken
Disclaimer: neither myself nor my employers are liable for the above, or for
anything you might do with it. Have a nice day.
CHRT2
-----
Ken Shores, Sr. Network Analyst The Charles Stark Draper Laboratory, Inc.
kss1376@pop.draper.com 555 Technology Square, Cambridge, MA 02139-3563
(617) 258-2529 Mail Stop 33