
Security Issues of Virtual Hosting

It is important to consider some of the security issues that relate to virtual hosting. Because the Virtual Hosts operate in the same Virtual Server Environment, CGI scripts that are executed by any Virtual Host will inherit privileges to access any directory or file in your Virtual Server directory hierarchy.

For example, a malicious Virtual Hosted client could write a simple script to remove all of the files on your Virtual Server. Another script could send the contents of your ~/etc/passwd file to a remote email address where "weak" passwords could be cracked. If your login password is susceptible to a dictionary cracking program, a subhosted client could effectively steal shell access away from you.

We recommend that you do not offer unrestricted cgi-bin access to your Virtual Hosted clients unless you have complete trust in them (even then, they may accidentally cause damage to your Virtual Server). We recommend one of the following alternatives:
  1. Provide stock CGI scripts in a directory you control
    Most web sites do not demand a great deal of custom CGI programming. It is likely that you could provide a library of "stock" CGI scripts which your subhosted clients could then use. A sample composition of such a library might include: a counter, a guestbook, and a generic form processor. You would store these scripts in a subdirectory of your cgi-bin directory (e.g. vhlib). You would then configure each of your Virtual Hosts to use this cgi-bin directory by adding the following line to its <Host> definition in your httpd.conf file:

    ScriptAlias /cgi-bin/ /www/httpd/cgi-bin/vhlib/
     
  2. Configure the cgi-bin directory separate from the hosts' home directory
    Another alternative is to provide your subhosted clients with a cgi-bin that is not a subdirectory in their home directory. This would prohibit them from uploading and executing any arbitrary script. Instead, the subhosted client would email you the script, you would review it, and then install it into their cgi-bin directory (which can be configured to be a subdirectory of your main cgi-bin directory). An example of what you would add to your httpd.conf file is shown below:

    ScriptAlias /cgi-bin/ /www/httpd/cgi-bin/SUBDIR/

    Where the subdirectory SUBDIR becomes the cgi-bin directory for the subhosted client (you may want to use the same directory name for both the ~/www/vhosts and ~/www/cgi-bin to keep things organized).
We recognize that in most cases it is likely that not only are you providing your clients with hosting service, but you are also designing their web content and writing their CGI scripts as well. So this discussion may not be applicable to your specific situation, but it is still an element to remember should you decide to expand the scope of your services in the future.
    Note: At this time "CGI-wrappers" are not compatible with the Virtual Server system since you do not have root access to the server.
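
Both alternatives above depend on every Virtual Host's ScriptAlias pointing into the cgi-bin tree you control rather than into a directory the client can upload to. The following audit is an added example, not part of the original page or Blue Reef's tooling: it assumes host definitions are written as <VirtualHost> (or <Host>) blocks with a DocumentRoot line, and the host names and vhosts paths in the sample are constructed.

```python
import posixpath
import re

# Assumption: operator-controlled CGI root, taken from the page's ScriptAlias lines.
CGI_ROOT = "/www/httpd/cgi-bin"

# Constructed sample config; host names and vhosts paths are made up.
SAMPLE_CONF = """\
<VirtualHost alice.example>
DocumentRoot /www/httpd/vhosts/alice
ScriptAlias /cgi-bin/ /www/httpd/cgi-bin/vhlib/
</VirtualHost>
<VirtualHost bob.example>
DocumentRoot /www/httpd/vhosts/bob
ScriptAlias /cgi-bin/ /www/httpd/vhosts/bob/cgi-bin/
</VirtualHost>
<VirtualHost carol.example>
DocumentRoot /www/httpd/vhosts/carol
ScriptAlias /cgi-bin/ /www/httpd/cgi-bin/carol/../../vhosts/carol/bin/
</VirtualHost>
"""

HOST_OPEN = re.compile(r"<(?:Virtual)?Host\s+([^>]+)>", re.I)

def inside(path, parent):
    """True if the normalized path equals parent or lies beneath it."""
    path, parent = posixpath.normpath(path), posixpath.normpath(parent)
    return path == parent or path.startswith(parent + "/")

def audit(conf_text, cgi_root=CGI_ROOT):
    """Return (host, target, reason) for each risky ScriptAlias in a host block."""
    findings, host, docroot, aliases = [], None, None, []
    for raw in conf_text.splitlines():
        words = raw.split()
        opened = HOST_OPEN.match(raw.strip())
        if opened:  # start of a host definition
            host, docroot, aliases = opened.group(1).strip(), None, []
        elif host and raw.strip().lower() in ("</virtualhost>", "</host>"):
            for target in aliases:  # judge aliases once DocumentRoot is known
                if docroot and inside(target, docroot):
                    findings.append((host, target, "inside client DocumentRoot"))
                elif not inside(target, cgi_root):
                    findings.append((host, target, "outside operator cgi-bin"))
            host = None
        elif host and len(words) >= 2 and words[0].lower() == "documentroot":
            docroot = words[1].strip('"')
        elif host and len(words) >= 3 and words[0].lower() == "scriptalias":
            aliases.append(words[2].strip('"'))
    return findings
```

Paths are normalized before comparison, so a target that starts under the cgi-bin tree but climbs back out with ".." (the carol entry) is still reported.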