
Re: www server security
Alas, the www-security-team doesn't want www-security@ns1.rutgers.edu
to be used to discuss issues such as www server security.

I don't expect they'd like the idea of changing the list name,
but I'm probably not the only person who found it misleading.

When I joined the list, I got the following in the welcome message:
>    "The www-security list is intended for the discussion of World Wide Web
> security proposals, enhancements and issues."

This seemed to be a World Wide Web security issue.
Maybe the welcome message should be modified a bit?

I've posted my queries to comp.infosystems.www.providers and
comp.security.unix. If you are interested, join the discussion there.

I feel obliged to summarize what I've found out so far to this list.
I'll make it short:

- Use Wietse Venema's "chrootuid" program to chroot the httpd server.
  ftp it from svin02.info.win.tue.nl:/pub/security/chrootuid1.2.shar.Z
- Use the NCSA server; it is easier to configure.
- The NCSA server has the benefit of being smaller, with fewer complex
  features for bugs to hide in.
- Should run as uid "nobody", gid "nogroup" (this is set in the config file).

Thanks to the following people for their comments and suggestions:

John DiMarco <jdd@cdf.toronto.edu>
"Patrick W. Matlock (DCS)" <pmatlock@usg.uwaterloo.ca>
Ken Shores <kss1376@pop.draper.com>
rosenthl@mcc.com (Doug Rosenthal)
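The summary above recommends chrooting httpd with chrootuid and running it as an unprivileged uid/gid. The wrapper below is an added example written for this page; it is not Venema's chrootuid and copies none of its code, and the argument order (newroot, user, command) is assumed to match that tool. It shows the detail that matters when you write such a wrapper yourself: chdir and chroot first, then drop supplementary groups, then the gid, then the uid (the reverse order would leave root behind), and verify that root cannot be regained before exec'ing the server. The jail path, user name and httpd path in the usage line are placeholders.

```c
/* jailhttpd.c: run a daemon inside a chroot as an unprivileged user.
 * Added example, not Wietse Venema's chrootuid.  Same idea though:
 * chroot, drop groups/gid/uid in that order, check, then exec.
 * Build: cc -o jailhttpd jailhttpd.c
 * Usage (placeholder paths): as root,
 *   ./jailhttpd /usr/local/jail nobody /usr/local/etc/httpd/httpd -d /usr/local/etc/httpd
 */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if the process is exactly uid/gid (real and effective) and,
 * unless uid is root itself, can no longer get root back with setuid(0). */
int privs_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (uid != 0 && setuid(0) == 0) return 0;   /* must fail once dropped */
    return 1;
}

/* chdir+chroot into root, then drop to uid/gid.
 * Returns 0 on success, -1 on error with errno set.  Needs root to run. */
int jail_and_drop(const char *root, uid_t uid, gid_t gid)
{
    if (chdir(root) != 0) return -1;            /* fail early on a bad jail path */
    if (chroot(root) != 0) return -1;
    if (chdir("/") != 0) return -1;             /* cwd must be inside the new root */
    /* Supplementary groups survive setgid(); clear them while still root. */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;            /* gid before uid: setgid needs root */
    if (setuid(uid) != 0) return -1;
    if (!privs_dropped(uid, gid)) { errno = EPERM; return -1; }
    return 0;
}

/* Map a user name to its uid and primary gid; 0 on success, -1 if unknown. */
int resolve_user(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

int main(int argc, char **argv)
{
    uid_t uid;
    gid_t gid;

    if (argc < 4) {
        fprintf(stderr, "usage: %s newroot newuser command [args...]\n", argv[0]);
        return 2;
    }
    if (resolve_user(argv[2], &uid, &gid) != 0) {
        fprintf(stderr, "%s: unknown user %s\n", argv[0], argv[2]);
        return 2;
    }
    if (uid == 0) {
        fprintf(stderr, "%s: refusing to run the jail as root\n", argv[0]);
        return 2;
    }
    if (jail_and_drop(argv[1], uid, gid) != 0) {
        perror("jail_and_drop");
        return 1;
    }
    /* argv[3] is resolved inside the jail, so copy the server and the
     * libraries it needs into the jail tree before starting it. */
    execv(argv[3], argv + 3);
    perror("execv");                            /* only reached on failure */
    return 1;
}
```

Two practical notes. Because the server is already "nobody" when it starts, it cannot bind a port below 1024 (the well-known ports need root on traditional Unix), so point the config at a high port or forward port 80 to it from outside the jail. And the jail directory has to contain everything the binary resolves after chroot (shared libraries, /dev/null, the document tree, the log directory), since paths in the config file are now relative to the new root.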