Re: www server security
Alas, the www-security-team doesn't want www-security@ns1.rutgers.edu
to be used to discuss issues such as www server security.
I don't expect they'd like the idea of changing the list name,
but I'm probably not the only person who found it misleading.
When I joined the list, I got the following in the welcome message:
> "The www-security list is intended for the discussion of World Wide Web
> security proposals, enhancements and issues."
This seemed to be a World Wide Web security issue.
Maybe the welcome message should be modified a bit?
I've posted my queries to comp.infosystems.www.providers and
comp.security.unix. If you are interested, join the discussion there.
I feel obliged to summarize what I've found out so far to this list.
I'll make it short:
- Use Wietse Venema's "chrootuid" program to chroot the httpd server.
ftp it from svin02.info.win.tue.nl:/pub/security/chrootuid1.2.shar.Z
- Use NCSA server, easier to configure.
- The NCSA server has the benefit of being smaller, with fewer complex
features for bugs to hide in.
- Should run as uid "nobody", gid "nogroup" (this is set in config file).
Thanks to the following people for their comments and suggestions:
John DiMarco <jdd@cdf.toronto.edu>
"Patrick W. Matlock (DCS)" <pmatlock@usg.uwaterloo.ca>
Ken Shores <kss1376@pop.draper.com>
rosenthl@mcc.com (Doug Rosenthal)
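As an added illustration of the summary above (example code written for this page, not the poster's and not chrootuid's own source), the sequence a chrootuid-style wrapper performs before exec'ing the httpd: chroot while still root, then drop group and user privileges in the right order and verify they cannot be regained. The jail path /usr/local/www and the wrapper name are assumptions; "nobody" and "nogroup" are the names from the summary.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Resolve names such as "nobody"/"nogroup" to numeric ids; -1 if unknown. */
int lookup_ids(const char *user, const char *group, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(user);
    struct group *gr = getgrnam(group);
    if (pw == NULL || gr == NULL) return -1;
    *uid = pw->pw_uid;
    *gid = gr->gr_gid;
    return 0;
}

/* Enter `root` and switch irrevocably to uid/gid. Returns 0 on success, -1 (errno set)
 * on failure. Order matters: chroot() while still root, chdir() so the cwd is inside
 * the jail, then drop supplementary groups and the gid BEFORE the uid. */
int drop_to_chroot(const char *root, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }   /* not a drop at all */
    if (chroot(root) != 0 || chdir("/") != 0)
        return -1;                   /* EPERM when not root, ENOENT if no such dir */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0) { errno = EPERM; return -1; }   /* must be impossible now */
    return 0;
}

/* Usage (as root, assumed layout): ./wrap /usr/local/www nobody nogroup /bin/httpd */
int main(int argc, char **argv)
{
    uid_t uid; gid_t gid;
    if (argc < 5 || lookup_ids(argv[2], argv[3], &uid, &gid) != 0) {
        fprintf(stderr, "usage: %s newroot user group command [args...]\n", argv[0]);
        return 2;
    }
    if (drop_to_chroot(argv[1], uid, gid) != 0) { perror("drop_to_chroot"); return 1; }
    execv(argv[4], argv + 4);        /* the command path is now relative to the jail */
    perror("execv");
    return 1;
}
```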