Security Issues
Many of the extra capabilities this Web Server supports allow you to run
things on the Web Server itself. These things run as you.
This means that if you are not careful, you can wind up allowing anyone on the
Web to do things to your account, such as removing files (or worse). For each of
the extra capabilities listed below, suggestions are given to help you
avoid security problems. Be careful to follow the suggestions.
There are a few generalities. If shell scripts are involved, it is
best to turn off "filename globbing" in the shell. This will prevent
remote users from being able to see lists of files. For sh scripts,
begin them with:
#!/bin/sh -f
For csh or tcsh, use the command set noglob.

Be as conservative as possible with file permissions. Where file
permissions can be set up to restrict who will be able to see your files
(e.g. CGI scripts), how to do that will be described below.

Also keep in mind when writing scripts that, in most cases, other people
on the Web may be able to point their own Web Pages at your scripts. Your
scripts may wind up receiving input from pages that you did not set up,
so you cannot assume anything about the input your scripts will see.
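
The effect of turning off filename globbing, shown as an added example that is not part of the original page: a script that echoes a request value without quoting it prints the names of the files in its working directory when the value is `*`, and prints the literal `*` once globbing is off. The function names, the sample file names and the scratch directory are constructed for the demonstration.

```sh
#!/bin/sh
# Added demonstration: an unquoted request value with and without
# filename globbing. All names below are hypothetical.

# Stands in for a script body that echoes a request value unquoted.
# $1 = the value exactly as the remote user sent it
echo_unquoted() {
    echo $1
}

# Runs echo_unquoted inside a scratch directory of constructed files.
# $1 = "glob"   : shell default, wildcards are expanded
#      "noglob" : same effect as starting the script with #!/bin/sh -f
# $2 = the remote user's input
# The function body is a subshell, so cd and set -f do not leak out.
run_case() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1
    : > notes.txt        # constructed sample files
    : > private.txt
    if [ "$1" = "noglob" ]; then
        set -f           # disable filename globbing
    fi
    out=$(echo_unquoted "$2")
    cd / && rm -rf "$dir"
    printf '%s\n' "$out"
)

printf 'globbing on : %s\n' "$(run_case glob '*')"
printf 'globbing off: %s\n' "$(run_case noglob '*')"
```

Quoting the variable (`echo "$1"`) also stops the expansion; `-f` covers the places in a script where a quote was forgotten.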