Educause Security Discussion mailing list archives

Re: WWW Access


From: "clementz.7" <clementz.7 () OSU EDU>
Date: Tue, 16 Aug 2005 14:15:33 -0400

Sounds like you have your hands full.  We have not allowed any exe files,
unless they are zip-type files, to be put up on the web server.  Everyone has
individual permissions to folders created by a script, and the files are
uploaded to a data server, then robocopied up to the live web server every
five minutes or so.  Our student and faculty folders are all run off of the
same server.

Todd Clementz
Systems Administrator
Knowlton School of Architecture
The Ohio State University




How do you handle security for your student web pages, faculty/staff web
pages and web pages maintained by your webmaster?

Specifically:

1. Are all three types of web pages accessible through the same web server
or do you have a separate web server for each group?

2. Do you allow all three groups to create and run cgi scripts or are cgi
scripts created only by the webmaster and put into the special cgi-bin
directory?

We have all three groups running from the same web server and all three
groups can create and run cgi scripts.  This is a situation with which I
am not comfortable.  I would like to change it to make it more secure and
I am looking for ideas.

The ability to create and run a cgi script gives that person, and anyone
else who knows about it, the ability to look at any file on the web server
that either has permission for other or is owned by the user running the
web server.  This ability makes it very hard to hide important information
like passwords to databases.  Also, all groups can use a telnet or ssh
session to look at the files directly if the file permissions allow this
access.  Making the files you want to hide owned by the web server solves
the problem of people looking at the contents of the file through telnet
or ssh, but also makes it possible for someone to write a cgi script that
can read the file or, worse, write to the file.


Brother Kenneth Arnold
System Administrator
Information Technology Services
Christian Brothers University
(901) 321-4333
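The dilemma described in the question above, worked through as an added example (this code is not from the thread or from either poster): a small model of the POSIX owner/group/other read check, applied to three ways a user might store a database password, under two CGI execution models. In the "shared" model every CGI script runs as the web-server user, as on the original poster's server; in the "per-user" model each user's scripts run under that user's own uid, which is what Apache suEXEC provides. The user names, uids, gids, paths and modes are constructed sample data.

```python
"""Who can read a secret on a shared web server, under two CGI execution models.

Added example, not code from the mailing-list thread.  The file metadata,
accounts and uids below are constructed; 33 stands in for the web-server
user and 1001/1002 for two ordinary users.
"""
from dataclasses import dataclass
from stat import S_IRUSR, S_IRGRP, S_IROTH


@dataclass(frozen=True)
class FileMeta:
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o640


@dataclass(frozen=True)
class Principal:
    name: str
    uid: int
    gids: frozenset  # primary plus supplementary groups


def can_read(p: Principal, f: FileMeta) -> bool:
    """POSIX discretionary read check.  Root always succeeds; directory
    traversal is assumed to be permitted so only the file's bits matter."""
    if p.uid == 0:
        return True
    if p.uid == f.uid:
        return bool(f.mode & S_IRUSR)   # owner class applies, and only that class
    if f.gid in p.gids:
        return bool(f.mode & S_IRGRP)
    return bool(f.mode & S_IROTH)


# Constructed accounts: the web-server user and two ordinary users.
WWW = Principal("www-data", 33, frozenset({33}))
ALICE = Principal("alice", 1001, frozenset({1001}))
BOB = Principal("bob", 1002, frozenset({1002}))
USERS = (ALICE, BOB)


def cgi_identity(user: Principal, model: str) -> Principal:
    """Which uid a given user's CGI script runs as under each model."""
    if model == "shared":      # one web-server user runs everyone's scripts
        return WWW
    if model == "per-user":    # suEXEC-style: scripts run as their owner
        return user
    raise ValueError(model)


def exposure(f: FileMeta, owner: Principal, model: str) -> dict:
    """Who can read f, either directly (ssh/telnet shell) or through a CGI
    script they wrote, and whether the page owner's own CGI can still use it."""
    readers = sorted(u.name for u in USERS
                     if can_read(u, f) or can_read(cgi_identity(u, model), f))
    owner_cgi_ok = can_read(cgi_identity(owner, model), f)
    return {"readers": readers, "owner_cgi_can_use": owner_cgi_ok}


# Three ways alice might store her database password (constructed).
WORLD_READABLE = FileMeta("/home/alice/public_html/db.conf", 1001, 1001, 0o644)
OWNED_BY_WWW = FileMeta("/home/alice/public_html/db.conf", 33, 33, 0o600)
OWNER_ONLY = FileMeta("/home/alice/public_html/db.conf", 1001, 1001, 0o600)


def report() -> dict:
    """Exposure matrix: storage choice x CGI execution model."""
    out = {}
    for label, f in (("world-readable", WORLD_READABLE),
                     ("owned-by-webserver", OWNED_BY_WWW),
                     ("owner-only", OWNER_ONLY)):
        out[label] = {m: exposure(f, ALICE, m) for m in ("shared", "per-user")}
    return out


if __name__ == "__main__":
    for label, by_model in report().items():
        for model, r in by_model.items():
            print(f"{label:20s} {model:9s} readers={r['readers']} "
                  f"owner_cgi_can_use={r['owner_cgi_can_use']}")
```

The matrix makes the trade-off concrete: under the shared model a world-readable file is open to everyone, and a file chown'ed to the web-server user is hidden from shells but readable by any CGI script on the box; an owner-only file (mode 0600) is safe from bob but then alice's own CGI, running as www-data, cannot read it either. Only with per-user CGI execution does the owner-only file work both ways: alice's script can use it and nobody else's can.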
