Amit and all,<br><br>Amit, thanks for replying.<br><br>Re #3, "Spammers using the site as a relay." Can you or someone explain how that might be done?<br><br>Re: #1, If I have "use php module" permission turned off, as well as administer users (which allows people to admin permissions), shouldn't that take away the possibility of someone executing php?<br>
<br>Re #2: My hosting provider does use suPHP, a security extension for PHP that I think you are talking about.<br><br><br><br><div class="gmail_quote">On Tue, Nov 3, 2009 at 7:26 AM, DrupalExpert Amit <span dir="ltr"><<a href="mailto:drupalexpertamit@gmail.com">drupalexpertamit@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
Some notes on the security aspects while giving admin rights to the Drupal<br>
sandbox installation:<br>
<br>
1. Allowing someone php execution rights (even through drupal interface),<br>
essentially means giving away full file/folder access to the hosting account<br>
on which the sandbox runs. Hackers can easily "fetch" their own php files on<br>
the server and even setup a browserbased fileftp interface for gaining full<br>
control.<br>
2. If your hosting provider/server admin does not use secure php<br>
configuration, then access to a single hosting account or installation would<br>
mean access to almost all accounts on that hard disk.<br>
3. Also trouble may be caused by spammers using the sandbox to use it as<br>
their own spammail relayers, which can get your server IP blacklisted<br>
causing inconvenience to clients using the server for their projects<br>
<br>
But then these are extreme scenarios, if you are opening the sandbox for<br>
your existing and prospective clients only, then above concerns may be<br>
exaggerated.<br>
<br>
Regards,<br>
Amit<br>
<br>
----- Original Message -----<br>
><br>
> 1. Security Around Setting Up a Sandbox (Shai Gluskin)<br>
><br>
><br>
> ----------------------------------------------------------------------<br>
><br>
> Message: 1<br>
> Date: Mon, 2 Nov 2009 13:09:08 -0500<br>
> From: Shai Gluskin <<a href="mailto:shai@content2zero.com">shai@content2zero.com</a>><br>
> Subject: [consulting] Security Around Setting Up a Sandbox<br>
> To: "A list for Drupal consultants and Drupal service/hosting<br>
> providers" <<a href="mailto:consulting@drupal.org">consulting@drupal.org</a>><br>
> Message-ID:<br>
> <<a href="mailto:9f68efb70911021009t54d25065nbca92ada2cde9904@mail.gmail.com">9f68efb70911021009t54d25065nbca92ada2cde9904@mail.gmail.com</a>><br>
> Content-Type: text/plain; charset="iso-8859-1"<br>
><br>
> Gang,<br>
><br>
> I'm real excited about Drupal 7. Just listened to the Lullabot podcast and<br>
> it's amazing how much has gotten in.<br>
><br>
> I want to help increase the number of people looking at D7 who don't have<br>
> to<br>
> install it themselves in order to get more people:<br>
><br>
> 1. Finding bugs<br>
> 2. Finding UI issues<br>
> 3. Helping with documentation<br>
> 4. Getting excited about D7<br>
><br>
> I'm thinking of providing a sandbox on my server. I have found one other<br>
> D7<br>
> sandbox at <a href="http://drupal7.socialconstruction.ca/" target="_blank">http://drupal7.socialconstruction.ca/</a>. The D7 version at that<br>
> site was a month old. In addition, he wasn't letting people into<br>
> administration sections, just letting people create content. He said the<br>
> reason was "for security."<br>
><br>
> I had planned to give people a LOT more access than that. I certainly was<br>
> *not<br>
> *going to give folks FTP or administer users permissions, but otherwise I<br>
> was thinking of giving authenticated users a lot of permissions. I'm<br>
> planning on having the Demonstration Site<br>
> module<<a href="http://drupal.org/project/demo" target="_blank">http://drupal.org/project/demo</a>>running to take snapshots on<br>
> cron (and I wouldn't give people admin<br>
> privileges on that, obviously). So I could set the site back if someone<br>
> comes along and messes things up.<br>
><br>
> I'm not particular worried about cpu capacity or bandwidth. This sandbox<br>
> will not get a lot of traffic.<br>
><br>
> So the question is: is there a security concern that opening up such a<br>
> sandbox would endanger the client accounts I have set up on the same<br>
> dedicated server. The d7sandbox account would share an IP, a hard drive,<br>
> and<br>
> the same server configuration with my client accounts, but nothing else.<br>
> Is<br>
> there a danger with this? Would giving that account a dedicated IP make it<br>
> any safer? Other thoughts???<br>
> Thanks,<br>
><br>
> Shai<br>
> -------------- next part --------------<br>
> An HTML attachment was scrubbed...<br>
> URL:<br>
> <a href="http://lists.drupal.org/pipermail/consulting/attachments/20091102/8e40e9b2/attachment-0001.html" target="_blank">http://lists.drupal.org/pipermail/consulting/attachments/20091102/8e40e9b2/attachment-0001.html</a><br>
><br>
> ------------------------------<br>
><br>
> _______________________________________________<br>
> consulting mailing list<br>
> <a href="mailto:consulting@drupal.org">consulting@drupal.org</a><br>
> <a href="http://lists.drupal.org/mailman/listinfo/consulting" target="_blank">http://lists.drupal.org/mailman/listinfo/consulting</a><br>
><br>
><br>
> End of consulting Digest, Vol 46, Issue 1<br>
> *****************************************<br>
<br>
_______________________________________________<br>
consulting mailing list<br>
<a href="mailto:consulting@drupal.org">consulting@drupal.org</a><br>
<a href="http://lists.drupal.org/mailman/listinfo/consulting" target="_blank">http://lists.drupal.org/mailman/listinfo/consulting</a><br>
</blockquote></div><br>