[consulting] consulting Digest, Vol 46, Issue 1
DrupalExpert Amit
drupalexpertamit at gmail.com
Tue Nov 3 12:26:50 UTC 2009
Some notes on the security aspects while giving admin rights to the Drupal
sandbox installation:
1. Allowing someone php execution rights (even through drupal interface),
essentially means giving away full file/folder access to the hosting account
on which the sandbox runs. Hackers can easily "fetch" their own php files on
the server and even setup a browserbased fileftp interface for gaining full
control.
2. If your hosting provider/server admin does not use secure php
configuration, then access to a single hosting account or installation would
mean access to almost all accounts on that hard disk.
3. Also trouble may be caused by spammers using the sandbox to use it as
their own spammail relayers, which can get your server IP blacklisted
causing inconvenience to clients using the server for their projects
But then these are extreme scenarios, if you are opening the sandbox for
your existing and prospective clients only, then above concerns may be
exaggerated.
Regards,
Amit
----- Original Message -----
>
> 1. Security Around Setting Up a Sandbox (Shai Gluskin)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 2 Nov 2009 13:09:08 -0500
> From: Shai Gluskin <shai at content2zero.com>
> Subject: [consulting] Security Around Setting Up a Sandbox
> To: "A list for Drupal consultants and Drupal service/hosting
> providers" <consulting at drupal.org>
> Message-ID:
> <9f68efb70911021009t54d25065nbca92ada2cde9904 at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Gang,
>
> I'm real excited about Drupal 7. Just listened to the Lullabot podcast and
> it's amazing how much has gotten in.
>
> I want to help increase the number of people looking at D7 who don't have
> to
> install it themselves in order to get more people:
>
> 1. Finding bugs
> 2. Finding UI issues
> 3. Helping with documentation
> 4. Getting excited about D7
>
> I'm thinking of providing a sandbox on my server. I have found one other
> D7
> sandbox at http://drupal7.socialconstruction.ca/. The D7 version at that
> site was a month old. In addition, he wasn't letting people into
> administration sections, just letting people create content. He said the
> reason was "for security."
>
> I had planned to give people a LOT more access than that. I certainly was
> *not
> *going to give folks FTP or administer users permissions, but otherwise I
> was thinking of giving authenticated users a lot of permissions. I'm
> planning on having the Demonstration Site
> module<http://drupal.org/project/demo>running to take snapshots on
> cron (and I wouldn't give people admin
> privileges on that, obviously). So I could set the site back if someone
> comes along and messes things up.
>
> I'm not particular worried about cpu capacity or bandwidth. This sandbox
> will not get a lot of traffic.
>
> So the question is: is there a security concern that opening up such a
> sandbox would endanger the client accounts I have set up on the same
> dedicated server. The d7sandbox account would share an IP, a hard drive,
> and
> the same server configuration with my client accounts, but nothing else.
> Is
> there a danger with this? Would giving that account a dedicated IP make it
> any safer? Other thoughts???
> Thanks,
>
> Shai
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> http://lists.drupal.org/pipermail/consulting/attachments/20091102/8e40e9b2/attachment-0001.html
>
> ------------------------------
>
> _______________________________________________
> consulting mailing list
> consulting at drupal.org
> http://lists.drupal.org/mailman/listinfo/consulting
>
>
> End of consulting Digest, Vol 46, Issue 1
> *****************************************
More information about the consulting
mailing list