[consulting] Security Around Setting Up a Sandbox

[Shai Gluskin]

Gang,

I'm real excited about Drupal 7. Just listened to the Lullabot podcast and
it's amazing how much has gotten in.

I want to help increase the number of people looking at D7 who don't have to
install it themselves in order to get more people:

   1. Finding bugs
   2. Finding UI issues
   3. Helping with documentation
   4. Getting excited about D7

I'm thinking of providing a sandbox on my server. I have found one other D7
sandbox at http://drupal7.socialconstruction.ca/. The D7 version at that
site was a month old. In addition, he wasn't letting people into
administration sections, just letting people create content. He said the
reason was "for security."

I had planned to give people a LOT more access than that. I certainly was *not
*going to give folks FTP or administer users permissions, but otherwise I
was thinking of giving authenticated users a lot of permissions. I'm
planning on having the Demonstration Site
module<http://drupal.org/project/demo>running to take snapshots on
cron (and I wouldn't give people admin
privileges on that, obviously). So I could set the site back if someone
comes along and messes things up.

I'm not particular worried about cpu capacity or bandwidth. This sandbox
will not get a lot of traffic.

So the question is: is there a security concern that opening up such a
sandbox would endanger the client accounts I have set up on the same
dedicated server. The d7sandbox account would share an IP, a hard drive, and
the same server configuration with my client accounts, but nothing else. Is
there a danger with this? Would giving that account a dedicated IP make it
any safer? Other thoughts???
Thanks,

Shai
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.drupal.org/pipermail/consulting/attachments/20091102/8e40e9b2/attachment.html