Date: Sat, 23 Nov 1996 15:41:47 -0500 ()
From: Bradley Dunn <bradley@dunn.org>
To: mika ruohotie <bsdisp@shadows.aeon.net>
Cc: freebsd-isp@FreeBSD.org
Subject: Re: The best way to allow users to access a WWW directory
Message-ID: <Pine.WNT.3.95.961123152625.-287541C-100000@swoosh.dunn.org>
In-Reply-To: <199611231935.VAA29347@shadows.aeon.net>
On Sat, 23 Nov 1996, mika ruohotie wrote:

> we're about to start isping in a few weeks' time.

Good luck!

> now, the way i've thought to run the webserver is that the users who
> want to make their pages themselves indeed go under http://www.soap.bar/~luser
> and the pages we make for the customers go under http://www.soap.bar/customer
> or just the http://www.customer.bar

Sounds fine, but as has been pointed out here before, you are going to want
to separate your business customers from your dialup customers.

> now, those lusers need to update their pages, and i'm not about to
> give out _any_ shell accounts. nada.

That's your call. Don't let it give you a false sense of security, though.
It will also up your administration overhead, because instead of telling
the users to login and do chmod 755, you have to do it yourself.

> actually the machine will not even have any telnetd. i'm planning to use
> other methods for connecting into it over the network...

Be judicious in your use of public-key crypto, it is patented in the US and
Canada you know.

> anyway, so i have to let them ftp into the machine. BUT, there's a few probs
> i've realized i will still have... first, does anyone use this with any
> success/problems?

We find people want shell access. We are a business, we do what the
customer wants.

> now, how do i prevent the users from uploading pirated stuff there? i _will_
> quota their space usage. i have no way, right?

Put a clause in your user agreement that says they can't do it, and do a
find for large files with a .zip or .exe extension every once in a while.

> and i'm not sure if i've figured out a way to make it that when a luser
> ftp's in the machine they are already in their home directory, but that
> should not be nothing more than just trivia...

Ftpd takes care of this for you.

> also, i believe it's another "trivial" thing to make, when the time comes,
> that www.soap.bar/~luser to point another machine from the server's
> configurations....
> (i'm using either apache or roxen, anyone have an opinion
> which one is better?)

Apache is better. You can use the Redirect command in the apache config
files.

> so, my question is, how vulnerable the machine is while it's still allowing
> the ftp access from the dialup side of the network? (no way i will allow
> non local network ips ftp in)

Depends on a lot of things. Your goal should be to make it so that people
could get root on this machine and not do much more than take down your
member web sites. That means everything else should be on a different
machine.

> or am i being overly paranoid?

As an admin you have to be paranoid, nothing wrong with that. You should
stay paranoid too, don't be lulled into a false sense of security.
BUT...remember what the S in ISP stands for. There is a downward sloping
curve that represents the tradeoffs between usability and security. Pick
your point on that curve carefully.

> oooooh yes. will i get into the troubles with file permissions with my
> scheme? (running a script that sets them right every several minutes should
> not eat too much cpu, right?)

What is "right"? How can a script guess what a user wants the permissions
to be? For example, some may have a guestbook that needs to be written to.

> and another thing, i am planning to let people have several email accounts
> under their address (that being luser.soap.bar, static ip too), am i
> digging myself into any kind of hole with that setup?

Having static IPs may prevent you from convincing your upstream to give you
more address space.

-BD
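The two housekeeping points in the reply above (a periodic find for large .zip/.exe files, and the warning that a script cannot guess what permissions a user wants) can be combined into a single report-only audit. The script below is an added example, not code from this thread or from FreeBSD; the directory layout under a per-user root, the 512 KiB threshold, and the sample files it builds are all constructed for the demonstration. It deliberately reports world-writable files rather than chmod-ing them, since a guestbook may need exactly that mode.

```shell
#!/bin/sh
# Added example (not from the original thread): report-only audit of user
# web directories. Flags large .zip/.exe files and world-writable files so
# an admin can review them instead of "fixing" permissions on a timer.

# audit_webdirs ROOT SIZE_KB
#   ROOT    - directory holding per-user web trees (assumed layout)
#   SIZE_KB - archives/executables larger than this many KiB are reported
# Prints one line per finding: "LARGE <path>" or "WRITABLE <path>".
audit_webdirs() {
    root=$1
    size_kb=$2
    # Large archives or executables, matched case-insensitively on extension.
    # Size is given in bytes ("c" suffix) so it does not depend on block size.
    find "$root" -type f \( -iname '*.zip' -o -iname '*.exe' \) \
        -size +"$((size_kb * 1024))"c -print | sed 's/^/LARGE /'
    # World-writable files (other-write bit set, octal 002). A guestbook may
    # legitimately need this, which is why we report rather than chmod.
    find "$root" -type f -perm -002 -print | sed 's/^/WRITABLE /'
}

# make_sample_tree DIR: builds a constructed layout to run the audit against.
# Contents are synthetic: one oversized .ZIP, one small .zip, one HTML page,
# and one world-writable guestbook file.
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/luser/public_html" "$dir/other/public_html"
    dd if=/dev/zero of="$dir/luser/public_html/movie.ZIP" bs=1024 count=700 2>/dev/null
    dd if=/dev/zero of="$dir/other/public_html/small.zip" bs=1024 count=5 2>/dev/null
    printf 'hello\n' > "$dir/other/public_html/index.html"
    : > "$dir/luser/public_html/guestbook.txt"
    chmod 666 "$dir/luser/public_html/guestbook.txt"
}

# Stand-alone run against a temporary tree, cleaned up afterwards.
tmp=$(mktemp -d)
make_sample_tree "$tmp"
audit_webdirs "$tmp" 512
rm -rf "$tmp"
```

Run it as-is to see the two findings from the sample tree; in production you would point audit_webdirs at the real user root (for example from cron) and feed the output to whoever reviews it, keeping the decision about chmod with a human.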