Educause Security Discussion mailing list archives
Re: WWW Access
From: Graham Toal <gtoal () UTPA EDU>
Date: Tue, 16 Aug 2005 14:12:10 -0500
Kenneth G. Arnold wrote:
How do you handle security for your student web pages, faculty/staff web pages and web pages maintained by your webmaster? Specifically:

1. Are all three types of web pages accessible through the same web server, or do you have a separate web server for each group?

2. Do you allow all three groups to create and run cgi scripts, or are cgi scripts created only by the webmaster and put into the special cgi-bin directory?

We have all three groups running from the same web server, and all three groups can create and run cgi scripts. This is a situation with which I am not comfortable. I would like to change it to make it more secure, and I am looking for ideas.

The ability to create and run a cgi script gives that person, and anyone else who knows about it, the ability to look at any file on the web server with either permission for "other" or any file owned by the user running the web server. This ability makes it very hard to hide important information like passwords to databases. Also, all groups can use a telnet or ssh session to look at the files directly if the file permissions allow this access. Making the files you want to hide owned by the web server solves the problem of people looking at the contents of the file through telnet or ssh, but also makes it possible for someone to write a cgi script that can read the file or, worse, write to the file.
You should not *ever* 'hide' passwords to databases simply by virtue of people not knowing where the files are, or by assuming they can't be read by local users. It is a common thing that people create web scripts that allow users to upload information, and then the script writes it to a file which is potentially readable over the web, if you only knew the address of it, or could be read by anyone with a logon on the system... and then somehow that hidden URL gets leaked.

Yes, you do have a problem with allowing cgi scripts, but this is an even bigger problem: you need to get rid of stored passwords altogether. Unfortunately so many databases are still in the 60s in that regard. I was absolutely shocked when I discovered how many times cleartext passwords were stored in bits of the Oracle suite, for example.

If you do allow cgis, they really need to be completely sandboxed so that they can only see files belonging to the user whose cgi it is. This may not be easy to arrange.

Anyway, to answer your question, I don't see a benefit from separate servers for staff/students/faculty. They should *all* be treated as hostile ;-)

The best way is to not have any sensitive data on the server, so it doesn't matter too much if it is exploited. If staff want to run cgis that collect sensitive data, channel them through your computer center, who can secure the data properly, and don't give anyone except your systems people direct access to those servers. Although when I ran an ISP several years back, the most tedious part of my job was vetting clients' cgis before I installed them :-/ - which was option (2) above. Probably too much work for most establishments. But basically, if you are collecting sensitive information on a web server, *someone* does have to look at that script with an eye to security. Either your computer center staff or your poor downtrodden info security officer :-)

Graham
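The exposure both messages describe (any file readable by "other", or any file owned by the web-server account, is fair game for a cgi running as that account) can be checked rather than argued about. The script below is an added example, not code from the thread or from either poster: it models the Unix owner/group/other read, write and directory-search checks from the point of view of a hypothetical www-data account (uid 33, gid 33 assumed) and labels each file with what a cgi running as that account could do to it. The directory tree and ownerships in it are constructed sample data; audit_tree() does the same walk over a real docroot.

```python
"""Audit what a cgi running as the web-server account could read or write.

Added example for this thread, not code from the original posts. The www-data
uid/gid of 33 and the sample tree below are assumptions for illustration.
"""
import os
import stat
from typing import Dict, Iterable, List, NamedTuple


class FileView(NamedTuple):
    path: str
    uid: int
    gid: int
    mode: int            # permission bits only, e.g. 0o644
    is_dir: bool = False


def _bits(f: FileView, uid: int, gids: Iterable[int]) -> int:
    """The rwx triple that applies to (uid, gids): owner, else group, else other."""
    if f.uid == uid:
        return (f.mode >> 6) & 0o7
    if f.gid in set(gids):
        return (f.mode >> 3) & 0o7
    return f.mode & 0o7


def can_read(f: FileView, uid: int, gids: Iterable[int]) -> bool:
    return uid == 0 or bool(_bits(f, uid, gids) & 0o4)


def can_write(f: FileView, uid: int, gids: Iterable[int]) -> bool:
    return uid == 0 or bool(_bits(f, uid, gids) & 0o2)


def can_search(d: FileView, uid: int, gids: Iterable[int]) -> bool:
    """Directory 'x' bit: needed on every ancestor to reach a file at all."""
    return uid == 0 or bool(_bits(d, uid, gids) & 0o1)


def ancestors(path: str) -> List[str]:
    """All parent directories of path, nearest first, ending at '/'."""
    out, d = [], os.path.dirname(path)
    while True:
        out.append(d)
        parent = os.path.dirname(d)
        if parent == d:
            return out
        d = parent


def classify(f: FileView, dirs: Dict[str, FileView],
             www_uid: int, www_gids: Iterable[int]) -> str:
    """Label a file from the cgi's point of view.

    Ancestors missing from `dirs` (e.g. above the audited root) are assumed
    searchable, which errs on the side of reporting exposure.
    """
    for d in ancestors(f.path):
        if d in dirs and not can_search(dirs[d], www_uid, www_gids):
            return "unreachable"          # a closed directory hides everything below it
    if f.uid == www_uid:
        # Owner can chmod, so treat any www-owned file as readable AND writable,
        # whatever its current mode: this is the "worse, write to the file" case.
        return "www-owned"
    if can_read(f, www_uid, www_gids):
        return "readable-by-cgi"          # the "permission for other" case
    return "private"


def audit_tree(root: str, www_uid: int, www_gids: Iterable[int]) -> Dict[str, str]:
    """Walk a real tree (symlinks skipped) and classify every regular file."""
    dirs: Dict[str, FileView] = {}
    files: List[FileView] = []
    for cur, _subdirs, names in os.walk(root):
        st = os.lstat(cur)
        dirs[cur] = FileView(cur, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode), True)
        for n in names:
            p = os.path.join(cur, n)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode):
                files.append(FileView(p, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)))
    return {f.path: classify(f, dirs, www_uid, www_gids) for f in files}


# Constructed sample tree: uid 33 is the assumed web-server account.
SAMPLE_DIRS = {p: FileView(p, u, g, m, True) for p, u, g, m in [
    ("/", 0, 0, 0o755), ("/home", 0, 0, 0o755), ("/var", 0, 0, 0o755),
    ("/home/alice", 1001, 1001, 0o755), ("/home/alice/public_html", 1001, 1001, 0o755),
    ("/home/bob", 1002, 1002, 0o700), ("/var/www", 33, 33, 0o755),
]}
SAMPLE_FILES = [
    FileView("/home/alice/public_html/db_password.inc", 1001, 1001, 0o644),
    FileView("/home/alice/secret.txt", 1001, 1001, 0o600),
    FileView("/home/bob/.my.cnf", 1002, 1002, 0o644),
    FileView("/var/www/db.conf", 33, 33, 0o600),
]


def audit_sample() -> Dict[str, str]:
    return {f.path: classify(f, SAMPLE_DIRS, 33, [33]) for f in SAMPLE_FILES}


if __name__ == "__main__":
    for path, label in audit_sample().items():
        print(f"{label:16} {path}")
```

Note that bob's 0644 file comes out as unreachable only because his home directory is 0700; alice's 0644 include file under a 0755 public_html is exactly the leak the original post worries about, and the www-owned db.conf is the "solution" that trades a telnet/ssh read for a cgi read-and-write. Running audit_tree("/home", 33, [33]) as root on the real box gives the same labels for real files.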
Current thread:
- WWW Access Kenneth G. Arnold (Aug 16)
- <Possible follow-ups>
- Re: WWW Access John K Lerchey (Aug 16)
- Re: WWW Access clementz.7 (Aug 16)
- Re: WWW Access Minter, Jonathan Bancroft (Aug 16)
- Re: WWW Access Graham Toal (Aug 16)