Wednesday, October 21, 2009

Chapter 14. Bulletproofing Servers
























Network
Programming with Perl
By
Lincoln D. Stein
Slots : 1
Table
of Contents
Part 3:  Developing TCP
Client/Server Systems






    Content







Chapter 14. Bulletproofing
Servers


In Chapter
10 we developed subroutines that perform some of the
startup time tasks that are common among production servers in
the UNIX environment, including disconnecting from the
controlling terminal, autobackgrounding, and writing a copy of
the server's PID to a run-time file. Together, these help to
make network servers more manageable.


Because of their position as a gateway to
entry to the host, network daemons are particularly prone to
opening security holes. There is much more that we can do to
make network daemons bullet-proof. In addition to the
techniques already discussed, a production server often
implements one or more of the following useful
features:




  1. Log status messages to the system error
    log.



  2. Change its UID to that of an unprivileged
    user.



  3. Activate taint checking.



  4. Use the chroot() call to isolate
    itself in a safe subdirectory.



  5. Handle the HUP signal by
    reinitializing itself.


We cover these techniques in this chapter and
talk more generally about security problems with network
daemons and how to avoid introducing them into your
scripts.


Most of the techniques discussed here are
UNIX-specific. However, users of the Windows and Macintosh
ports should read the subsection Direct Logging to a File in
the first part of this chapter and the Taint Mode section,
which discusses security issues that are common to all
platforms.









       




    Top

    No comments: