10001110100110101


[12:13 AM EDT - CGIWrap.]

I've got CGIWrap working on my machine now. Yay! Now all I have to do is to make it secure. Doh. Getting it to work was hard (considering that I apparently didn't have any C compilers on my computer), but finding security holes is going to be tedious..

In any case, I'm tired from staring at a computer screen all day. I really should make some use of this "free" time and go and enjoy what's left of the summer.

While I'm here, Laz has found something..

Wednesday, September 13, 2000 at 18:06:02 (UTC)

Hi QYV,

Reading your server set up stuff and a few questions jumped readily to mind:

Uh, if you're running a dedicated web server machine, why do you have to run CGIwrap? Is this just to make the porting from scienide easier? I mean, I don't think it would hurt anything, but it does slow down CGI access.

And do you really want to let anonymous ftp users upload? Really? Uh, this is generally a bad idea. But if you're doing anything at all with anonymous ftp, you probably don't want to use the out-of-the-box ftpd. Have a look at wu-ftpd.

FlyingS

Wednesday, September 13, 2000 at 19:20:49 (UTC)

cgiwrap, used properly, is a very good idea. I've heard sbox is also quite good.

I assume you actually mean "anonymous downloading," as you say "from my box..." Do you really want an FTP server?

Check out the link I put on my name below...

mick

Wednesday, September 13, 2000 at 20:23:58 (UTC)

But, but...

(not to start a security argument...) ...but, if you're running your own dedicated web server and you run httpd as an unprivileged user (which is always a good idea), CGIwrap just adds redundant complication.

chrooting your scripts is potentially a good thing, but it makes things more complicated (you have to reproduce everything you need to run the script within the chroot environment and the scripts don't work the same way as when the author was testing them). B'sides, you can chroot (1L) the server just by chrooting it, although I don't recommend it (remember, "dedicated server").

Complication is bad.

All of this begs the "why" question.

FlyingS

Wednesday, September 13, 2000 at 22:02:08 (UTC)

(apart from running as nobody)

Cgiwrap will provide future-proofing for the day when said "dedicated" server is no longer dedicated. Sbox would provide that, and chrooting, which is (as you said) very useful.

I can't see any real way for either of these options to be bad. Might add a bit of complexity, but I have a sneaking suspicion QYV can handle it. So why not, if it could boost security?

hey QYV - no gcc??

mick

Thursday, September 14, 2000 at 18:25:29 (UTC)

Well, it seems as if mick answered the CGIWrap question (basically that I might not keep the server dedicated). Besides, redundancy is always good when it comes to security..

I also came across another program that came with 6.2.. suexec? Anyway, it does the same thing, but I'm more comfortable with CGIWrap, so I'm sticking with it.

Now with this FTP issue, I would like to have some place where people who have files that interest me (or if I have files that interest them), can place these files and have access to them. I'll have some sort of guest protection which will prevent any casual netfarer from hopping by and uploading/downloading bad things, although I'm still pretty much a neophyte at setting these sorts of things up and would like to understand the basics at least.

I thought I had installed gcc when I installed 6.2, but apparently I didn't. I did install it eventually (gotta love rpms).

QYV

Thursday, September 14, 2000 at 18:46:54 (UTC)

For the FTP thing, wu-ftpd has some decent guest account features. It's really the only one that does, IIRC.

Allowing people to upload to your server leaves you open to hard-drive-filling DoS attacks. That said, I've been meaning to set up something with procmail and nmh and give people an email address that they can mail things to (whereupon the server will store them somewhere convenient--ideally on a separate partition to minimize the impact of said DoS attacks).

(This is a one-way thing, which has advantages over the anonymous FTP uploading (which can be two-way unless you bend over backwards to hide things) in that you are much less likely to unwittingly become the 'net's next big kiddie porn site).

FlyingS

Wednesday, October 16, 2024 @ 08:18:11 EDT
