httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael.Schro...@telekurs.de
Subject Antwort: Re: Security docs
Date Tue, 20 Aug 2002 18:42:06 GMT

Hi Joshua,


>> In the TODO file better organization / more content is wanted for the
>> security documentation and since i now (finally) got some time left
>> over this weekend i thought i would update the doc with more info.
>>
>> any ideas/recommendations of what to write about?
> Personally, I'm stumped about what to do with that doc, or I would
> have taken a stab at it myself.
> The problem is that "security" means so many things (authentication/
> authorization/access control/ssl/tls/filesystem permissions/properly
> audited cgi/ssi/etc/etc/etc).
> Perhaps the best we can do is have a listing of some "best practices"
> that we recommend to users.

given this list, I make a weak attempt to classify these cases
so that they might be handled in separate chapters.

To do so, I am trying to write "scenarios" about who is trying
to protect what against whom:

---------------------------------------------------------------
Scenario 1: Server wants to control which clients access some
            protected files.
Topics:   Authentication (of all kind), Directory Browsing,
            ScriptAlias, .htaccess, ErrorDocument, ...
---------------------------------------------------------------
Scenario 2: Clients wants to prevent attacker to overhear data
            transferred to the server. (May need to be divided
            into HTTP and non-HTTP communication sections.)
Topics:     Encryption (SSL etc., AuthType Basic, ...).
---------------------------------------------------------------
Scenario 3: ServerAdmin wants to prevent webspace user to access
            privileged ressources.
Topics:   CGI auditing, suexec, chroot, userid of httpd,
            AllowOverride etc.
---------------------------------------------------------------
Scenario 4: Webspace user wants to prevent other webspace users
            to access his/her files.
Topics:   File system permissions, userid of CGI execution,
            clever password selection (outguessing FTP access)
---------------------------------------------------------------

None of this may be complete, I only want to suggest is as a
method of categorizing.
Of course these categories may not even be fully disjoint
(especially Scenario 3 and 4 may well overlap each other).

Regards, Michael



---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Mime
View raw message