[HCS-D] mod_php alternatives? (and tonight's work)

Ivan Krstic krstic at fas.harvard.edu
Mon Dec 6 02:38:34 EST 2004

Nick Rozenblyum wrote:
> So as far as I know, there is no way to get mod_php to execute scripts
> as their owners without having apache run as root (which in itself is a
> really bad idea).

This is accurate. The solution is securing the system in other ways, 
including but not limited to ACLs, TPE, socket control, and chroot for 
the web server.

I will bring this up at the meeting tonight, but several things are 
apparent to me at this point:

(1) HCS ought to create a new post for a security manager/CSO
(2) the choice of operating system, security, and software on public HCS 
machines ought to be reconsidered once the CSO has been appointed
(3) installation baselines ought to be produced and kept on 'cold' media
(4) installation baselines need to be integrated, probably 
automatically, into an up-to-date map of software, with accompanying 
version information, deployed across all HCS machines, for a god's-eye 
view of potential security problems



