Re: mod_perl security on a shared web server

Thu, 07 Sep 2000 00:44:58 -0700 

On Wed, 6 Sep 2000, Félix C.Courtemanche wrote:

> Hello,
> 
> I couldn't find any occurance of this question in the archives, but if it
> does exists, please forward me to it.
> 
> I have been working on a set of Administration Tools for commercial web
> hosting companies for quite some times.  Lately I have been trying to figure
> out the MOST secure way to host multiple accounts on the same server, with
> mod_perl enabled AS FAST AS POSSIBLE.
> 
> In the best world, I would have the possibility of:
> - Restricting the opened files by any .pl script to the user's base
> directory.
> - Allowing custom shell commands or not
> - Setting a maximum execution time for a script
> 
> The first directive would be used to prevent anyone from reading the source
> of another program, wich would allow someone to grab the sensitive data
> stored in configuration files, such as Database Passwords, etc.  It is the
> MOST important of all and I really must find a solution.  I previously saw
> some perl wrapper that would only allow files owned by the script's owner to
> be read.  However, that wrapper greatly reduced the execution speed of .pl
> and it was not that effective.  Any suggestions?

http://perl.apache.org/guide/multiuser.html

> Finally, the third directive would allow me to kill any script running for
> too long or using too much CPU.

Apache::Watchdog::RunAway does the 'too long' part.

Apache::{SizeLimit|GTopLimit} do the 'too much memory/too low sharing'
part.

Apache::Resource does the rest.

> I understand that there is probably no tool to do all of it, but if I can
> gather the tools to make it as effective as possible, it would be really
> usefull for me and others.
> 
> Please don't tell me to monitor the user's scripts, since that is almost
> impossible to do when you have more than 10 sites to monitor, wich will
> happen quickly :)
> 
> Any other tips and tricks to improve the security of mod_perl is greatly
> appreciated as well.
> 
> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
> Félix C.Courtemanche . Head Designer
> Co-Administrator . Can-Host Networks
> http://www.can-host.com
> [EMAIL PROTECTED]
> 
> 
> 



_____________________________________________________________________
Stas Bekman              JAm_pH     --   Just Another mod_perl Hacker
http://stason.org/       mod_perl Guide  http://perl.apache.org/guide 
mailto:[EMAIL PROTECTED]   http://apachetoday.com http://jazzvalley.com
http://singlesheaven.com http://perlmonth.com   perl.org   apache.org

Reply via email to