[unisog] creating secure asp/cgi servers

H. Morrow Long morrow.long at yale.edu
Tue Jun 4 11:50:31 GMT 2002


1. You can run the web server to provide a server side execution environment
   inside a 'jail' (basically you chroot() the web server).  You need to set
   up a virtual hierarchy under a directory similar to that used by anonymous
   FTP service ( e.g. a bin/, an etc/, a dev/, a usr/ and other directories
   needed by the web server under the Unix or Linux you are running, populated
   with the device files, shared libraries, data files and programs the web
   server requires to operate in this contained/constrained environment).

   It can be a bit more complex and difficult getting scripts and other CGI
   to run in the chroot()d environment for those who wish you to host their
   code however as they need to put anything they need into their environ
   as well as remember that the root directory (/) for the execution environ
   is actually not the system root directory but is relative to the jail for
   the web server.

2. Normally server side scripts and programs should run as a "harmless" user
   by default anyway, but for those cases where a script needs to open and
   write to data files there is code available for Apache to run CGI setuid
   to the user owning the script/directory executing.

H. Morrow Long
University Information Security Officer
Yale University

Mark Brochu wrote:
> 
> Greetings all,
> Currently we do not offer students the ability to have scripting on their
> web pages for security reasons.  I was wondering how any of you deal with
> this issue.  I thought I heard about wrapping software to prevent poorly
> written scripts from doing any damage.  Any references to some material
> would be greatly appreciated.
> Thanks!
> 
> Mark Brochu
> University of Hartford, ITS
> Data Network Specialist



More information about the unisog mailing list