[consulting] Security Around Setting Up a Sandbox

Shai Gluskin shai at content2zero.com
Tue Nov 3 13:57:58 UTC 2009


Amit and all,

Amit, thanks for replying.

Re #3, "Spammers using the site as a relay." Can you or someone explain how
that might be done?

Re: #1, If I have "use php module" permission turned off, as well as
administer users (which allows people to admin permissions), shouldn't that
take away the possibility of someone executing php?

Re #2: My hosting provider does use suPHP, a security extension for PHP that
I think you are talking about.



On Tue, Nov 3, 2009 at 7:26 AM, DrupalExpert Amit <drupalexpertamit at gmail.com> wrote:

>
> Some notes on the security aspects while giving admin rights to the Drupal
> sandbox installation:
>
> 1. Allowing someone PHP execution rights (even through the Drupal interface)
> essentially means giving away full file/folder access to the hosting account
> on which the sandbox runs. Hackers can easily "fetch" their own PHP files on
> the server and even set up a browser-based file/FTP interface for gaining full
> control.
> 2. If your hosting provider/server admin does not use a secure PHP
> configuration, then access to a single hosting account or installation would
> mean access to almost all accounts on that hard disk.
> 3. Also, trouble may be caused by spammers using the sandbox as their own
> spam-mail relay, which can get your server IP blacklisted, causing
> inconvenience to clients using the server for their projects.
>
> But then, these are extreme scenarios; if you are opening the sandbox for
> your existing and prospective clients only, then the above concerns may be
> exaggerated.
>
> Regards,
> Amit
>
> ----- Original Message -----
> > Date: Mon, 2 Nov 2009 13:09:08 -0500
> > From: Shai Gluskin <shai at content2zero.com>
> > Subject: [consulting] Security Around Setting Up a Sandbox
> > To: "A list for Drupal consultants and Drupal service/hosting
> > providers" <consulting at drupal.org>
> > Message-ID:
> > <9f68efb70911021009t54d25065nbca92ada2cde9904 at mail.gmail.com>
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > Gang,
> >
> > I'm real excited about Drupal 7. Just listened to the Lullabot podcast and
> > it's amazing how much has gotten in.
> >
> > I want to help increase the number of people looking at D7 who don't have to
> > install it themselves in order to get more people:
> >
> >   1. Finding bugs
> >   2. Finding UI issues
> >   3. Helping with documentation
> >   4. Getting excited about D7
> >
> > I'm thinking of providing a sandbox on my server. I have found one other D7
> > sandbox at http://drupal7.socialconstruction.ca/. The D7 version at that
> > site was a month old. In addition, he wasn't letting people into
> > administration sections, just letting people create content. He said the
> > reason was "for security."
> >
> > I had planned to give people a LOT more access than that. I certainly was
> > *not* going to give folks FTP or administer users permissions, but otherwise
> > I was thinking of giving authenticated users a lot of permissions. I'm
> > planning on having the Demonstration Site module
> > <http://drupal.org/project/demo> running to take snapshots on cron (and I
> > wouldn't give people admin privileges on that, obviously). So I could set
> > the site back if someone comes along and messes things up.
> >
> > I'm not particularly worried about CPU capacity or bandwidth. This sandbox
> > will not get a lot of traffic.
> >
> > So the question is: is there a security concern that opening up such a
> > sandbox would endanger the client accounts I have set up on the same
> > dedicated server? The d7sandbox account would share an IP, a hard drive, and
> > the same server configuration with my client accounts, but nothing else. Is
> > there a danger with this? Would giving that account a dedicated IP make it
> > any safer? Other thoughts???
> > Thanks,
> >
> > Shai
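Amit's point 1 and Shai's question about whether switching off the PHP permission and "administer users" is enough can be checked mechanically against the role_permission table rather than by eyeballing the permissions page. The script below is an added example written for this page; it is not code from the thread or from Drupal. It runs over a constructed set of rows shaped like Drupal 7's role_permission table (rid, permission, module) and flags roles that can run PHP outright or reach it in one step they can perform themselves. The permission strings are Drupal 7 core names (the D7 name for the block-visibility PHP right Shai refers to is "use PHP for settings", and the php module also creates a "PHP code" text format with machine name php_code). The escalation chains it encodes are how Drupal 7 behaves: "administer permissions" can grant any permission to its own role; "administer users" can reset the password of uid 1, which bypasses all permission checks; "administer filters" can attach the PHP evaluator to a text format once the php module is enabled, and "administer modules" can enable it. The sample rows and the php_module_enabled flag are assumptions, not the configuration of anyone's site.

```python
"""Flag Drupal 7 roles whose permissions amount to PHP execution.

Added example for this thread; not code from the list or from Drupal.
Input mimics rows of Drupal 7's role_permission table (rid, permission,
module). SAMPLE_ROWS is constructed for illustration only.
"""
from collections import defaultdict

# Drupal 7 core permission strings that execute PHP directly.
DIRECT_EXEC = {
    "use PHP for settings": "PHP in block visibility and other settings (php module)",
    "use text format php_code": "the PHP evaluator text format the php module creates",
}

# Constructed sample: roughly what a sandbox owner might grant. Role ids
# follow the D7 defaults: 1 anonymous, 2 authenticated, 3 administrator.
SAMPLE_ROWS = [
    (1, "access content", "node"),
    (2, "access content", "node"),
    (2, "create article content", "node"),
    (2, "administer blocks", "block"),
    (2, "administer nodes", "node"),
    (2, "administer content types", "node"),
    (2, "administer menu", "menu"),
    (2, "administer filters", "filter"),
    (3, "administer permissions", "user"),
    (3, "administer users", "user"),
    (3, "administer modules", "system"),
    (3, "administer filters", "filter"),
]


def audit(rows, php_module_enabled):
    """Return {rid: [(severity, permission, reason), ...]}.

    severity is "exec" when the role can run PHP, directly or via a step it
    can take on its own, and "escalation" when it still needs one more grant
    from someone else.
    """
    perms_by_role = defaultdict(set)
    for rid, perm, _module in rows:
        perms_by_role[rid].add(perm)

    findings = {}
    for rid, perms in sorted(perms_by_role.items()):
        hits = []
        for perm in sorted(perms & set(DIRECT_EXEC)):
            hits.append(("exec", perm, DIRECT_EXEC[perm]))
        if "administer permissions" in perms:
            # Can grant its own role any permission, including the two above.
            hits.append(("exec", "administer permissions",
                         "can grant its own role any permission"))
        if "administer users" in perms:
            # Editing uid 1, which bypasses all permission checks, is enough.
            hits.append(("exec", "administer users",
                         "can reset the password of uid 1"))
        can_enable_php = php_module_enabled or "administer modules" in perms
        if "administer filters" in perms:
            if can_enable_php:
                hits.append(("exec", "administer filters",
                             "can attach the PHP evaluator to a text format the role uses"))
            else:
                hits.append(("escalation", "administer filters",
                             "becomes PHP execution as soon as the php module is enabled"))
        if "administer modules" in perms:
            hits.append(("escalation", "administer modules",
                         "can enable the php module (or any module present on disk)"))
        findings[rid] = hits
    return findings


def roles_with_exec(findings):
    """Role ids for which at least one finding has severity 'exec'."""
    return {rid for rid, hits in findings.items()
            if any(sev == "exec" for sev, _perm, _reason in hits)}


if __name__ == "__main__":
    for enabled in (False, True):
        print(f"php module enabled: {enabled}")
        for rid, hits in audit(SAMPLE_ROWS, enabled).items():
            for sev, perm, reason in hits:
                print(f"  rid {rid}: [{sev}] {perm}: {reason}")
```

Run against a real site, the rows would come from `SELECT rid, permission, module FROM role_permission`, and the flag from whether the php module row in the system table is enabled. The point the output makes for the sandbox plan is that the authenticated role stays clean only while both the php module is off and nobody with that role can enable it; "administer filters" on its own is the one grant in the sample that flips from escalation to execution the moment the module is switched on.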