[Cialug] minimizing exposure with web hosting

Zachary Kotlarek zach at kotlarek.com
Mon Aug 2 12:24:48 CDT 2010


On Aug 2, 2010, at 10:33 AM, Matthew Nuzum wrote:

> Currently I'm only intending to allow webdav access because my initial thinking was that it minimized my security exposure. However, this presents problems with cgi, rails and django. CGI because I can't figure out how to chmod +x using webdav. To make any non-trivial apps with rails and django you need shell access to run rake db:migrate or manage.py syncdb.


If you really just need to provide access to a handful of commands, those commands take a predictable set of arguments, and no user input is required beyond launching the command, it would be pretty easy to throw up a web interface that allows access only to those specific commands.

Be sure to avoid shell parsing of the arguments when you call the commands, and maybe provide basic filtering to avoid obviously bad arguments/out-of-scope filepaths/etc. Assuming you want to run commands as someone other than the web server user, you could also enforce such restrictions in /etc/sudoers, to provide a second level of protection.

	Zach
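The pattern Zach describes, as an added example that is not code from the thread: a fixed allowlist of commands executed as an argv list (never through a shell), a single validated file slot, site names confined to one directory per customer, and optional sudo so /etc/sudoers can restrict the same commands again. The /srv/sites layout, the command names, and the "deploy" user are assumptions for illustration.

```python
import os
import subprocess
from typing import List, Optional

# Assumed layout for this example: one directory per customer site under SITES_ROOT.
SITES_ROOT = os.path.realpath("/srv/sites")

# Allowlist: a short name maps to a fixed argv template. "{file}" is the only
# slot that may carry a user-supplied value, and it is validated before use.
ALLOWED = {
    "rails-migrate": ["rake", "db:migrate"],
    "django-syncdb": ["python", "manage.py", "syncdb"],
    "make-executable": ["chmod", "+x", "{file}"],
}

def site_dir(site: str) -> str:
    """Map a site name to its directory; reject anything not directly under SITES_ROOT."""
    if not site or not site.replace("-", "").replace("_", "").isalnum():
        raise ValueError("bad site name")
    path = os.path.realpath(os.path.join(SITES_ROOT, site))
    if os.path.dirname(path) != SITES_ROOT:
        raise ValueError("site escapes SITES_ROOT")
    return path

def safe_file(site_path: str, rel: str) -> str:
    """Accept only a relative path that still resolves inside the site directory."""
    if not rel or os.path.isabs(rel):
        raise ValueError("file must be relative")
    full = os.path.realpath(os.path.join(site_path, rel))
    if not full.startswith(site_path + os.sep):
        raise ValueError("file escapes site directory")
    return os.path.relpath(full, site_path)

def build_argv(command: str, site: str, file: Optional[str] = None,
               run_as: Optional[str] = None) -> List[str]:
    """Return the exact argv list to execute; no string is ever handed to a shell."""
    if command not in ALLOWED:
        raise ValueError("command not allowed")
    template = ALLOWED[command]
    if ("{file}" in template) != (file is not None):
        raise ValueError("file argument mismatch")
    sdir = site_dir(site)
    argv = [safe_file(sdir, a) if a == "{file}" else a for a in template]
    argv = [safe_file(sdir, file) if a == "{file}" else a for a in argv] if file else argv
    if run_as:  # sudoers should then permit the web user only these exact commands
        argv = ["sudo", "-n", "-u", run_as, "--"] + argv
    return argv

def is_allowed(command: str, site: str, file: Optional[str] = None) -> bool:
    try:
        build_argv(command, site, file)
        return True
    except ValueError:
        return False

def run(command: str, site: str, file: Optional[str] = None, run_as: Optional[str] = None):
    """Execute with an argv list (shell=False) from inside the site directory."""
    argv = build_argv(command, site, file, run_as)
    return subprocess.run(argv, cwd=site_dir(site), capture_output=True, text=True, timeout=300)
```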
