Infosec heaven (http://all.net) is now running a new secure http daemon for most (all non-cgi) functions. Source to this secure daemon (all 80 lines of it) is also available through this server (free for individuals, a small fee for commercial use).

The security of this new daemon comes from several factors:

1 - It is small (80 lines of C) so you can examine the source for potential problems and verify things about it.

2 - It runs setUID to a special UID (www) so it doesn't need root privileges to provide service, even on port 80.

3 - It runs chroot to the directory containing your W3 information so it limits access to the server's area.

4 - It does not write to any files except one log file which is set at compile time and is in the chroot area.

5 - It only sends files owned by the special UID (www), so it cannot be used to extract any file from the system not owned by that user. To allow access, set ownership to that UID, put it in the chroot area, and make it readable. To prevent access, don't do those things (the right default).

6 - It only reads one request of fixed maximum length from one TCP channel and stores it in a fixed array for analysis and use. You cannot overrun its input buffer, and if it doesn't find the file you are asking it to provide, it returns a predefined failure that redirects you to a legitimate page.

This combination makes this server ideal for operating on a firewall machine to provide LIMITED - GET-ONLY W3 service without sacrificing security or apparent functionality.

We hope you will enjoy our new and improved info-sec heaven and try our new secure W3 server services.

--
-> See: Info-Sec Heaven using our New Super Secure World-Wide-Web Server
-> Free: Test your system's security (scans deeper than SATAN or ISS!)
---------------------- both at URL: http://all.net ----------------------
-> Read: "Protection and Security on the Information Superhighway"
   John Wiley and Sons, 1995 ISBN 0-471-11389-1, 320 pp, $24.95
-------------------------------------------------------------------------
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236