IIS 7 and Above
Securing Perl for shared hosting
Last post Jul 27, 2011 07:21 PM by HCamper
Jul 13, 2011 11:52 AM|vbhanderi|LINK
I'm trying to setup a shared hosting webserver for my company. I've setup php on iis 7.5 sucessfully for shared hosting. But they also wanted perl available for the sites they host. I have got perl working on the machine, but the problem is that it's very
insecure. I can write a script that can see the whole C drive. I've looked on the internet but can't find anything about securing perl down on a iis setup.
Any tips on securing Perl for shared hosting? Is it possible to have Perl running securely on shared hosting?
I'm using Active Perl using the following setup:
Jul 14, 2011 12:13 AM|steve schofield|LINK
Windows Server MVP - IIS
Log archival solution
Install, Configure, Forget
Jul 14, 2011 09:16 AM|vbhanderi|LINK
The main problem is that all the website should only see the directory of the website. They should be able to see further down the directory tree. I basically don't want each of the websites to be able to see each other and modify other websites.
Php can be secured so that they can only see up to the website, everthing else is hidden. You can also disable the use of exe files etc on the website. I'm just interested in seeing if anyone else has secured perl on iis this way, or if it's even possible
on this kind of setup.
Jul 14, 2011 10:14 AM|steve schofield|LINK
Can you provide steps to show the security issue? I'm curious as I got ActivePerl working on my machine at home and am curious.
EDIT - Do you mean you can write code to recurse and read the c: (system) folder? What you could try to do is create a domain or local account, remove this user from domain users group if a domain account, or don't grant any group perms if a local account.
Then create a local group, add these special accounts, then set your application pool / anonymous access with this special account on each site. Each site would have it's own unique user and couldn't see others folders. You would obviously need to grant
this group access 'read / read execute most likely' to the PERL bits, which could be installed on a separate folder. That is about the only thing I can think of.
Jul 14, 2011 03:21 PM|HCamper|LINK
Hi @ Steve,
The previous comments suggestions and information have been
moved to a post in the PHP Community Forum
Jul 14, 2011 04:33 PM|steve schofield|LINK
Interesting, I've walked through those guides for PHP. Do you run the PERL engine within FASTCGI to gain some of the security features discussed? Are you aware of any PERL based CMS or related popular programs written in PERL that people use. I'm not
that familar as I am with ASP.NET, MVC, or Classic ASP. I'm kicking around using AWSTATS for stats and want to have a better understanding of security. I'll reference the two links you mentioned. I'm curious to here from others 'what the type of apps' people
run on top of PERL.
Jul 14, 2011 05:33 PM|HCamper|LINK
The previous Script Engine information has been moved to
http://forums.iis.net/t/1179997.aspx PHP Community Forum.
Jul 18, 2011 07:31 AM|HCamper|LINK
The Perl Engine along with Application Pools can provide additional security.
A "Scripting Working Guide" has been started in the PHP Community Forum
Jul 27, 2011 02:17 PM|vbhanderi|LINK
Sorry for the late reply, was on holiday in Lanzarote! I've tried setting up Perl with FastCGI but couldn't get it to work. It's running using Isapi at the moment.
If I somehow got it running using FastCGI, would it stop users from destroying/viewing anything outside the site folder? How would that work?
Jul 27, 2011 07:21 PM|HCamper|LINK
To start with using FastCGI Module will not provide additional security.
As Steve said "You can isolate scripts and execution by using folders and Accounts."
The FastCGI does provide limits and value settings for a the script engine as it executes the scripts.
The FastCGI sets the path to the script engine along with recycling the processes for scripts that are running.