Contributed by jose on from the httpland-security dept.
"I hope it's all right that I can ask the visitors of deadly.org a question this way: can OpenBSD be used in an ISP environment? For example, is it possible to fully use CGI in the chrooted Apache, and just all the other things you need as an ISP? It is of course also very important that users can't read each other's files with PHP/CGI.
I think one of the biggest questions is: should I run Apache chrooted or not?
If it is possible to use it in an ISP environment, does somebody maybe have a nice collection of documents which is completely dedicated to this topic?" As suggested in the http chroot FAQ, some users will probably want to disable the chroot functionality of httpd to enable their cgi-bin programs to work. However, this defeats a significant portion of the security for this kind of setup. Anyone care to share their recipes for setups like PHP, Perl, and other cgi-bin content keeping httpd chroot enabled?
By henkjan () avatar@tweakers.net on mailto:avatar@tweakers.net
check:
http://www.openbsd.org/users.html#isp
By kp () on
By Aasmund () on
Regards.
By no_more_stability () on
I have run a small ISP on OpenBSD since version 2.5. There were no problems at all. But when we switched to OpenBSD 3.3, big problems arrived :(
Everything was installed from scratch, but DB servers are crashing, mod_perl is segfaulting all the time...
I suppose it is somehow related to ProPolice.
We are currently preparing to move to FreeBSD 4.8 because of those annoying stability problems on OpenBSD 3.3 - hard to say, but we can't provide a service which is now crappy.
By A non e-mouse cow herd. () on
I would also recommend reading & using:
http://www.openbsd.org/report.html
It could help quite a bit.
By Anonymous Coward () on
2.5 was nice. my 2.6 system is still churning great. just on the lan now ... but is still the most stable i've run.
machine was built nov-1999
By Anonymous Coward () on
...but isn't it normally prudent to test a migration before deployment? I understand an upgrade is difficult, but usually that's a probable, known norm with any computer system you run. No matter how small you are, if you are running services, I would pound some test servers with such an upgrade to see what happens before making the switch, get used to the system, and see what problems arise. I wouldn't just go and blame the OS.
Maybe I'm just an ass, but it seems then you are going to "solve" the problem by going to FreeBSD 4.8. I would think that would thereby introduce another stage of problems, not to mention possible security concerns (FreeBSD varies between fair security to security advisory whore, e.g. in 2002). I like FreeBSD, but given the recent migration, are you sure this will solve the issues you are seeing?
By henning () henning@openbsd.org on mailto:henning@openbsd.org
even the fucken frontpage disaster^H^H^H^H^Hextensions work, tho I don't use the official ones, and I plan to drop them completely as customers don't really use 'em any more.
whatever your problem is, it is not OpenBSD - looks like you fucked up something while upgrading.
mod_perl is a bug collection anyway, and whoever uses it at shared webhosting servers deserves pain.
By Mark Beihoffer () mark aught dragonfly dash numeral seven daught com on http://www.dragonfly-7.com
What makes you think it's a "bug collection"? Just curious - I'm not considering it in a shared environment but maybe you have insight into why it's not appropriate for web serving otherwise.
Secondly, what extensions are you using for FrontPage? I have a customer that is currently locked into a FP installation, and he'd love to host it on OpenBSD... thanks for any input you can give me.
By Dom De Vitto. () on
WHO THE HELL DOES AN UPGRADE FROM AN OS RELEASED "May 19, 1999" TO ONE RELEASED 1 May 2003 AND EXPECTS NO PROBLEMS????????
WHY THE HELL WERE YOU RUNNING 2.5 LAST MONTH ANYWAY???? IT WAS OUT OF SUPPORT BY TWO YEARS!
What an idiot.
By Nate () nate@my-balls.com on mailto:nate@my-balls.com
I have had issues with some hardware and 3.3 over ftp, so I am still using 3.2 on some of my more recent installs.
By Anonymous Coward () on
I'll bet you $100 that your hardware is f*cking up. Build a new box, $500USD max even with scsi raid 5.
By Anonymous Coward () on
By Anonymous Coward () on
By Anonymous Coward () on
Thanks
By krh () on
Please be more considerate next time.
By Anonymous Coward () on
By Dom De Vitto () on
Please read a good security book, e.g. a CISSP exam prep guide, if you do not understand why.
By Anonymous Coward () on
By Anonymous Coward () on
By Anonymous Coward () on
By Wouter () openbsd@gamezworld.com on mailto:openbsd@gamezworld.com
For CGI, I could of course copy the perl binary and all the libs.. but I am not sure if it's right to do this, and does it work that way (is mod_perl an option?)?
Another thing is, how do I make sure CGI is safe? With PHP I know now I am safe, because of the safe_mode option, but is there a way to make CGI secure as well?
Probably these questions have been asked many times, but I think it is good that the answers will be listed at such a good site as this one.
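The "copy the perl binary and all the libs" step asked about above, as an added example that is not from the original thread: a POSIX sh script that reads `ldd` output for a binary and copies the binary plus every shared object it links against into the httpd chroot at the same paths. It assumes the chroot root is /var/www (OpenBSD's default for httpd) and that it is run as root; perl's module tree (/usr/libdata/perl5 on OpenBSD) is not a shared object and still has to be copied separately.

```sh
#!/bin/sh
# Populate an httpd chroot with a dynamically linked binary and its libraries.
# Assumption: chroot root is /var/www (OpenBSD default); run as root to copy.

# Extract absolute library paths from ldd output read on stdin.
# Handles both OpenBSD's column table (Start End Type Open Ref GrpRef Name)
# and the Linux "name => /path (addr)" style: any whitespace-separated field
# that begins with "/" is taken as a path. Entries without a path (e.g. a vdso)
# are skipped because they exist nowhere on disk.
deps_from_ldd() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' | LC_ALL=C sort -u
}

# Print every file that must exist under the chroot for $1 to run there:
# the binary itself first, then each shared object (and ld.so) it needs.
needed_files() {
    bin="$1"
    printf '%s\n' "$bin"
    # OpenBSD's ldd lists the binary itself as the first row; drop that duplicate.
    ldd "$bin" 2>/dev/null | deps_from_ldd | grep -Fxv -- "$bin" || true
}

# Copy each needed file into $1 at the same relative path, preserving modes,
# so the dynamic linker inside the chroot resolves them without any changes.
install_into_chroot() {
    root="$1"; bin="$2"
    needed_files "$bin" | while read -r f; do
        mkdir -p "$root$(dirname "$f")"
        cp -p "$f" "$root$f"
    done
}

# Usage: install_into_chroot /var/www /usr/bin/perl
```

After copying, verify with `chroot /var/www /usr/bin/perl -v`; a "cannot load library" error names the object that is still missing.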
By Anonymous Coward () on
This might sound strange from a sysadmin, but at some level you just have to stop being paranoid and trust someone or else you will do nothing but create more work for yourself and anger your customers.
Sidenote... PHP safe_mode isn't exactly the paragon of security you make it out to be, but it does help.
By schwack () on
php_admin_value open_basedir "/home/username/"
There are many other things to check out. read http://www.php.net/manual/en/security.php
By Aasmund () on
By Anonymous Coward () on
By Iota () on
By Wouter () openbsd@gamezworld.com on mailto:openbsd@gamezworld.com
However, I would like to suggest PowerDNS (www.powerdns.com); you have to compile it with GCC/G++ 3.2.2 .. it has a MySQL backend which is really great.
By michaelc () gigalo@canada.com on mailto:gigalo@canada.com
By Iota () on
By AAsmund () on
By marcin () ms@kajtek.org on mailto:ms@kajtek.org
I do not mean to start a djbdns - BIND war. BIND works, it might not be practical, worthwhile, etc. to switch, blah blah. _I_ like it a lot.
*asbestos shield off*
Just wondering if you had a chance to look at djbdns (http://cr.yp.to/djbdns.html). I started to use it after prolonged exposure to BIND config files, and never looked back.
1) Its license does not allow it to be included in the ports. It is free, but does not suit OBSD's, Debian's (and others') definition of free.
2) _I_ find djbdns setup to be much easier and "cleaner" than that of BIND.
3) It is easy to get a good and secure config.
4) It is of ISP quality.
5) djbdns follows its own way to do zone transfers. It is better than that of BIND but requires some glue (some perl glue is provided).
6) You will want to load ucspi-tcp and daemontools as well. A plus to me, might be more new/weird software to you.
More setup instructions:
http://www.lifewithdjbdns.com/
By Anonymous Coward () on
By Anonymous Coward () on
By Blake () funkboy at two one one two dot net on mailto:funkboy at two one one two dot net
By Matt () on
Could we make another flavor within ports to install a port with the intention of making it available in the chroot structure? Or even just switch certain ports over to be installed to the /var/www dir by default. Call me crazy, but who runs PHP outside of a webserver? Why wouldn't we put webserver components in a path where our default configuration can't reach them?
And before I'm flamed, yes, I realize I could probably edit the makefiles by hand, but why do we intentionally make it hard on ourselves?
By marcbey () marc@marcbey.de on mailto:marc@marcbey.de
By Anonymous Coward () on
Will that work with the default chrooted install of Apache (provided that perl is inside the chroot, of course)?
Or does suexec create more security issues than it solves?
By doggo () w-berry@north!NS!western.edu on mailto:w-berry@north!NS!western.edu
http://www.etc.msys.ch/docs/
And/or do a google search for "marc balmer chroot" and you'll find some threads.
Hope this is helpful.
By Jimmy Mitchener () on
By janus () janus -at- errornet -dot- de on http://janus.errornet.de