This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
From: "Félix C.Courtemanche" <webmaster@can-host.com>
To: <modperl@apache.org>
Subject: mod_perl security on a shared web server
Date: Wed, 6 Sep 2000 00:35:13 -0400

Hello,

I couldn't find any occurrence of this question in the archives, but if it does exist, please forward me to it.

I have been working on a set of Administration Tools for commercial web hosting companies for quite some time. Lately I have been trying to figure out the MOST secure way to host multiple accounts on the same server, with mod_perl enabled AS FAST AS POSSIBLE.

In the best world, I would have the possibility of:
- Restricting the opened files by any .pl script to the user's base directory.
- Allowing custom shell commands or not
- Setting a maximum execution time for a script

The first directive would be used to prevent anyone from reading the source of another program, which would allow someone to grab the sensitive data stored in configuration files, such as Database Passwords, etc. It is the MOST important of all and I really must find a solution. I previously saw some perl wrapper that would only allow files owned by the script's owner to be read. However, that wrapper greatly reduced the execution speed of .pl and it was not that effective. Any suggestions?

The second directive would allow me to specify whether or not a user can run commands that would be passed as shell OR specify what paths are available (only /usr/bin for example)

Finally, the third directive would allow me to kill any script running for too long or using too much CPU.

I understand that there is probably no tool to do all of it, but if I can gather the tools to make it as effective as possible, it would be really useful for me and others.

Please don't tell me to monitor the user's scripts, since that is almost impossible to do when you have more than 10 sites to monitor, which will happen quickly :)

Any other tips and tricks to improve the security of mod_perl are greatly appreciated as well.

F