Date:      Wed, 11 Jul 2001 12:32:33 +0000
From:      Hug Me <hugme@hugme.org>
To:        freebsd-isp@FreeBSD.ORG
Subject:   Re: gcc on production server
Message-ID:  <20010711123133.A21587@pitr.tuxinternet.com>
In-Reply-To: <20010711170336.B84178@krijt.livens.net>; from wim@livens.net on Wed, Jul 11, 2001 at 05:03:36PM +0200
References:  <20010711170336.B84178@krijt.livens.net>

On Wed, Jul 11, 2001 at 05:03:36PM +0200, Wim Livens wrote:
> 
> Not sure if this is the most appropriate forum, but...
> 
> Is it a good idea, security-wise, to have a build environment (gcc, et al.)
> on a production webserver?

It will depend on what level of security you are going for.

The first and best layer of defence for your web server is the network. TURN
OFF EVERYTHING YOU DON'T USE. Don't ever use anything with a clear-text
password: telnet, ftp, pop mail, etc.

Second, make sure none of your services run as root. Make sure that the web
server runs as one user and your web pages are owned by another. Your web server
should not have the rights to write to these pages unless it REALLY needs them.

If everything is turned off it should be hard for someone to get a shell. I
have shell accounts on my system, and I have done something similar: I changed
the permissions on anything on the system that can compile so that only root
can run it (gcc, c++, cc, etc.), and also everything in the /sbin, /usr/sbin and
/usr/local/sbin directories. Then I have gone through and changed ANYTHING
a user wouldn't need to run to be executable only by root (-r-x------).

I do regular scans on my system, run tripwire... things like that...

If you are REALLY worried about security, get a drive that has a jumper you
can change to read only, put your operating system on it, move the jumper

Like I said, there are many levels as to how paranoid you want to be, and with
each level you are going to have to spend a little more time configuring your
system. Find a good balance that you feel comfortable with between securing
your system and how much time you spend on it. Then you can decide what level
of paranoia is good for you...

Oh, I have been working on a simple security help section on my page. It's not
finished yet (it should have 6 parts when I am done), but you can check out what
I have so far at http://www.hugme.org/computer/freebsd

> 
> Thanks for any opinions.
> 
> -- 
> Wim Livens
> mailto:wim@livens.net
> http://wim.livens.net
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message

-- 

	*************************************************

	hugme				  hugme@hugme.org
	http://www.hugme.org	http://www.atlantacon.org

	PGP Public key:
		http://www.hugme.org/mykey.pgp

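The permission hardening the reply describes (compilers executable only by root, web pages not writable by the web server user) as an added shell example; this is not code from the original mail or from hugme.org, and the tool paths, the document root and the "www" user it mentions are assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail): audit and apply the permission
# rules given above on a FreeBSD or other POSIX host. The tool paths, the
# document root and the "www" user below are assumptions, not values from the mail.

# 10-character mode string of a path, e.g. -rwxr-xr-x (same on BSD and GNU ls).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Print each build tool that group or other can still execute.
# Position 7 is the group x bit (s = setgid), position 10 the other x bit (t = sticky).
audit_build_tools() {
    for f in "$@"; do
        [ -e "$f" ] || continue                # not installed: nothing to report
        case "$(mode_of "$f")" in
            ??????[xs]*|?????????[xt]*) printf '%s\n' "$f" ;;
        esac
    done
}

# Restrict the listed tools to -r-x------ (0500). Run as root; assumes the
# binaries are root-owned, as the base system installs them.
lockdown_build_tools() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        chmod 0500 "$f"
    done
}

# Print files under a document root that group or other can write to
# (position 6 = group w, position 9 = other w). Pages should be owned by a
# user other than the web server ("www"), which gets no write bit unless it REALLY needs one.
audit_docroot_writable() {
    [ -d "$1" ] || return 0
    find "$1" -type f | while IFS= read -r f; do
        case "$(mode_of "$f")" in
            ?????w*|????????w*) printf '%s\n' "$f" ;;
        esac
    done
}

# Read-only report on an assumed layout; nothing is changed by these two calls.
audit_build_tools /usr/bin/gcc /usr/bin/cc /usr/bin/c++ /usr/bin/ld /usr/bin/as
audit_docroot_writable /usr/local/www/data
```

Run the report as an unprivileged user first; only lockdown_build_tools needs root, and it should be given the explicit list of tools you decided on.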
