[Fwd: Re: Need some advice]

From: Royce Williams <royce@alaska.net>
Date: Wed Aug 18 2004 - 13:04:54 AKDT

Forgot to send to the list as well.

-------- Original Message --------
Subject: Re: Need some advice
Date: Wed, 18 Aug 2004 13:01:02 -0800
From: Royce Williams <royce@alaska.net>
To: Jon Reynolds <jonr@destar.net>
References: <1092860681.4123bb0917557@www.destar.net>

On 8/18/2004 12:24 PM, Jon Reynolds wrote:

> We have a new web guy at my job that wants to be able to ssh into the webserver
> and compile and install perl applications and cgi scripts to use on the
> webserver. This person has just started working here and is an Americorps
> volunteer who will more than likely be gone in one year.

If it's just perl and script CGIs, he should be able to develop locally
and upload. IMHO, a properly-written CGI has enough internal debugging
feedback that there's no need to run it locally. If you are in charge
of creating the policy, require that the CGIs be in Perl and require
taint mode and warnings (#!/usr/bin/perl -Tw), "use strict", "use Carp",
"use CGI", etc. and don't let him use the -U flag (allow unsafe operations).
Read up on -U if it's new to you.

Requiring the above and having him do the initial development on a
separate dev box of his own will encourage better, more maintainable
code. It also gives you reason to build another Linux box, which
can't be bad. :)

If he wants to actually compile stuff (generate binaries) as well, I'd
hesitate on that. In practice, especially for CGIs, I've found that
keeping them in an interpreted/bytecode language really improves
long-term maintainability. You also don't have to worry about whether
or not he put something in the binary that isn't in the source code
(putting on paranoia hat for a moment). Just my opinion.

> What is the best way to allow him to do his work and keep the box secure from
> his mistakes and poking around in places he should not be poking around in? I
> was thinking about a chrooted ssh so that he can't go anywhere other than where
> he needs to be. But what about installing cgi and perl scripts, how do I protect
> the server from any mistakes he might make or any applications that he may try
> to install that have a security risk?

If you give him FTP upload access to the cgi-bin dir with one account
(group-writable by a group you specify, for example), I think that this
should be enough. I'd avoid the ssh access entirely.

What kinds of apps is he looking to write?

Though I work in the industry, I haven't ever tried to do what you're
describing, so I'm probably forgetting some items. YMMV.

-royce

-- 
------------------------------------------------------------------------
Royce D. Williams                                  - IP Engineering, ACS
personal: [first]@alaska.net                    - PGP: 3FC087DB/1776A531
work: [first.last]@acsalaska.net           - http://www.tycho.org/royce/
Received on Wed Aug 18 13:05:03 2004
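
Added example (not part of the original message or the list archive): one way an admin could check uploaded Perl CGIs against the policy described in the reply above, i.e. a `-Tw` shebang, no `-U`, and `use strict`, `use Carp`, `use CGI`. The function names, the approximate list of argument-taking switches and the sample scripts are assumptions made for this sketch.

```python
import re

# Policy from the thread: perl shebang with -T and -w, no -U,
# plus "use strict", "use Carp" and "use CGI".
SHEBANG = re.compile(r"^#!\s*(?:\S*/)?perl[\d.]*(?:\s+(.*))?$")
USE_LINE = re.compile(r"^\s*use\s+([A-Za-z_][\w:]*)")
TAKES_ARG = set("CDEFIMVeimx")  # approximate: switches whose trailing text is an argument
REQUIRED_MODULES = ("strict", "Carp", "CGI")

def shebang_switches(first_line):
    """Set of single-letter perl switches on a #! line, or None if not a perl shebang."""
    m = SHEBANG.match(first_line.strip())
    if m is None:
        return None
    switches = set()
    for token in (m.group(1) or "").split():
        if not token.startswith("-"):
            break  # script arguments, not switches
        for i, ch in enumerate(token[1:], start=2):
            switches.add(ch)
            # e.g. -I/opt/lib or -d:Module: the rest is an argument, not more switches
            if ch in TAKES_ARG or (ch == "d" and token[i:i + 1] in (":", "=")):
                break
    return switches

def check_cgi(source):
    """Return the list of policy violations for one script; empty means compliant."""
    lines = source.splitlines()
    problems = []
    switches = shebang_switches(lines[0]) if lines else None
    if switches is None:
        problems.append("first line is not a perl shebang")
    else:
        if "T" not in switches:
            problems.append("taint mode (-T) not enabled")
        if "w" not in switches:
            problems.append("warnings (-w) not enabled")
        if "U" in switches:
            problems.append("-U (allow unsafe operations) is set")
    used = {m.group(1) for m in map(USE_LINE.match, lines) if m}
    problems += [f"missing 'use {mod}'" for mod in REQUIRED_MODULES if mod not in used]
    return problems

# Constructed sample scripts, not taken from the thread.
GOOD = "#!/usr/bin/perl -Tw\nuse strict;\nuse Carp;\nuse CGI;\nprint CGI->new->header;\n"
BAD = "#!/usr/bin/perl -wU\n# use strict;\nuse CGI qw(:standard);\nprint header;\n"

if __name__ == "__main__":
    for name, src in (("good.cgi", GOOD), ("bad.cgi", BAD)):
        print(name, check_cgi(src) or "OK")
```

A check like this only confirms that the required switches and pragmas are present; it does not review what the script does with untainted data.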
