Educause Security Discussion mailing list archives

Re: WWW Access


From: John K Lerchey <lerchey () ANDREW CMU EDU>
Date: Tue, 16 Aug 2005 14:11:33 -0400

Hi Ken,

We serve personal web pages off of the same server (for students, staff,
and faculty), but we do not allow anyone to put their own cgi scripts in
place.

Course and departmental pages are on a different server.

Our web group is working on plans to allow for a "content management
system" which may include the possibility of user-submitted cgi scripts.

I hope that this helps,

John


John K. Lerchey
Computer and Network Security Coordinator
Computing Services
Carnegie Mellon University


On Tue, 16 Aug 2005, Kenneth G. Arnold wrote:

How do you handle security for your student web pages, faculty/staff web
pages and web pages maintained by your webmaster?

Specifically:

1. Are all three types of web pages accessible through the same web server or
do you have a separate web server for each group?

2. Do you allow all three groups to create and run cgi scripts or are cgi
scripts created only by the webmaster and put into the special cgi-bin
directory?

We have all three groups running from the same web server and all three
groups can create and run cgi scripts.  This is a situation with which I am
not comfortable.  I would like to change it to make it more secure and I am
looking for ideas.

The ability to create and run a cgi script gives that person and anyone else
who knows about it the ability to look at any file on the web server with
either permission for other or any file owned by the user running the web
server.  This ability makes it very hard to hide important information like
passwords to databases.  Also all groups can use a telnet or ssh session to
look at the files directly if the file permissions allow this access.  Making
the files you want to hide owned by the web server solves the problem of
people looking at the contents of the file through telnet or ssh but also
makes it possible for someone to write a cgi script that can read the file or
worse write to the file.


Brother Kenneth Arnold
System Administrator
Information Technology Services
Christian Brothers University
(901) 321-4333
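An added example, not from either message, of the audit a sysadmin in Ken's position could run: it lists files under a document root that a CGI running as the web server account could read (world-readable, or owned by that account even when mode 0600) or write. The function names, the sample tree, and the use of the current user to stand in for the web server account are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a shared web tree for files that a
# user-written CGI running under the web server account could read or write.

# audit_cgi_exposure DOCROOT WEB_USER
# Prints one line per exposed file: <reason><TAB><path>
audit_cgi_exposure() {
    docroot=$1; webuser=$2
    # World-readable (mode o+r): any CGI can read it, whatever UID it runs as.
    find "$docroot" -type f -perm -004 -print |
        while IFS= read -r f; do printf 'world-readable\t%s\n' "$f"; done
    # Not world-readable but owned by the web server account: still readable by
    # every CGI that runs as that account, so "chown to the web server" hides
    # nothing from CGI authors.
    find "$docroot" -type f ! -perm -004 -user "$webuser" -print |
        while IFS= read -r f; do printf 'owned-by-webserver\t%s\n' "$f"; done
    # Writable by the web server account (world-writable, or owned by it with
    # u+w): a CGI could modify the file, the "worse" case in the question.
    find "$docroot" -type f \( -perm -002 -o \( -user "$webuser" -perm -200 \) \) -print |
        while IFS= read -r f; do printf 'writable-by-webserver\t%s\n' "$f"; done
}

# make_sample_tree: builds a constructed scratch docroot and prints its path.
# Its files are owned by the current user, who stands in for the web server
# account when the demo runs (hypothetical layout, not a real site).
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/cgi-bin" "$d/private"
    printf 'hello\n' > "$d/index.html";              chmod 0644 "$d/index.html"       # public page
    printf 'dbpass=secret\n' > "$d/private/db.conf"; chmod 0600 "$d/private/db.conf"  # "hidden" secret
    printf 'log\n' > "$d/private/hits.log";          chmod 0666 "$d/private/hits.log" # world-writable
    printf '#!/bin/sh\n' > "$d/cgi-bin/x.cgi";       chmod 0555 "$d/cgi-bin/x.cgi"    # read-only script
    printf '%s\n' "$d"
}

# count_exposed REASON DOCROOT WEB_USER: number of files flagged with REASON
count_exposed() {
    audit_cgi_exposure "$2" "$3" | awk -v r="$1" -F'\t' '$1 == r { n++ } END { print n + 0 }'
}
```

Running each CGI under its author's own UID (suEXEC-style) is what removes the "owned by the web server" category entirely; on the sample tree the audit flags db.conf only for that reason, which is exactly the exposure Ken describes.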
