[consulting] consulting Digest, Vol 46, Issue 1

Tue Nov 3 12:26:50 UTC 2009

Some notes on the security aspects while giving admin rights to the Drupal 
sandbox installation:

1. Allowing someone php execution rights (even through drupal interface), 
essentially means giving away full file/folder access to the hosting account 
on which the sandbox runs. Hackers can easily "fetch" their own php files on 
the server and even setup a browserbased fileftp interface for gaining full 
control.
2. If your hosting provider/server admin does not use secure php 
configuration, then access to a single hosting account or installation would 
mean access to almost all accounts on that hard disk.
3. Also trouble may be caused by spammers using the sandbox to use it as 
their own spammail relayers, which can get your server IP blacklisted 
causing inconvenience to clients using the server for their projects

But then these are extreme scenarios, if you are opening the sandbox for 
your existing and prospective clients only, then above concerns may be 
exaggerated.

Regards,
Amit

----- Original Message ----- 
>
>   1. Security Around Setting Up a Sandbox (Shai Gluskin)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 2 Nov 2009 13:09:08 -0500
> From: Shai Gluskin <shai at content2zero.com>
> Subject: [consulting] Security Around Setting Up a Sandbox
> To: "A list for Drupal consultants and Drupal service/hosting
> providers" <consulting at drupal.org>
> Message-ID:
> <9f68efb70911021009t54d25065nbca92ada2cde9904 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Gang,
>
> I'm real excited about Drupal 7. Just listened to the Lullabot podcast and
> it's amazing how much has gotten in.
>
> I want to help increase the number of people looking at D7 who don't have 
> to
> install it themselves in order to get more people:
>
>   1. Finding bugs
>   2. Finding UI issues
>   3. Helping with documentation
>   4. Getting excited about D7
>
> I'm thinking of providing a sandbox on my server. I have found one other 
> D7
> sandbox at http://drupal7.socialconstruction.ca/. The D7 version at that
> site was a month old. In addition, he wasn't letting people into
> administration sections, just letting people create content. He said the
> reason was "for security."
>
> I had planned to give people a LOT more access than that. I certainly was 
> *not
> *going to give folks FTP or administer users permissions, but otherwise I
> was thinking of giving authenticated users a lot of permissions. I'm
> planning on having the Demonstration Site
> module<http://drupal.org/project/demo>running to take snapshots on
> cron (and I wouldn't give people admin
> privileges on that, obviously). So I could set the site back if someone
> comes along and messes things up.
>
> I'm not particular worried about cpu capacity or bandwidth. This sandbox
> will not get a lot of traffic.
>
> So the question is: is there a security concern that opening up such a
> sandbox would endanger the client accounts I have set up on the same
> dedicated server. The d7sandbox account would share an IP, a hard drive, 
> and
> the same server configuration with my client accounts, but nothing else. 
> Is
> there a danger with this? Would giving that account a dedicated IP make it
> any safer? Other thoughts???
> Thanks,
>
> Shai
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: 
> http://lists.drupal.org/pipermail/consulting/attachments/20091102/8e40e9b2/attachment-0001.html
>
> ------------------------------
>
> _______________________________________________
> consulting mailing list
> consulting at drupal.org
> http://lists.drupal.org/mailman/listinfo/consulting
>
>
> End of consulting Digest, Vol 46, Issue 1
> ***************************************** 