Re: Security in OWAS 3.0
Date: 1998/03/05
Message-ID: <6dmgva$4ei$1_at_nntp.Stanford.EDU>
It is my understanding that there is a possibility someone could hack into your site and gain control of the root process. If this occurred, they would have root privileges on your site. I'm not sure how people do this, but apparently it is possible. Therefore, it is recommended that the owner of the web server processes be a low-privileged user.
In our case, we install the web server software as a low-privileged user, so when the processes start they run as that user. We do not have a requirement to run on port 80 at the Oracle web server level.
We do route our users through an Apache server which runs on port 80 and routes them to the Oracle web server. We authenticate the users at the Apache web server and then send them to the Oracle web server.
Hope this helps. Good luck, Laurie.
--
Sybase/Oracle DBA, Stanford University
lmiller_at_lindy.stanford.edu

dipascua_at_seciu.edu.uy wrote in message <6dke8c$u43$1_at_nnrp1.dejanews.com>...
Received on Thu Mar 05 1998 - 00:00:00 CET
>We are implementing a service using OWAS 3.0 and Workgroup Server 7.3.2 on
>Solaris 2.5.1 x86, and I have the following doubts:
>
>1 - In the on-line documentation of OWAS, it is recommended to use ports
>higher than 1024 so that there is no need to run the listener as root.
>In case there is a need to use port 80, it is recommended to set 0 as the
>maximum number of connections of root's listener, and readdress all connection
>attempts over the maximum allowed to the listener with lower grants.
>First problem: the minimum figure possible in the field 'Max.Connect
>Count' is 1.
>Second problem: when setting 1, readdressing seems to work out well, but the
>listener starts sending several messages per second to stdout and to the
>log, saying 'Information: The server has reached its maximum number of
>connections. Listening will be suspended temporarily'.
>One possible solution to this could be to specify the log file of the
>listener as /dev/null, but I don't really think it is a good option.
>Besides, when I use this way, SOMETIMES the browser displays the message 'The
>request did not specify a valid virtual host'.
>
>2 - Do I really need to follow that mechanism? When a listener is executed,
>two 'oraweb' processes are run, one the child of the other.
>The parent runs with the grants of the user which executed the listener,
>but the child runs with those of the user specified in the listener's
>configuration. In case the child is executed, for instance, as 'nobody', is the
>system's security still compromised since the parent is running as 'root'?
>
>3 - In case everything works out well, is there any disadvantage in using the
>readdressing mechanism?
>
>Please, I do need help given that I couldn't find any documentation about this
>on the Internet, and our local Oracle Technical Service couldn't give me any
>clue about it either.
>
>Thanks.
>
>Diego Di Pascua
>dipascua_at_seciu.edu.uy
>SECIU - Universidad de la Republica
>
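The front-end arrangement Laurie describes (Apache bound to port 80, authenticating users, then forwarding them to the Oracle listener running as an unprivileged user on a high port) can be written down as an Apache reverse-proxy configuration. The fragment below is an added example, not configuration from either poster or from Oracle; it assumes Apache 2.4 directive names with mod_proxy, mod_proxy_http, mod_authn_file and mod_authz_core loaded, an OWAS listener reachable on 127.0.0.1 port 8080 under the path /ows/, and a password file at /etc/httpd/htpasswd. The port, path and file location are all assumptions chosen for illustration.

```apache
# Added example: Apache as an authenticating front end on port 80,
# forwarding to an Oracle Web Application Server listener that runs
# as an unprivileged user on a port above 1024.
# Assumed values: listener on 127.0.0.1:8080, application path /ows/,
# password file /etc/httpd/htpasswd, Apache 2.4 directive names.

Listen 80

# Only Apache's parent process needs root (to bind port 80); every
# process that actually handles client requests runs as this user.
User nobody
Group nobody

# Forward proxying stays off: only the explicit ProxyPass below is
# allowed. Leaving this On turns the front end into an open proxy.
ProxyRequests Off

# Pass the client's Host header through unchanged, so the listener
# sees the same virtual host name the client asked for.
ProxyPreserveHost On

<Location "/ows/">
    # Authenticate at Apache, before anything reaches the Oracle listener.
    AuthType Basic
    AuthName "Oracle Web Application Server"
    AuthBasicProvider file
    AuthUserFile "/etc/httpd/htpasswd"
    Require valid-user

    # Hand authenticated requests to the listener on its high port.
    # ProxyPassReverse rewrites Location headers in the listener's
    # redirects so the client is never sent to port 8080 directly.
    ProxyPass        "http://127.0.0.1:8080/ows/"
    ProxyPassReverse "http://127.0.0.1:8080/ows/"
</Location>
```

Two checks go with this layout. First, the listener on port 8080 must be reachable only from the Apache host (bind it to the loopback address or filter the port), otherwise a client who connects to 8080 directly bypasses the authentication that Apache enforces. Second, Basic authentication only base64-encodes the credentials, so the port-80 front end should sit behind TLS before it is exposed beyond a trusted network. After starting both servers, `httpd -t` validates the configuration syntax, and `ps -ef | grep oraweb` confirms that no oraweb process is still owned by root.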