Web servers are usually publicly accessible and represent your company, group
or entity so there are chances you want to strengthen the security of this
service.
As I already mentioned Caudium has a good security for public access behind
mostly written in a script language. However Caudium runs as root by
default. In the case a non-authorized user gains access to Caudium's
process, he might gain root privileges. Consequently,a lot of web servers run
as another user with minimal privileges. Doing this may require some
work, as you will have to change the owner of all the files Caudium needs
access to, so I give step-by-step instructions how to change those
permissions:
Find a good user name. This user name should be a normal user with the least privileges. Lots of distributions already have a special account for this. Common names include "www", "www-data", "httpd", "nobody" (Caudium on Debian GNU/Linux runs as www-data:www-data by default). We don't recommend "nobody" though; to quote Theo de Raadt: The user "nobody" has historically been doing too much. If you could break into the user "nobody", you could cause great damage.
Change the owner of the files which Caudium needs to write to. These include:
Caudium internal log file (default.*).
Per virtual server log file.
All caches.
The configurations files (they are written by the CIF.).
On a Caudium source install the following command should do the job:
# chown -R www-data.www-data logs/ var/
argument_cache/ bgcache/ configurations/ server/*.pem server
|
Here is the result:
$ ls -l
total 32
drwxr-sr-x 6 www-data www-data 4096 Feb 13 23:17 argument_cache
drwxr-sr-x 2 www-data www-data 4096 Feb 19 09:27 bgcache
drwxr-sr-x 2 www-data www-data 4096 Mar 4 22:28 configurations
drwxr-sr-x 4 root staff 4096 Feb 13 23:16 local
drwxr-sr-x 7 www-data www-data 4096 Mar 3 11:50 logs
drwxr-sr-x 2 root staff 4096 Feb 13 23:16 readme
drwxr-sr-x 19 www-data www-data 4096 Feb 19 20:13 server
drwxr-sr-x 2 www-data www-data 4096 Mar 3 19:28 var
$ id www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
|
If users are allowed to log on the server, you might also change the
permissions of the logs directory.
If you have a Caudium specific distribution for your system (such as Debian GNU/Linux) check manually.
Don't forget to change the permissions of any script/directory you made
and for which Caudium needs to write to in your public filesystem.
Log into the CIF., go in the main Global variables tab, then in
Change uid and gid type the uid:gid data you choose. We typed 33:33
in our example. You can also type a login name and group name: www-data:www-data.
You can also enable the Change uid and gid permanently option but be sure to read the documentation first.
I will now speak about general security measures you can take if you are
very strict about security.
Don't allow users to execute scripts that are part of the server.
As Caudium is a single process server, it is possible to stop it, restart
it, access it, etc. with a user script. This include pike scripts, pike tag,
and PHP modules for Caudium.
If you do want to let your users run scripts, you can always use
CGI, or better uniscript (in this case it will be transparent to the user), in
order to run a script in a separate process using the fork(2) system call.
This will decrease the performance of Caudium but the security has a price,
and it is up to you to decide how much you want to pay.
| Uniscript is a CGI-like wrapper. It will execute programs
as if they were CGI scripts but unlike CGI, it does not require you
to put these programs under a specific directory like /cgi-bin/. For
example each user can have his or her CGI script in his or her directory.
Moreover Caudium can execute them with the uid of the owner.
|
Don't use anything you don't need. Remove any modules you don't need in your virtual server.
Physically restrict access to the CIF.. Don't access it from the Internet if
possible. Few people know this, but it is now possible to see SSL
connections in clear text with a man-in-the-middle attack.
The dsniff software contains all the tools and explanation for this.
Turn off these options:
Global Variables -> show_internals.
Global Variables -> Version numbers -> Show Caudium Version Number.
Global Variables -> Version numbers -> Show Pike Version Number.
Turn off any debug options specific to a module. These
options are for developers, and they don't have security in
mind when they debug output.
|
Actually, this is security through obscurity and doesn't
increase the security of the server.
| | --Grendel | |
Output Caudium's log files to a separate partition. /var is a good choice for
that purpose.
Check the Caudium web site for patches.
If your job relies on your web server security, check the Caudium source.
|
|