10001110100110101
I've got CGIWrap working on my machine now. Yay! Now all I have to do is to make it secure. Doh. Getting it to work was hard (considering that I apparently didn't have any C compilers on my computer), but finding security holes is going to be tedious..
In any case, I'm tired from staring at a computer screen all day. I really should make some use of this "free" time and go and enjoy what's left of the summer.
While I'm here, Laz has found something..
When I booted up my Linux box this mor(o)ning, I was shocked to find out that it took more than five minutes to boot. I couldn't figure it out. It even took forever for the http, telnet, and ftp servers to get up and running. I think I figured out what the problem was. I had to disconnect the router from the WAN and this meant that the server couldn't see the WAN, which meant that it couldn't look up host names, which meant that it would just sit there, wondering why nobody was responding to its requests..
*grumbles*
Maybe I'll just turn it off.
Anyway, I still have to figure out why anonymous users can't upload files from my box using FTP..
Finally back to write up these cards I got. Er.. I should probably explain myself. First off, girl and I went downtown to throw the disc around a bit (and to get out of the house). We walked through Kensington market and went to visit one of my cousins who's currently attending U of T. Afterward, we stopped by a Play-it-Again sports store to find new brakes for my blades (none there, and apparently none close by until next season), and then headed to a card store where I picked up some cards for the people back in Waterloo(ny).
Yes, you heard me right. I'm heading back to Waterloo tomorrow to attend RHS's defence. I figured since I said I would go (and help pay for his last meal), then I would go (despite being so early in the morning - *yawn*). Also, when I said last meal, I meant last free meal in Waterloo, the guy's leaving soon afterward.
It's getting late, and I have to wake up early tomorrow, and I still have to fill out those cards, so I'm going to sign off now. I might be able to answer some of those comments, but we'll see..
I've been looking around to see who's been updating and it seems as if Laz is the only one who wins this round. He's got a bunch of pictures up if you want to look at them.
I've also added a link directly to Tiffi's letters to Sparky. Kind of annoying to go through two layers to get to them huh? Okay, okay, I guess I was the only one using that link, but at least it saves me some hassle! (Although why I didn't do it earlier..)
Wednesday, September 13, 2000 at 18:06:02 (UTC)
Hi QYV,
Reading your server set up stuff and a few questions jumped readily to mind:
Uh, if you're running a dedicated web server machine, why do you have to run CGIwrap? Is this just to make the porting from scienide easier? I mean, I don't think it would hurt anything, but it does slow down CGI access.
And do you really want to let anonymous ftp users upload? Really? Uh, this is generally a bad idea. But if you're doing anything at all with anonymous ftp, you probably don't want to use the out-of-the-box ftpd. Have a look at wu-ftpd.
FlyingS
Wednesday, September 13, 2000 at 19:20:49 (UTC)
cgiwrap, used properly, is a very good idea. I've heard sbox is also quite good.
I assume you actually mean "anonymous downloading," as you say "from my box..." Do you really want an FTP server?
Check out the link I put on my name below...
mick
Wednesday, September 13, 2000 at 20:23:58 (UTC)
But, but...
(not to start a security argument...) ...but, if you're running your own dedicated web server and you run httpd as an unprivileged user (which is always a good idea), CGIwrap just adds redundant complication.
chrooting your scripts is potentially a good thing, but it makes things more complicated (you have to reproduce everything you need to run the script within the chroot environment and the scripts don't work the same way as when the author was testing them). B'sides, you can chroot (1L) the server just by chrooting it, although I don't recommend it (remember, "dedicated server").
Complication is bad.
All of this begs the "why" question.
FlyingS
Wednesday, September 13, 2000 at 22:02:08 (UTC)
(apart from running as nobody)
Cgiwrap will provide future-proofing for the day when said "dedicated" server is no longer dedicated. Sbox would provide that, and chrooting, which is (as you said) very useful.
I can't see any real way for either of these options to be bad. Might add a bit of complexity, but I have a sneaking suspicion QYV can handle it. So why not, if it could boost security?
hey QYV - no gcc??
mick
Thursday, September 14, 2000 at 18:25:29 (UTC)
Well, it seems as if mick answered the CGIWrap question (basically that I might not keep the server dedicated). Besides, redundancy is always good when it comes to security..
I also came across another program that came with 6.2.. suexec? Anyway, it does the same thing, but I'm more comfortable with CGIWrap, so I'm sticking with it.
Now with this FTP issue, I would like to have some place where people who have files that interest me (or if I have files that interest them), can place these files and have access to them. I'll have some sort of guest protection which will prevent any casual netfarer from hopping by and uploading/downloading bad things, although I'm still pretty much a neophyte at setting these sorts of things up and would like to understand the basics at least.
I thought I had installed gcc when I installed 6.2, but apparently I didn't. I did install it eventually (gotta love rpms).
QYV
Thursday, September 14, 2000 at 18:46:54 (UTC)
For the FTP thing, wu-ftpd has some decent guest account features. It's really the only one that does, IIRC.
Allowing people to upload to your server leaves you open to hard-drive-filling DoS attacks. That said, I've been meaning to set up something with procmail and nmh and give people an email address that they can mail things to (whereupon the server will store them somewhere convenient--ideally on a separate partition to minimize the impact of said DoS attacks).
(This is a one-way thing, which has advantages over the anonymous FTP uploading (which can be two-way unless you bend over backwards to hide things) in that you are much less likely to unwittingly become the 'net's next big kiddie porn site).
FlyingS
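The one-way drop box described in the last comment, as an added example that is not from the thread or its participants: a Python intake function, which a mail filter could call for each submitted file, caps the spool so submissions cannot fill the disk and checks that the spool sits on its own partition. The function names and size limits are assumptions made for illustration.

```python
import os
import tempfile


class DropBoxFull(Exception):
    """Raised when accepting a file would exceed the drop box's budget."""


def spool_usage(spool_dir):
    """Total bytes of regular files currently stored in spool_dir."""
    total = 0
    with os.scandir(spool_dir) as entries:
        for entry in entries:
            # Ignore symlinks so a planted link cannot skew the count.
            if entry.is_file(follow_symlinks=False):
                total += entry.stat(follow_symlinks=False).st_size
    return total


def on_own_filesystem(spool_dir, other="/"):
    """True when spool_dir is on a different device than `other`,
    i.e. a full spool cannot also fill the partition holding `other`."""
    return os.stat(spool_dir).st_dev != os.stat(other).st_dev


def accept(spool_dir, data, max_item=1 << 20, max_total=8 << 20):
    """Store one submission, refusing it once the spool budget is spent.

    The usage check and the write are not atomic, so callers are assumed
    to be serialized (for example by the mail filter's delivery lock).
    """
    if len(data) > max_item:
        raise DropBoxFull("submission larger than per-item limit")
    if spool_usage(spool_dir) + len(data) > max_total:
        raise DropBoxFull("spool budget exhausted")
    # mkstemp picks an unpredictable name and creates the file mode 0600:
    # submitters can neither overwrite nor read back each other's files,
    # which keeps the box one-way.
    fd, path = tempfile.mkstemp(prefix="drop-", dir=spool_dir)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    return path


if __name__ == "__main__":
    spool = tempfile.mkdtemp()  # constructed stand-in for the real spool
    print("stored:", accept(spool, b"hello"))
    print("separate partition:", on_own_filesystem(spool))
```
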