Educause Security Discussion mailing list archives

Re: WWW Access


From: Graham Toal <gtoal () UTPA EDU>
Date: Tue, 16 Aug 2005 14:12:10 -0500

Kenneth G. Arnold wrote:

How do you handle security for your student web pages, faculty/staff
web pages and web pages maintained by your webmaster?

Specifically:

1. Are all three types of web pages accessible through the same web
server or do you have a separate web server for each group?

2. Do you allow all three groups to create and run cgi scripts or are
cgi scripts created only by the webmaster and put into the special
cgi-bin directory?

We have all three groups running from the same web server and all
three groups can create and run cgi scripts.  This is a situation with
which I am not comfortable.  I would like to change it to make it more
secure and I am looking for ideas.

The ability to create and run a cgi script gives that person and
anyone else who knows about it the ability to look at any file on the
web server with either permission for other or any file owned by the
user running the web server.  This ability makes it very hard to hide
important information like passwords to databases.  Also all groups
can use a telnet or ssh session to look at the files directly if the
file permissions allow this access.  Making the files you want to hide
owned by the web server solves the problem of people looking at the
contents of the file through telnet or ssh but also makes it possible
for someone to write a cgi script that can read the file or worse
write to the file.


You should not *ever* 'hide' passwords to databases simply by virtue of not knowing where the files are or assuming they can't be read by local users.  It is a common thing that people create web scripts that allow users to upload information and then the script writes it to a file which is potentially readable over the web, if you only knew the address of it, or could be read by anyone with a logon on the system... and then somehow that hidden URL gets leaked.

Yes, you do have a problem with allowing cgi scripts, but this is an even bigger problem - you need to get rid of stored passwords altogether.  Unfortunately so many databases are still in the 60's in that regard.  I was absolutely shocked when I discovered how many times cleartext passwords were stored in bits of the Oracle suite for example.

If you do allow cgis, they really need to be completely sandboxed so that they can only see files belonging to the user whose cgi it is.  This may not be easy to arrange.

Anyway, to answer your question, I don't see a benefit from separate servers for staff/students/faculty.  They should *all* be treated as hostile ;-)  The best way is to not have any sensitive data on the server so it doesn't matter too much if it is exploited.  If staff want to run cgi's that collect sensitive data, channel them through your computer center who can secure the data properly and don't give anyone except your systems people direct access to those servers.  Although when I ran an ISP several years back, the most tedious part of my job was vetting clients' cgi's before I installed them :-/  - which was option (2) above.  Probably too much work for most establishments.  But basically if you are collecting sensitive information on a web server *someone* does have to look at that script with an eye to security.  Either your computer center staff or your poor downtrodden info security officer :-)

Graham
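
Both the question (a CGI running as the web server account can read, or write, anything that account owns and anything world-readable) and the reply's suggestion that CGIs be sandboxed to their owner's files come down to ordinary POSIX permission checks.  The script below is an added example and is not code from either poster.  It models the two execution models over a constructed file inventory; the uids, gids, paths and the "shared" vs "owner" model names are assumptions made for the illustration.  For a script in each user's cgi-bin it lists what that script can read and write under each model, and separately lists which files under the document root the server would hand to anyone who knows the URL.

```python
"""Who can read what: shared web-server account vs. run-as-owner CGIs.

Added example, not part of the original mailing-list thread.  The file
inventory, uids and paths are constructed for illustration.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    uid: int
    gid: int
    mode: int           # permission bits only, e.g. 0o640


@dataclass(frozen=True)
class Principal:
    uid: int
    gids: frozenset


# Assumed accounts: one shared web-server account and two ordinary users.
WWW, ALICE, BOB = 33, 1001, 1002
DOCROOT = "/srv/www/htdocs/"

# Constructed inventory standing in for the server's file system.
INVENTORY = [
    Entry("/home/alice/public_html/index.html",         ALICE, ALICE, 0o644),
    Entry("/home/alice/public_html/cgi-bin/survey.cgi", ALICE, ALICE, 0o755),
    Entry("/home/alice/private/db.conf",                ALICE, ALICE, 0o600),
    Entry("/home/bob/public_html/cgi-bin/peek.cgi",     BOB,   BOB,   0o755),
    # A database password "hidden" by chown'ing the file to the server account.
    Entry("/srv/www/etc/db_password.conf",              WWW,   WWW,   0o600),
    # Survey responses a CGI wrote into the document root.
    Entry(DOCROOT + "uploads/responses.txt",            WWW,   WWW,   0o644),
]
BY_PATH = {e.path: e for e in INVENTORY}


def _has(entry, who, owner_bit, group_bit, other_bit):
    """POSIX rule: the first matching class (owner, group, other) decides;
    root bypasses the check entirely."""
    if who.uid == 0:
        return True
    if who.uid == entry.uid:
        return bool(entry.mode & owner_bit)
    if entry.gid in who.gids:
        return bool(entry.mode & group_bit)
    return bool(entry.mode & other_bit)


def can_read(entry, who):
    return _has(entry, who, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def can_write(entry, who):
    return _has(entry, who, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)


def cgi_principal(script, model):
    """Who a CGI runs as.  'shared': every script runs as the server
    account (the poster's setup).  'owner': each script runs as the user
    who owns it, the kind of sandbox the reply asks for (assumed model)."""
    if model == "shared":
        return Principal(WWW, frozenset({WWW}))
    if model == "owner":
        return Principal(script.uid, frozenset({script.gid}))
    raise ValueError(model)


def readable_by(script_path, model):
    who = cgi_principal(BY_PATH[script_path], model)
    return sorted(e.path for e in INVENTORY if can_read(e, who))


def writable_by(script_path, model):
    who = cgi_principal(BY_PATH[script_path], model)
    return sorted(e.path for e in INVENTORY if can_write(e, who))


def served_over_http():
    """Files the server hands to anyone who knows the URL: inside the
    document root and readable by the server account."""
    server = Principal(WWW, frozenset({WWW}))
    return sorted(e.path for e in INVENTORY
                  if e.path.startswith(DOCROOT) and can_read(e, server))


if __name__ == "__main__":
    peek = "/home/bob/public_html/cgi-bin/peek.cgi"
    for model in ("shared", "owner"):
        print(f"{model}: {peek} can read  {readable_by(peek, model)}")
        print(f"{model}: {peek} can write {writable_by(peek, model)}")
    print("served to anyone with the URL:", served_over_http())
```

Under the shared model Bob's script reaches the server-owned password file for both reading and writing, exactly the failure the question describes, while under the run-as-owner model it sees only what Bob could see at a shell prompt; chown'ing a file to the server account also does nothing for a response file that sits inside the document root, which is served to anyone who learns its URL.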
