North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: ARIN Policy on IP-based Web Hosting

  • From: Dana Hudes
  • Date: Thu Aug 31 14:19:38 2000

On the off-topic subject of security for IP vs name based:
Apache has this cunning feature called suExec.
The server uses the id of site files owner (as configured in the
virtualhost configuration) when accessing the site. CGI are executed with
that ID.

 On Thu, 31 Aug 2000, Alec H. Peterson wrote:

> 
> "John A. Tamplin" wrote:
> > 
> > Well, if the policy is that you have to use name-based hosting everywhere
> > feasible and do something different for those customers that need
> > something different, that can be quite a hardship on existing setups.
> > For example, re-engineering all the tools to create and maintain vdom
> > services, changing existing customer setups, etc.  It is certainly easier
> > to treat all hosting customers alike, rather than have completely
> > separate setups and then have to change a customer from one to the other
> > when they add or delete services (including downtime).
> 
> That was also brought up at the meeting, however it was generally agreed
> that the address savings were worth the work.
> 
> > 
> > Another issue nobody has mentioned is security between virtual servers.
> > Under name-based hosting, they all run as the same user-id and thus to get
> > the same security you have with separate IP-based servers you have to put
> > all the access conrol checks in all the tools that can be used.  This can be
> > hard if not impossible to do when you allow full shell access to the files
> > used by the server.
> 
> Not if you chroot() the user into their file space.  That may not be ideal,
> but there are ways to deal with it.
> 
> Alec
> 
>