[263] in WWW Security List Archive
Re: Secure W3 Server
daemon@ATHENA.MIT.EDU (Dorian Deane)
Tue Dec 13 20:23:21 1994
From: dorian@oxygen.house.gov (Dorian Deane)
To: hallam@dxal18.cern.ch
Date: Tue, 13 Dec 1994 16:29:32 -0500 (EST)
Cc: www-security@ns1.rutgers.edu
In-Reply-To: <9412131535.AA16234@dxal18.cern.ch> from "hallam@dxal18.cern.ch" at Dec 14, 94 00:35:18 am
Reply-To: dorian@oxygen.house.gov (Dorian Deane)
> >1. Anything running on a single-tasking machine, such as a Mac running
> >MacOS, is probably more secure than one running on something like Unix,
> >VMS, etc. Even MacOS, however, should be configured minimally-- no
> >telnet, ftp, etc., if at all possible.
>
> Ughh! I very much doubt this statement. MAC/OS is inherently insecure because
> it is a single user O/S with no concept of user identity whatsoever. Windows
> for Workgroups is marginally better but I would not give it many marks.
User authentication is only important if you want to make decisions
based on who is connecting. If your goal is to provide everyone
equal service, then it really isn't necessary.
I'm quite willing to be enlightened, but that's how I see it at the moment.
> If you want security I would consider VMS or a high quality UNIX (OSF/1,
> IRIX, HUPX). The UNIX servers tend to be more up to date
I can't speak for VMS, but in Unix, you need to be a lot more careful
in how you configure the system. It takes effort to make the Mac
into something capable of real danger. BTW, do w3 servers have the
same popen() problem that gopher servers have? I've looked at gopher
code, but I must admit, I have yet to look at any w3 code.
> In answer to the original question - is there a sendmail type bug? I doubt it.
> Sendmail is dangerous because it runs as root and has a very badly designed
> configuration language. It is possible to configure a httpd to be insecure but
> you have to work at it :-)
You can run w3 as root on a Unix box (a bad thing). The point being,
again, that you have to know more to run it in a secure fashion on a
more complex OS.
dorian