For our own purposes, I'm planning on deploying CCS on an internal server of our own, so I'm not overly worried myself. However, since requests for shared hosts for CCS have gone out, I thought I would bring this up. Maybe I'll learn something. :-)
I see a hole in shared environments, where the shared key for accessing the OpenSRS server might be accessible by any other web site on the server. (I'm talking about a virtual host situation, with separate "virtual root" servers.)

For shared environments, we generally do development in Perl, so I'm not as familiar with PHP. For Perl (or any CGI), when actual security is needed we run the script suid as a dedicated user that has access to the programs and any data the program needs. This keeps sensitive data (i.e., MySQL passwords, or the OpenSRS shared key in this case) from needing to be world-readable, so only the CGI for that site can read them.

As I understand PHP, it runs as the web server user (nobody). Anything the PHP scripts need to read has to be world-readable, which for CCS is going to include the generated reseller key. Now, PHP can be locked to specific directories, but if you are on a shared server that gives CGI access, any other CGI program will probably run as the web server process, and can read your shared key. If the site uses suexec for everyone's CGI, and you make the file with the key readable by the web server user but NOT world-readable, then it should be safe. But if any other site can run their own CGI as the web server user, your key is vulnerable.

Which is a long-winded way of saying: I would think CCS should not really be run on a shared server for production use.

As I said, I'm more a Perl person than a PHP person, so please excuse me if either this is, or I've missed something, glaringly obvious.

==========================================================
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester http://www.westnet.com/

_______________________________________________
domains-gen mailing list
[email protected]
http://discuss.tucows.com/mailman/listinfo/domains-gen
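The post distinguishes three states for a credential file on a shared host: readable by everyone (what PHP running as `nobody` usually forces), readable by the web server user or group (safe only if suexec stops other tenants from running code as that user), and readable only by the site's own dedicated suid/suexec user. The following audit script is an added example, not code from the original post or from CCS/OpenSRS. It walks a web root, picks out files with secret-looking names, and classifies each one by its mode bits and ownership. The file names, the placeholder contents, and the `web_uid`/`web_gid` values in the demo are constructed assumptions for the example; the post does not name CCS's key file.

```python
"""Audit a site's files for credentials readable by other tenants on a shared host.

Added example (not from the original post or CCS). It classifies each secret
file as 'world', 'webserver' or 'private', matching the three cases the post
discusses for the OpenSRS reseller key.
"""
import os
import stat
import tempfile

# Constructed names for the demo; the post does not name CCS's key file.
SECRET_NAMES = {"opensrs_key", "config.php", ".my.cnf"}


def classify(path, web_uid, web_gid):
    """Say who can read `path` besides root.

    'world'     - mode has o+r: any account on the box can read it.
    'webserver' - the web server uid or gid can read it: exposed if other
                  tenants' CGI/PHP also runs as that user, acceptable under suexec.
    'private'   - only the owning user (e.g. the site's own suid/suexec user).
    """
    st = os.stat(path)
    mode = st.st_mode
    if mode & stat.S_IROTH:
        return "world"
    owner_ok = st.st_uid == web_uid and bool(mode & stat.S_IRUSR)
    group_ok = st.st_gid == web_gid and bool(mode & stat.S_IRGRP)
    if owner_ok or group_ok:
        return "webserver"
    return "private"


def audit(root, web_uid, web_gid):
    """Return {relative path: classification} for secret-looking files under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in SECRET_NAMES:
                full = os.path.join(dirpath, name)
                findings[os.path.relpath(full, root)] = classify(full, web_uid, web_gid)
    return findings


def build_demo_tree(root):
    """Create three constructed key files with the modes discussed in the post."""
    layout = {
        "site_a/opensrs_key": 0o644,  # world-readable: what PHP as 'nobody' needs
        "site_b/config.php": 0o640,   # readable by the web server's group only
        "site_c/.my.cnf": 0o600,      # owner-only: the suid / suexec model
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("placeholder-secret\n")  # constructed content, not a real key
        os.chmod(full, mode)
    return root


def demo():
    """Audit a temporary tree, treating the tree's group as the web server's group.

    web_uid=-1 is a sentinel for 'some other account', so owner-readable bits
    alone never count as web server access in this demo.
    """
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        web_gid = os.stat(root).st_gid  # assumption: web server runs with this gid
        return audit(root, web_uid=-1, web_gid=web_gid)


if __name__ == "__main__":
    for path, state in sorted(demo().items()):
        print(f"{state:9s} {path}")
```

On a real shared host you would point `audit()` at the document root and pass the uid/gid the web server actually runs as (from `ps` or the httpd config). Anything reported as `world` is readable by every tenant regardless of suexec; anything reported as `webserver` is only as private as the server's guarantee that no other site can execute code as that user.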
