We are excited to announce that the IIS.NET Forums are moving to the new Microsoft Q&A experience. Learn more >

Securing Perl for shared hosting [Answered]RSS

9 replies

Last post Jul 27, 2011 02:21 PM by HCamper

  • Securing Perl for shared hosting

    Jul 13, 2011 06:52 AM|vbhanderi|LINK

    Hi there,

     I'm trying to setup a shared hosting webserver for my company. I've setup php on iis 7.5 sucessfully for shared hosting. But they also wanted perl available for the sites they host. I have got perl working on the machine, but the problem is that it's very insecure. I can write a script that can see the whole C drive. I've looked on the internet but can't find anything about securing perl down on a iis setup.

    Any tips on securing Perl for shared hosting? Is it possible to have Perl running securely on shared hosting?

     I'm using Active Perl using the following setup: http://www.websitepanel.net/kb/installing-and-running-active-perl-runtime-as-isapi-on-microsoft-iis-7.0

    Thanks

  • Re: Securing Perl for shared hosting

    Jul 13, 2011 07:13 PM|steve schofield|LINK

    forgive me for not knowing, the how-to doesn't expose any security risks except installing on the C: drive, I wouldn't put on the same drive as the OS.    Can you explain further the security risk.

    Steve Schofield
    Windows Server MVP - IIS
    http://iislogs.com/steveschofield
    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget

  • Re: Securing Perl for shared hosting

    Jul 14, 2011 04:16 AM|vbhanderi|LINK

     Hi Steve,

    The main problem is that all the website should only see the directory of the website. They should be able to see further down the directory tree. I basically don't want each of the websites to be able to see each other and modify other websites.

    Php can be secured so that they can only see up to the website, everthing else is hidden. You can also disable the use of exe files etc on the website. I'm just interested in seeing if anyone else has secured perl on iis this way, or if it's even possible on this kind of setup.

  • Re: Securing Perl for shared hosting

    Jul 14, 2011 05:14 AM|steve schofield|LINK

    Can you provide steps to show the security issue?  I'm curious as I got ActivePerl working on my machine at home and am curious. 

    EDIT - Do you mean you can write code to recurse and read the c: (system) folder?  What you could try to do is create a domain or local account, remove this user from domain users group if a domain account, or don't grant any group perms if a local account.  Then create a local group, add these special accounts, then set your application pool / anonymous access with this special account on each site.  Each site would have it's own unique user and couldn't see others folders.  You would obviously need to grant this group access 'read / read execute most likely' to the PERL bits, which could be installed on a separate folder.  That is about the only thing I can think of.  

    Steve Schofield
    Windows Server MVP - IIS
    http://iislogs.com/steveschofield
    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget

  • Re: Securing Perl for shared hosting

    Jul 14, 2011 10:21 AM|HCamper|LINK

    Hi @ Steve,

    The previous comments suggestions and information have been

    moved to a post in the PHP Community Forum http://forums.iis.net/t/1179997.aspx

    Martin

    Windows and Linux work Together IT-Pros
    Community Member Award 2011
  • Re: Securing Perl for shared hosting

    Jul 14, 2011 11:33 AM|steve schofield|LINK

    Interesting, I've walked through those guides for PHP.     Do you run the PERL engine within FASTCGI to gain some of the security features discussed?  Are you aware of any PERL based CMS or related popular programs written in PERL that people use.  I'm not that familar as I am with ASP.NET, MVC, or Classic ASP.  I'm kicking around using AWSTATS for stats and want to have a better understanding of security.  I'll reference the two links you mentioned.  I'm curious to here from others 'what the type of apps' people run on top of PERL. 

    Steve Schofield
    Windows Server MVP - IIS
    http://iislogs.com/steveschofield
    http://www.IISLogs.com
    Log archival solution
    Install, Configure, Forget

  • Re: Securing Perl for shared hosting

    Jul 14, 2011 12:33 PM|HCamper|LINK

    Hi @ Steve,

    The previous Script Engine information has been moved to http://forums.iis.net/t/1179997.aspx  PHP Community Forum.

    Martin

     

     

    Windows and Linux work Together IT-Pros
    Community Member Award 2011
  • Re: Securing Perl for shared hosting

    Jul 18, 2011 02:31 AM|HCamper|LINK

    Hi @ Steve,

    The Perl Engine along with Application Pools can provide additional security.

    A "Scripting Working Guide" has been started in the PHP Community Forum http://forums.iis.net/t/1179997.aspx .

    Martin

     

    Windows and Linux work Together IT-Pros
    Community Member Award 2011
  • Re: Securing Perl for shared hosting

    Jul 27, 2011 09:17 AM|vbhanderi|LINK

    Hi all,

     Sorry for the late reply, was on holiday in Lanzarote! I've tried setting up Perl with FastCGI but couldn't get it to work. It's running using Isapi at the moment.

     If I somehow got it running using FastCGI, would it stop users from destroying/viewing anything outside the site folder? How would that work?

  • Re: Securing Perl for shared hosting

    Jul 27, 2011 02:21 PM|HCamper|LINK

    Hi,

    To start with using FastCGI Module will not provide additional security.

    As Steve said "You can isolate scripts and execution by using folders and Accounts."

    The FastCGI does provide limits and value settings for a the script engine as it executes the scripts.

    The FastCGI sets the path to the script engine along with recycling the processes for scripts that are running.

    HTH

    Martin

     

     

     

     

     

      

    Windows and Linux work Together IT-Pros
    Community Member Award 2011