Re: mod_perl security on a shared web server

2000-09-07 Thread Stas Bekman

On Wed, 6 Sep 2000, Félix C.Courtemanche wrote:

> Hello,
>
> I couldn't find any occurrence of this question in the archives, but if it
> does exist, please forward me to it.
>
> I have been working on a set of Administration Tools for commercial web
> hosting companies for quite some time.  Lately I have been trying to figure
> out the MOST secure way to host multiple accounts on the same server, with
> mod_perl enabled AS FAST AS POSSIBLE.
>
> In the best world, I would have the possibility of:
> - Restricting the opened files by any .pl script to the user's base
> directory.
> - Allowing custom shell commands or not
> - Setting a maximum execution time for a script
>
> The first directive would be used to prevent anyone from reading the source
> of another program, which would allow someone to grab the sensitive data
> stored in configuration files, such as Database Passwords, etc.  It is the
> MOST important of all and I really must find a solution.  I previously saw
> some perl wrapper that would only allow files owned by the script's owner to
> be read.  However, that wrapper greatly reduced the execution speed of .pl
> and it was not that effective.  Any suggestions?

http://perl.apache.org/guide/multiuser.html

> Finally, the third directive would allow me to kill any script running for
> too long or using too much CPU.

Apache::Watchdog::RunAway does the 'too long' part.

Apache::{SizeLimit|GTopLimit} do the 'too much memory/too low sharing'
part.

Apache::Resource does the rest.

> I understand that there is probably no tool to do all of it, but if I can
> gather the tools to make it as effective as possible, it would be really
> useful for me and others.
>
> Please don't tell me to monitor the user's scripts, since that is almost
> impossible to do when you have more than 10 sites to monitor, which will
> happen quickly :)
>
> Any other tips and tricks to improve the security of mod_perl are greatly
> appreciated as well.
>
> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
> Félix C.Courtemanche . Head Designer
> Co-Administrator . Can-Host Networks
> http://www.can-host.com
> [EMAIL PROTECTED]
 
 
 



Stas Bekman  JAm_pH --   Just Another mod_perl Hacker
http://stason.org/   mod_perl Guide  http://perl.apache.org/guide 
mailto:[EMAIL PROTECTED]   http://apachetoday.com http://jazzvalley.com
http://singlesheaven.com http://perlmonth.com   perl.org   apache.org





Re: mod_perl security on a shared web server

2000-09-06 Thread Matt Sergeant

On Wed, 6 Sep 2000, Félix C.Courtemanche wrote:

> Hello,
>
> I couldn't find any occurrence of this question in the archives, but if it
> does exist, please forward me to it.
>
> I have been working on a set of Administration Tools for commercial web
> hosting companies for quite some time.  Lately I have been trying to figure
> out the MOST secure way to host multiple accounts on the same server, with
> mod_perl enabled AS FAST AS POSSIBLE.
>
> In the best world, I would have the possibility of:
> - Restricting the opened files by any .pl script to the user's base
> directory.
> - Allowing custom shell commands or not
> - Setting a maximum execution time for a script
>
> The first directive would be used to prevent anyone from reading the source
> of another program, which would allow someone to grab the sensitive data
> stored in configuration files, such as Database Passwords, etc.  It is the
> MOST important of all and I really must find a solution.  I previously saw
> some perl wrapper that would only allow files owned by the script's owner to
> be read.  However, that wrapper greatly reduced the execution speed of .pl
> and it was not that effective.  Any suggestions?

The _only_ way I see you being able to do this securely is to use a Safe
compartment with a Safe::Hole through to your custom open() function which
does all the checking.

The problem then becomes enabling something like DBI support. You'd need
to provide a safe hole through to DBI (not sure if you'd have to write a
wrapper or what - never tried it personally). And then the same goes for
something like CGI.pm, probably.

The other stuff can be done with the resource limiting modules.

If you come up with something it would be great if you could share it. I
started working on something like it a while back (even had an
Apache::SafeRegistry module built, but it didn't work because Safe::Hole
didn't exist back then).

-- 
Matt/

Fastnet Software Ltd. High Performance Web Specialists
Providing mod_perl, XML, Sybase and Oracle solutions
Email for training and consultancy availability.
http://sergeant.org | AxKit: http://axkit.org
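
The design Matt Sergeant describes above, sketched as an added example (not code from the thread or from any of the modules named in it): untrusted code runs in a Safe compartment and reaches the filesystem only through a checked reader that confines it to one account's base directory. It uses core Safe's share() rather than Safe::Hole, and read_file, write_file and the alice/bob layout are constructed for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Safe;
use Cwd qw(realpath);
use File::Temp qw(tempdir);

# Constructed layout: accounts alice and bob, plus a symlink from alice to bob's file.
my $root = realpath(tempdir(CLEANUP => 1));
mkdir "$root/$_" or die "mkdir: $!" for qw(alice bob);
write_file("$root/alice/notes.txt", "alice's notes\n");
write_file("$root/bob/db.conf",     "password=constructed-sample\n");
symlink "$root/bob/db.conf", "$root/alice/link" or die "symlink: $!";
my $base = "$root/alice";    # base directory of the account whose script runs

sub write_file {
    my ($path, $text) = @_;
    open my $fh, '>', $path or die "open $path: $!";
    print {$fh} $text;
    close $fh or die "close $path: $!";
}

# Hypothetical checked reader: the only file access the compartment is given.
# It sticks to plain function calls, because a shared sub still runs inside the
# compartment's namespace (the limitation Safe::Hole exists to lift).
sub read_file {
    my ($path) = @_;
    die "no path given\n" unless defined $path && length $path;
    $path = "$base/$path" unless substr($path, 0, 1) eq '/';
    my $real = realpath($path);    # resolves ".." and symlinks
    die "denied: $path\n"
        unless defined $real && index($real, "$base/") == 0;
    # Residual risk: the path can be swapped between realpath() and open().
    open my $fh, '<', $real or die "open failed: $!\n";
    local $/;
    return scalar <$fh>;
}

my $cpt = Safe->new;    # default mask traps open, system and require
$cpt->share('&read_file');

for my $code ('read_file("notes.txt")', 'read_file("../bob/db.conf")',
              'read_file("link")', 'open(my $fh, "<", "/etc/hosts")',
              'system("ls")') {
    my $out    = $cpt->reval($code);
    my $status = defined $out ? "ok: $out" : "blocked: $@";
    $status =~ s/\s+\z//;
    printf "%-34s %s\n", $code, $status;
}
```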




Re: mod_perl security on a shared web server

2000-09-06 Thread Jonathan Leto


I would suggest www.freevsd.org, because what you need is complete
compartmentalization. 



Félix C.Courtemanche ([EMAIL PROTECTED]) was saying:

> Hello,
>
> I couldn't find any occurrence of this question in the archives, but if it
> does exist, please forward me to it.
>
> I have been working on a set of Administration Tools for commercial web
> hosting companies for quite some time.  Lately I have been trying to figure
> out the MOST secure way to host multiple accounts on the same server, with
> mod_perl enabled AS FAST AS POSSIBLE.
>
> In the best world, I would have the possibility of:
> - Restricting the opened files by any .pl script to the user's base
> directory.
> - Allowing custom shell commands or not
> - Setting a maximum execution time for a script
>
> The first directive would be used to prevent anyone from reading the source
> of another program, which would allow someone to grab the sensitive data
> stored in configuration files, such as Database Passwords, etc.  It is the
> MOST important of all and I really must find a solution.  I previously saw
> some perl wrapper that would only allow files owned by the script's owner to
> be read.  However, that wrapper greatly reduced the execution speed of .pl
> and it was not that effective.  Any suggestions?
>
> The second directive would allow me to specify whether or not a user can run
> commands that would be passed as shell OR specify what paths are available
> (only /usr/bin for example)
>
> Finally, the third directive would allow me to kill any script running for
> too long or using too much CPU.
>
> I understand that there is probably no tool to do all of it, but if I can
> gather the tools to make it as effective as possible, it would be really
> useful for me and others.
>
> Please don't tell me to monitor the user's scripts, since that is almost
> impossible to do when you have more than 10 sites to monitor, which will
> happen quickly :)
>
> Any other tips and tricks to improve the security of mod_perl are greatly
> appreciated as well.
>
> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
> Félix C.Courtemanche . Head Designer
> Co-Administrator . Can-Host Networks
> http://www.can-host.com
> [EMAIL PROTECTED]
 
 

-- 
[EMAIL PROTECTED] 
"With pain comes clarity."





Re: mod_perl security on a shared web server

2000-09-06 Thread Félix C.Courtemanche

In fact, I would like to see something similar to what you sent, but that
would only apply to mod_perl (or any other way to execute perl scripts in
apache) since I am also using other languages, databases, etc that would be
somewhat harder to install with such a compartmentalization.

I am currently taking a look at the safe perl module to see if it can do the
job for me.
I had someone mention resource restricting modules, especially for the
amount of cpu, ram and time of execution used.  Anyone can direct me
specifically to any of these (or all of them)?  I can't seem to find one
that is completed and working well.

Please keep in mind that security and optimization are the top 2 priorities
in this adventure :)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Félix C.Courtemanche . Head Designer
Co-Administrator . Can-Host Networks
http://www.can-host.com
[EMAIL PROTECTED]






RE: mod_perl security on a shared web server

2000-09-06 Thread Christian Gilmore

Felix,

There's not much available that is efficient and does per-resource
throttling based upon CPU, RAM, and time of which I know. I looked around
for such things about 8 months ago.

I instead decided that, for my needs, limiting simultaneous client access
to resource hogs was good enough. I wrote mod_throttle_access to serve
this purpose. It is available through the Apache Module Registry or
directly here:

http://www.fremen.org/apache/

Regards,
Christian

From: Félix C.Courtemanche [mailto:[EMAIL PROTECTED]]
> I had someone mention resource restricting modules, especially for the
> amount of cpu, ram and time of execution used.  Anyone can direct me
> specifically to any of these (or all of them)?  I can't seem to find one
> that is completed and working well.