[258] in WWW Security List Archive
Re: Secure W3 Server
daemon@ATHENA.MIT.EDU (Chuck Yerkes)
Tue Dec 13 17:41:57 1994
From: "Chuck Yerkes" <yerkes_chuck@jpmorgan.com>
Date: Tue, 13 Dec 1994 14:28:31 -0500
In-Reply-To: hharamis@cohesive.com
"Secure W3 Server" (Dec 12, 11:42pm)
To: www-security@ns1.rutgers.edu
Cc: hharamis@cohesive.com
Reply-To: "Chuck Yerkes" <yerkes_chuck@jpmorgan.com>
> Does anybody have an opinion on which public domain w3 server is
> most secure? A lot of people talk about the fact that some of these
> servers are large in size. Sounds to me like the old sendmail problem.
Well, as a sendmail wiz, I have to disagree. It's more like the anonymous ftp
issue. Because the code it complex, I don't trust it. the Web Server needn't
run as root (or bin) and it's needn't see anything outside it's file tree.
This offers a simple solution for the big security issues.
I run it chroot'ed into it's own file system as user "WWW" and group "WWW".
WWW-owner owns all the files. They are readable by the WWW group. Therefore the
server (I like CERN), can't affect files in other parts of the system.
If the server has holes, you can have trouble in the data area - files change,
etc - but this reduces most of my concerns. Oh yeah, I use two partitions,
one is SMALL, readonly, and has the config file, binaries and such. One
that is mounted beneath that is R/W and holds data and logs. I'd rather
use syslog for logging, but haven't done that yet.
chuck yerkes chuck@tpan.com
consultant
