In fact, I would like to see something similar to what you sent, but that
would only apply to mod_perl (or any other way toe xecute perl scripts in
apache) since I am also using other languages, databases, etc that would be
somewhat harder to isntall with such a comparmentization.
I am currently taking a look at the safe perl module to see if it can do the
job for me.
I had someone mention ressource restricting modules, especially for the
amount of cpu, ram and time of execution used. Anyone can direct me
specifically to any of theses (or all of them)? I can't seem to find one
that is completed and working well.
Please keep in mind that security and optimization are the top 2 priorities
in this adventure :)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Félix C.Courtemanche . Head Designer
Co-Administrator . Can-Host Networks
http://www.can-host.com
[EMAIL PROTECTED]
-----Message d'origine-----
De : Jonathan Leto <[EMAIL PROTECTED]>
À : Félix C.Courtemanche <[EMAIL PROTECTED]>
Cc : [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date : 6 septembre, 2000 03:05
Objet : Re: mod_perl security on a shared web server
>
>I would suggest www.freevsd.org, because what you need is complete
>compartmentalization.
>
>
>
> F?lix C.Courtemanche ([EMAIL PROTECTED]) was saying:
>
>> Hello,
>>
>> I couldn't find any occurance of this question in the archives, but if it
>> does exists, please forward me to it.
>>
>> I have been working on a set of Administration Tools for commercial web
>> hosting companies for quite some times. Lately I have been trying to
figure
>> out the MOST secure way to host multiple accounts on the same server,
with
>> mod_perl enabled AS FAST AS POSSIBLE.
>>
>> In the best world, I would have the possibility of:
>> - Restricting the opened files by any .pl script to the user's base
>> directory.
>> - Allowing custom shell commands or not
>> - Setting a maximum execution time for a script
>>
>> The first directive would be used to prevent anyone from reading the
source
>> of another program, wich would allow someone to grab the sensitive data
>> stored in configuration files, such as Database Passwords, etc. It is
the
>> MOST important of all and I really must find a solution. I previously
saw
>> some perl wrapper that would only allow files owned by the script's owner
to
>> be read. However, that wrapper greatly reduced the execution speed of
.pl
>> and it was not that effective. Any suggestions?
>>
>> The second directive would allow me to specify wether or not a user can
run
>> commands that would be passed as shell OR specify what paths are
available
>> (only /usr/bin for example)
>>
>> Finally, the third directive would allow me to kill any script running
for
>> too long or using too much CPU.
>>
>> I understand that there is probably no tool to do all of it, but if I can
>> gather the tools to make it as effective as possible, it would be really
>> usefull for me and others.
>>
>> Please don't tell me to monitor the user's scripts, since that is almost
>> impossible to do when you have more than 10 sites to monitor, wich will
>> happen quickly :)
>>
>> Any other tips and tricks to improve the security of mod_perl is greatly
>> appreciated as well.
>>
>> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
>> Félix C.Courtemanche . Head Designer
>> Co-Administrator . Can-Host Networks
>> http://www.can-host.com
>> [EMAIL PROTECTED]
>>
>>
>
>--
>[EMAIL PROTECTED]
>"With pain comes clarity."
>
>
