Info-sec heaven now runs secure http daemon (check it out)

Dr. Frederick B. Cohen (fc@all.net)
Fri, 9 Jun 1995 10:13:56 -0400 (EDT)

Infosec heaven (http://all.net) is now running a new secure http daemon
for most (all non-cgi) functions.  Source to this secure daemon (all 80
lines of it) is also available through this server (free for
individuals, a small fee for commercial use). 

The security of this new daemon comes from several factors:

	1 - It is small (80 lines of C) so you can examine the source
	for potential problems and verify things about it.

	2 - It runs setUID to a special UID (www) so it doesn't need root
	privileges to provide service, even on port 80.

	3 - It runs chroot to the directory containing your W3 information
	so it limits access to the server's area.

	4 - It does not write to any files except one log file which is
	set at compile time and is in the chroot area.

	5 - It only sends files owned by the special UID (www), so it cannot
	be used to extract any file from the system not owned by that user.
	To allow access, set ownership to that UID, put it in the chroot
		area, and make it readable.
	To prevent access, don't do those things (the right default).

	6 - It only reads one request of fixed maximum length from one TCP
	channel and stores it in a fixed array for analysis and use.  You
	cannot overrun its input buffer, and if it doesn't find the file
	you are asking it to provide, it returns a predefined failure that
	redirects you to a legitimate page.

This combination makes this server ideal for operating on a firewall machine
to provide LIMITED - GET-ONLY W3 service without sacrificing security or
apparent functionality.

We hope you will enjoy our new and improved info-sec heaven and try our
new secure W3 server services. 

-- 
-> See:  Info-Sec Heaven using our New Super Secure World-Wide-Web Server
-> Free: Test your system's security (scans deeper than SATAN or ISS!)
---------------------- both at URL: http://all.net ----------------------
-> Read: "Protection and Security on the Information Superhighway"
	 John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
-------------------------------------------------------------------------
   Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236