Educause Security Discussion mailing list archives

Re: WWW Access


From: "Minter, Jonathan Bancroft" <jbminter () LIBERTY EDU>
Date: Tue, 16 Aug 2005 14:29:09 -0400

A potential help here would be utilizing Cold Fusion's sandbox security
system.  Obviously, this will only help if people can only write Cold
Fusion, so it might not be an option for you.

Basically, what their sandbox system does is allow you to configure
sandboxes in certain directories, and then constrain what scripts can do
in that directory, including data sources, Cold Fusion tags, as well as
including or modifying files in other directories.  

So you could create a sandbox for the various groups and then enforce
policies on each sandbox as appropriate.  They could remain on the same
server and be relatively isolated from each other.  You would just have
to say, "if you want to do dynamic content, you'll have to do it in Cold
Fusion".

Also, CF is not free.

Notably, we have been running Cold Fusion since version 4 in the late
90's and the most recent version (CFMX 7) is the first time that sandbox
has actually worked consistently.

Jonathan Minter
Director, IT Development and Engineering
Liberty University
jonathan () liberty edu
(434) 592-7301

-----Original Message-----
From: Kenneth G. Arnold [mailto:bkarnold () CBU EDU] 
Sent: Tuesday, August 16, 2005 2:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] WWW Access

How do you handle security for your student web pages, faculty/staff web
pages and web pages maintained by your webmaster?

Specifically:

1. Are all three types of web pages accessible through the same web
server or do you have a separate web server for each group?

2. Do you allow all three groups to create and run cgi scripts or are
cgi scripts created only by the webmaster and put into the special
cgi-bin directory?

We have all three groups running from the same web server and all three
groups can create and run cgi scripts.  This is a situation with which I
am not comfortable.  I would like to change it to make it more secure
and I am looking for ideas.

The ability to create and run a cgi script gives that person and anyone
else who knows about it the ability to look at any file on the web
server with either permission for other or any file owned by the user
running the web server.  This ability makes it very hard to hide
important information like passwords to databases.  Also all groups can
use a telnet or ssh session to look at the files directly if the file
permissions allow this access.  Making the files you want to hide owned
by the web server solves the problem of people looking at the contents
of the file through telnet or ssh but also makes it possible for someone
to write a cgi script that can read the file or worse write to the file.


Brother Kenneth Arnold
System Administrator
Information Technology Services
Christian Brothers University
(901) 321-4333
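
Added example, not part of either message above: a Python audit that lists which files under a directory a CGI script running as the web server account could read or write, following the permission reasoning in the original question. The function names and the UID/GID arguments are illustrative; the check also covers the group permission class, which the message does not mention, and assumes the account is not root and can traverse the parent directories.

```python
import os
import stat
import sys


def cgi_access(st, web_uid, web_gids=()):
    """Return 'r', 'w', 'rw' or '' for a process running as the web server
    account, using the standard Unix owner/group/other selection rule."""
    if st.st_uid == web_uid:        # file owned by the web server user
        r_bit, w_bit = stat.S_IRUSR, stat.S_IWUSR
    elif st.st_gid in web_gids:     # file's group is one of the account's groups
        r_bit, w_bit = stat.S_IRGRP, stat.S_IWGRP
    else:                           # everything else falls under "other"
        r_bit, w_bit = stat.S_IROTH, stat.S_IWOTH
    mode = st.st_mode
    return ("r" if mode & r_bit else "") + ("w" if mode & w_bit else "")


def audit(root, web_uid, web_gids=()):
    """Map each regular file under root to the access a CGI script would get.
    Files the web server account cannot touch are left out of the result."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)     # do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            access = cgi_access(st, web_uid, web_gids)
            if access:
                findings[path] = access
    return findings


if __name__ == "__main__":
    # usage: audit.py <directory> <web-server-uid> [web-server-gid ...]
    root, uid = sys.argv[1], int(sys.argv[2])
    gids = tuple(int(g) for g in sys.argv[3:])
    for path, access in sorted(audit(root, uid, gids).items()):
        print(f"{access:2} {path}")
```

Files reported as `rw` are the case the question calls worse: a script running as the web server account can modify them as well as read them.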
