WWW Access

["Kenneth G. Arnold" <bkarnold () CBU EDU>]

How do you handle security for your student web pages, faculty/staff web
pages and web pages maintained by your webmaster?

Specifically:

1. Are all three types of web pages accessible through the same web server
or do you have a separate web server for each group?

2. Do you allow all three groups to create and run cgi scripts or are cgi
scripts created only by the webmaster and put into the special cgi-bin
directory?

We have all three groups running from the same web server and all three
groups can create and run cgi scripts.  This is a situation with which I am
not comfortable.  I would like to change it to make it more secure and I am
looking for ideas.

The ability to create and run a cgi script gives that person and anyone
else who knows about it the ability to look at any file on the web server
with either permission for other or any file owned by the user running the
web server.  This ability makes it vary hard to hide important information
like passwords to databases.  Also all groups can use a telnet or ssh
session to look at the files directly if the file permissions allow this
access.  Making the files you want to hide owned by the web server solves
the problem of people looking at the contents of the file through telnet or
ssh but also makes it possible for someone to write a cgi script that can
read the file or worse write to the file.


Brother Kenneth Arnold
System Administrator
Information Technology Services
Christian Brothers University
(901) 321-4333