Forgive me for not knowing, the how-to doesn't expose any security risks except installing on the C: drive; I wouldn't put it on the same drive as the OS. Can you explain further the security risk?
vbhanderi
8 Posts
Securing Perl for shared hosting
Jul 13, 2011 10:52 AM
Hi there,
I'm trying to set up a shared hosting webserver for my company. I've set up PHP on IIS 7.5 successfully for shared hosting. But they also wanted Perl available for the sites they host. I have got Perl working on the machine, but the problem is that it's very insecure. I can write a script that can see the whole C drive. I've looked on the internet but can't find anything about securing Perl down on an IIS setup.
Any tips on securing Perl for shared hosting? Is it possible to have Perl running securely on shared hosting?
I'm using Active Perl using the following setup: http://www.websitepanel.net/kb/installing-and-running-active-perl-runtime-as-isapi-on-microsoft-iis-7.0
Thanks
steve schofi...
5682 Posts
MVP
Moderator
Re: Securing Perl for shared hosting
Jul 13, 2011 11:13 PM
Steve Schofield
Windows Server MVP - IIS
http://iislogs.com/steveschofield
http://www.IISLogs.com
Log archival solution
Install, Configure, Forget
vbhanderi
8 Posts
Re: Securing Perl for shared hosting
Jul 14, 2011 08:16 AM
Hi Steve,
The main problem is that all the websites should only see the directory of the website. They should be able to see further down the directory tree. I basically don't want each of the websites to be able to see each other and modify other websites.
PHP can be secured so that they can only see up to the website, everything else is hidden. You can also disable the use of exe files etc. on the website. I'm just interested in seeing if anyone else has secured Perl on IIS this way, or if it's even possible on this kind of setup.
steve schofi...
5682 Posts
MVP
Moderator
Re: Securing Perl for shared hosting
Jul 14, 2011 09:14 AM
Can you provide steps to show the security issue? I'm curious as I got ActivePerl working on my machine at home and am curious.
EDIT - Do you mean you can write code to recurse and read the c: (system) folder? What you could try to do is create a domain or local account, remove this user from the domain users group if a domain account, or don't grant any group perms if a local account. Then create a local group, add these special accounts, then set your application pool / anonymous access with this special account on each site. Each site would have its own unique user and couldn't see others' folders. You would obviously need to grant this group access 'read / read execute most likely' to the PERL bits, which could be installed on a separate folder. That is about the only thing I can think of.
Steve Schofield
HCamper
8048 Posts
Re: Securing Perl for shared hosting
Jul 14, 2011 02:21 PM
Hi @ Steve,
The previous comments, suggestions and information have been moved to a post in the PHP Community Forum http://forums.iis.net/t/1179997.aspx
Martin
Community Member Award 2011
steve schofi...
5682 Posts
MVP
Moderator
Re: Securing Perl for shared hosting
Jul 14, 2011 03:33 PM
Interesting, I've walked through those guides for PHP. Do you run the PERL engine within FASTCGI to gain some of the security features discussed? Are you aware of any PERL based CMS or related popular programs written in PERL that people use? I'm not as familiar with it as I am with ASP.NET, MVC, or Classic ASP. I'm kicking around using AWSTATS for stats and want to have a better understanding of security. I'll reference the two links you mentioned. I'm curious to hear from others 'what the type of apps' people run on top of PERL.
Steve Schofield
HCamper
8048 Posts
Re: Securing Perl for shared hosting
Jul 14, 2011 04:33 PM
Hi @ Steve,
The previous Script Engine information has been moved to http://forums.iis.net/t/1179997.aspx PHP Community Forum.
Martin
Community Member Award 2011
HCamper
8048 Posts
Re: Securing Perl for shared hosting
Jul 18, 2011 06:31 AM
Hi @ Steve,
The Perl Engine along with Application Pools can provide additional security.
A "Scripting Working Guide" has been started in the PHP Community Forum http://forums.iis.net/t/1179997.aspx.
Martin
Community Member Award 2011
vbhanderi
8 Posts
Re: Securing Perl for shared hosting
Jul 27, 2011 01:17 PM
Hi all,
Sorry for the late reply, was on holiday in Lanzarote! I've tried setting up Perl with FastCGI but couldn't get it to work. It's running using ISAPI at the moment.
If I somehow got it running using FastCGI, would it stop users from destroying/viewing anything outside the site folder? How would that work?
HCamper
8048 Posts
Re: Securing Perl for shared hosting
Jul 27, 2011 06:21 PM
Hi,
To start with, using the FastCGI Module will not provide additional security.
As Steve said "You can isolate scripts and execution by using folders and Accounts."
The FastCGI does provide limits and value settings for the script engine as it executes the scripts.
The FastCGI sets the path to the script engine along with recycling the processes for scripts that are running.
HTH
Martin
Community Member Award 2011
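The isolation Steve describes earlier in the thread (a unique account per site, a shared local group with read/execute on the Perl folder, and the application pool / anonymous access set to that account) could be scripted as below. This is an added example, not code from any poster; the function name, the `_web` account naming, `D:\Perl`, the `PerlSites` group and the `IIS_IUSRS` membership (used here so the account has batch logon rights) are assumptions.

```powershell
# Added example: per-site isolation for Perl on IIS 7.5. Run from an elevated prompt.
# Every name and path here is a hypothetical placeholder, not taken from the thread.
Import-Module WebAdministration

function New-IsolatedPerlSite {
    param(
        [string]$SiteName,                 # existing IIS site, e.g. 'site1'
        [string]$SiteRoot,                 # its content folder, e.g. 'D:\Sites\site1'
        [string]$Password,                 # unique per site, supplied by the caller
        [string]$PerlDir   = 'D:\Perl',    # Perl installed off the OS drive
        [string]$PerlGroup = 'PerlSites'   # local group allowed to run Perl
    )
    $account = "${SiteName}_web"

    # 1. Dedicated local account. Created through ADSI it is not placed in the
    #    built-in Users group, so it starts with no group permissions.
    $user = ([ADSI]"WinNT://$env:COMPUTERNAME,computer").Create('User', $account)
    $user.SetPassword($Password)
    $user.SetInfo()

    # 2. Shared group whose only grant is read/execute on the Perl folder.
    net localgroup $PerlGroup > $null 2>&1
    if ($LASTEXITCODE -ne 0) { net localgroup $PerlGroup /add | Out-Null }
    net localgroup $PerlGroup $account /add | Out-Null
    net localgroup IIS_IUSRS $account /add | Out-Null   # assumption: source of batch logon right
    icacls $PerlDir /grant "${PerlGroup}:(OI)(CI)RX" | Out-Null

    # 3. Site folder: remove inherited ACEs, then grant explicitly. The site
    #    account gets RX; widen to M only where scripts must write.
    icacls $SiteRoot /inheritance:r /grant:r 'Administrators:(OI)(CI)F' `
        'SYSTEM:(OI)(CI)F' "${account}:(OI)(CI)RX" | Out-Null

    # 4. One application pool per site, running as that site's account.
    New-WebAppPool -Name $SiteName | Out-Null
    Set-ItemProperty "IIS:\AppPools\$SiteName" -Name processModel `
        -Value @{ identityType = 3; userName = $account; password = $Password }  # 3 = SpecificUser
    Set-ItemProperty "IIS:\Sites\$SiteName" -Name applicationPool -Value $SiteName

    # 5. An empty anonymous userName makes anonymous requests run as the pool
    #    identity, so Perl scripts execute as the site account, not IUSR.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -Name userName -Value ''
}
```

After running it for each site, check with `icacls` that no other site's account and no broad group such as Users still appears on the site folder, since `/grant:r` leaves existing explicit entries for other principals in place.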