[30821] in North American Network Operators' Group
Re: ARIN Policy on IP-based Web Hosting
daemon@ATHENA.MIT.EDU (Alec H. Peterson)
Thu Aug 31 14:01:27 2000
Message-ID: <39AE9C2B.A6984FAE@hilander.com>
Date: Thu, 31 Aug 2000 11:55:55 -0600
From: "Alec H. Peterson" <ahp@hilander.com>
To: "John A. Tamplin" <jat@liveonthenet.com>
Cc: nanog@merit.edu
"John A. Tamplin" wrote:
>
> Well, if the policy is that you have to use name-based hosting everywhere
> feasible and do something different for those customers that need
> something different, that can be quite a hardship on existing setups.
> For example, re-engineering all the tools to create and maintain vdom
> services, changing existing customer setups, etc. It is certainly easier
> to treat all hosting customers alike, rather than have completely
> separate setups and then have to change a customer from one to the other
> when they add or delete services (including downtime).
That was also brought up at the meeting; however, it was generally agreed
that the address savings were worth the work.
>
> Another issue nobody has mentioned is security between virtual servers.
> Under name-based hosting, they all run as the same user-id and thus to get
> the same security you have with separate IP-based servers you have to put
> all the access control checks in all the tools that can be used. This can be
> hard if not impossible to do when you allow full shell access to the files
> used by the server.
Not if you chroot() the user into their file space. That may not be ideal,
but there are ways to deal with it.
Alec
--
Alec H. Peterson - ahp@hilander.com
Staff Scientist
CenterGate Research Group - http://www.centergate.com
"Technology so advanced, even _we_ don't understand it!"