[Matthew J. Probst]
| On Fri, 20 Jun 1997, Paul Sutton wrote:
|
| > The admin server also needs to write to the configuration files, which
| > will probably be owned by a different user than the one that the main
| > server runs as.
|
| That's not a problem if the admin server is running as root.

If it needs to run as root it will never be installed on any of the sites I run or the sites of my clients. Single suid programs that do ONE thing and contain lots of checking would pass after some code inspection. An http server running as root would not.

| > In terms of who gets access to the admin functions, that I guess can
| > simply be setup by a command line initial install program where you select
| > one (or both) of a IP restriction and/or a username/password restriction.
| > That isn't a big issue.
|
| That initial install could just set up your access.conf on the admin
| server.

The initial install could just be a script that asks a series of questions, asks the user to confirm and then builds the config. Also, there should be only one configuration file plus the mime.types file, since this is easier to keep track of and for newbies to understand.

| > More important is that we don't want the back-end programs to allow other
| > local users to be able to either change to being another user or do things
| > to the main server (like HUPing it).
|
| If they are all owned and executable by root only, I don't see this as a
| problem.

Agreed. Small do-one-thing-and-one-thing-only programs that are suid root AND that check that the correct (compile time configured) UID is running them (that would be the config httpd uid). Also it would be wise to do sanity checks on how often they are run etc. (for example 4 times per second is clearly too often and is probably some sort of attack).

| > I am assuming the interface will be based on a standard browser here to
| > allow for full administration from any networked system.. This is the great
| > advantage of the web over older applications. It would be a big step
| > backwards to use an admin tool that is OS specific and does not use a
| > browser as its transport.
|
| Agreed.. and as it was mentioned already, for more security just use a
| SSL server.. This would, of course require the use of a key
| authority...

Not really; you can use Apache with SSL and be your own key authority. The only difference is that Netscape will whine the first time because it doesn't know the CA.

| It would be ok to be your own key authority (I mean.. there is only going
| to be one user of this admin server and I think he would trust his own
| server).. BUT IE will not connect (nor even prompt the user) to a site
| using their own key authority (not on the IE trusted list of key
| authorities).

Hmm, too bad.

-Björn
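As an added illustration (not code from this thread, from Apache, or from any of the posters), here is a C sketch of the kind of do-one-thing setuid-root helper described above: it refuses to run unless the real UID of the invoking process is the compile-time configured httpd UID, it counts invocations per second and refuses when the count exceeds a threshold, and its single privileged action is to send SIGHUP to the main server. The values ALLOWED_UID, MAX_PER_SECOND, STATE_PATH and PID_PATH are assumptions, not anything the thread specifies.

```c
/* Added example: setuid-root helper that does one thing, checks who invoked
 * it, and rate-limits itself. All paths and numbers below are assumed. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>

#ifndef ALLOWED_UID
#define ALLOWED_UID 1001u      /* assumed: uid the admin httpd runs as, fixed at build time */
#endif
#define MAX_PER_SECOND 2       /* assumed threshold; the thread calls 4/s "clearly too often" */
#define STATE_PATH "/var/run/httpd-admin-helper.state"  /* assumed root-owned state file */
#define PID_PATH   "/var/run/httpd.pid"                 /* assumed pidfile of the main server */

/* Returns 1 if the real uid of the process that executed us is the configured
 * one. Under setuid-root the effective uid is 0, so the real uid is what
 * tells us who actually invoked the helper. */
int caller_allowed(uid_t real_uid)
{
    return real_uid == (uid_t)ALLOWED_UID;
}

/* Invocation counter for one-second windows. */
struct rate_state {
    time_t window_start;
    int count;
};

/* Records one invocation at `now`; returns 1 if it is within the limit,
 * 0 if this call pushed the current second over MAX_PER_SECOND. */
int rate_ok(struct rate_state *st, time_t now)
{
    if (now != st->window_start) {
        st->window_start = now;
        st->count = 0;
    }
    st->count++;
    return st->count <= MAX_PER_SECOND;
}

/* The counter must survive across invocations, so it lives in a root-owned
 * file; an unreadable or malformed file is treated as an empty window. */
static void load_state(struct rate_state *st)
{
    long w = 0;
    int c = 0;
    FILE *f = fopen(STATE_PATH, "r");
    st->window_start = 0;
    st->count = 0;
    if (f != NULL) {
        if (fscanf(f, "%ld %d", &w, &c) == 2) {
            st->window_start = (time_t)w;
            st->count = c;
        }
        fclose(f);
    }
}

static void save_state(const struct rate_state *st)
{
    FILE *f = fopen(STATE_PATH, "w");
    if (f != NULL) {
        fprintf(f, "%ld %d\n", (long)st->window_start, st->count);
        fclose(f);
    }
}

/* The single privileged action: ask the main server to re-read its config.
 * The pid is taken from the server's own pidfile, never from argv. */
static int hup_main_server(void)
{
    long pid = 0;
    FILE *f = fopen(PID_PATH, "r");
    if (f == NULL || fscanf(f, "%ld", &pid) != 1 || pid <= 1) {
        if (f != NULL) fclose(f);
        return -1;
    }
    fclose(f);
    return kill((pid_t)pid, SIGHUP);
}

int main(void)
{
    struct rate_state st;
    int ok;

    if (!caller_allowed(getuid())) {
        fprintf(stderr, "helper: refusing: wrong invoking uid\n");
        return 1;
    }
    load_state(&st);
    ok = rate_ok(&st, time(NULL));
    save_state(&st);
    if (!ok) {
        fprintf(stderr, "helper: refusing: invoked too often\n");
        return 1;
    }
    return hup_main_server() == 0 ? 0 : 1;
}
```

The helper takes no arguments and reads no environment, so the only inputs an invoker controls are its own uid and how often it runs; both are checked before anything privileged happens. The load/check/save sequence on the state file is not atomic, so two helpers started in the same instant could both pass; a real deployment would hold a lock on the state file around that sequence.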
