source: trunk/minix/commands/httpd/SECURITY@ 11

Last change on this file since 11 was 9, checked in by Mattia Monga, 14 years ago

Minix 3.1.2a

File size: 2.3 KB
Line 
1SECURITY NOTE
2
3Al Woodhull <awoodhull@hampshire.edu> 2003-07-05
4
5Running a web server is fun, but it's also not without risks. If, like
6many Minix users, you are a guest on someone else's network, you need
7to be very careful to operate your server in ways that will not put
8your system at risk or interfere with others on the net. Here are some
9points to consider:
10
11- Be sure to touch /usr/adm/httpd.log (or whatever you specify as the log
12file in httpd.conf) before you start your web server for the first time
13-- nothing will be logged if the log file does not exist. Then look at
14your log file frequently and be alert for any unusual activity.
15
16- You may also want to be sure that tcpd is configured to operate in
17PARANOID mode. That will enable logging of connection attempts and
18allow you to use the serv.access (5) file to limit the kinds of
19connections that your system allows.
20
21- If you enable proxy webserving, be very careful, it can be used by
22people you don't know to visit sites that don't welcome visitors whose
23identity is hidden. This may cause your network host and ultimately you
24some unpleasantness.
25
26- The Minix httpd can also support CGI applications. These are also
27dangerous -- a CGI application allows someone else to execute a program
28on your computer. Make sure anything you allow this way cannot be
29abused. Many security violations are due to effects of input that was not
30expected by the original author of a program.
31
32- It's an understatement to say that Minix is not a well-known
33operating system. There are not many Minix systems operating as
34servers on the internet. A consequence of this is that there few, if
35any, people engaged in finding ways to attack weaknesses in Minix. But
36the idea of "security through obscurity" is deprecated by serious
37computer security experts. Any operating system or program of any
38degree of complexity is likely to have bugs or features that can be
39exploited in ways the original programmers did not foresee. You can't
40count on the "good guys" being the first ones to discover a risk.
41There are two things you should be sure to do if you are running a
42network server of any kind:
43
44(1) be alert for new versions of the program that may fix bugs
45discovered by other users, and
46
47(2) be sure to report to the program author or maintainer anything you
48observe that looks like a bug or a way the program can be misused.
Note: See TracBrowser for help on using the repository browser.