
Recommended Security Modifications

The actions described in this section are recommended, but not required, to ensure the security of systems running AOLserver.

AOLserver Version

In general, AOLserver versions 3.0 and higher should be used whenever possible, because they are more secure than earlier versions of AOLserver.

Removed Features:

The following features were removed in version 3.0 because they were potential security holes:

New Features:

The following new features were added in Version 3.0 to provide additional security:

Secure chroot Environment

AOLserver should be run in a secure chroot() environment whenever possible.

In Versions 3.0 or higher, AOLserver supports a -r command line option to run AOLserver in a chroot() environment. It provides the following benefits:

To run AOLserver in a chroot() environment, you need only copy a few files and directories to the new root directory. For example, on the SGI platform, you would execute the following commands to create new directories and copy the necessary files to them:

    mkdir $root/dev $root/tmp $root/etc
    chmod 1777 $root/tmp
    cd $root/dev; /dev/MAKEDEV generic usema
    cp /etc/passwd /etc/resolv.conf $root/etc

Then, you can run AOLserver with the -r option as in this example:

    nsd -t nsd.tcl -r $root

For more information about the nsd command line, see the "AOLserver Command Line" section.

Remote Editing of Content

Determine whether any remote editing of content through AOLserver is necessary. In general, all AOLpress-like updating should be disabled. All the code that supported AOLpress was removed in version 3.0.

If remote editing is necessary, it should be done with traditional tools such as ftp, rather than the nsftp module. The nsftp module was removed in version 3.0.

Restricted Content

Determine whether any of the content available to an AOLserver in a chroot() environment would be restricted. In general, AOLserver should be read-only and everything it can read should be world-readable. This allows the AOLserver administrator to ignore the nsperm module altogether.

If any of the content available to AOLserver is restricted, the AOLserver administrator needs to define the appropriate permissions with the nsperm module. The administrator should be very clear about which areas are blocked off and should know both the URL and METHOD for each restricted area.

It is preferable to allow the GET method for all URLs and have nothing restricted accessible through AOLserver.
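The following audit is an added example, not part of the original AOLserver documentation. It checks a chroot tree against the layout created by the commands in "Secure chroot Environment" and against the world-readable rule in "Restricted Content"; the function name, and reading "read-only" as "no world-writable files", are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not AOLserver code): audit a chroot tree meant for "nsd -r".
# Usage: . ./audit_chroot.sh; audit_chroot /path/to/root
# audit_chroot is a hypothetical name. Prints one finding per line and
# returns 0 only when the tree is clean.
audit_chroot() {
    root=$1
    rc=0
    # Directories and files that the setup commands above create or copy.
    for d in dev tmp etc; do
        [ -d "$root/$d" ] || { echo "missing directory: $root/$d"; rc=1; }
    done
    for f in etc/passwd etc/resolv.conf; do
        [ -f "$root/$f" ] || { echo "missing file: $root/$f"; rc=1; }
    done
    # tmp must be exactly mode 1777 (world-writable with the sticky bit).
    if [ -d "$root/tmp" ] && [ -z "$(find "$root/tmp" -prune -perm 1777)" ]; then
        echo "wrong mode (want 1777): $root/tmp"; rc=1
    fi
    # Everything outside dev and tmp: flag entries that are world-writable
    # (assumed meaning of "read-only") or that lack the world-read bit.
    bad=$(find "$root" \( -path "$root/dev" -o -path "$root/tmp" \) -prune -o \
          \( -perm -002 -o ! -perm -004 \) ! -type l -print)
    if [ -n "$bad" ]; then
        echo "$bad" | sed 's/^/not read-only or not world-readable: /'
        rc=1
    fi
    return $rc
}
```

A clean result here means the administrator has no restricted content inside the tree and can leave nsperm out of the picture, as described above.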

Tcl Library

Limit the available Tcl functions to just those that are needed by that particular AOLserver installation. Purge the Tcl library of unnecessary functions. For example, if the site doesn't send e-mail, remove the ns_sendmail procedures.

Some potentially unsafe commands you may want to consider removing are:

This code example disables the open command:

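    #include "ns.h"

    /* Replacement handler: always fails, naming the disabled command. */
    static int BadCmd(ClientData dummy, Tcl_Interp *interp, int argc, char **argv)
    {
        Tcl_AppendResult(interp, "disabled command: ", argv[0], NULL);
        return TCL_ERROR;
    }

    /* Interpreter init callback: replace "open" with the failing handler. */
    static int AddCmds(Tcl_Interp *interp, void *arg)
    {
        Tcl_CreateCommand(interp, "open", BadCmd, NULL, NULL);
        return TCL_OK;
    }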

Database Access

Database access should be restricted with read-only logins to the server and queries through stored procedures. Stored procedure capabilities were added to AOLserver in Version 3.0. Also, all ad hoc database forms and system catalog query functions were removed in Version 3.0.

For more information about the Tcl functions for stored procedures, see the "ns_db" section of the AOLserver Tcl Developer's Guide. For more information about the C functions for stored procedures, see the "Stored Procedure Functions" section of the AOLserver C Developer's Guide.

Setup Server Interface

Versions prior to 3.0:

The Setup Server is almost always enabled. If possible, disable the Setup Server as described below. Disabling the Setup Server deactivates the ability to add and delete virtual servers, as well as other administrative functions, through web pages.

Disable the Setup Server by setting the Enabled parameter to Off in the nsd.ini configuration file as shown below.

    [ns/setup]
    Port=XXXX
    Password=XXXXXXXXXXXXX
    Enabled=Off

Versions 3.0 or higher:

The Setup Server does not exist. No action is necessary.

Control Port Interface

Versions prior to 3.0:

The control port interface does not exist. No action is necessary.

Versions 3.0 or higher:

The control port interface should not be used unless absolutely necessary. Although it is more secure than the /NS/Admin interface from earlier AOLserver versions because it only allows connections from localhost, it still poses a potential risk.

For more information about the control port interface, see the "AOLserver's Control Port Interface" section.

Configuration File Permissions

Versions prior to 3.0:

The nsd.ini configuration file can be read or overwritten through a remote exploit with the /NS/EvalTcl feature. You can set ownership of the nsd.ini file to root and its file permissions to 600 to protect the file from remote viewing by /NS/EvalTcl.

These file permission settings are more secure, but will disable your ability to use web pages to modify AOLserver configuration. If your requirements for your web server call for frequent configuration changes, you may choose not to implement this modification.

Versions 3.0 or higher:

The /NS/EvalTcl feature does not exist. It is still a good idea, however, to set the ownership of the nsd.tcl configuration file to root and its file permissions to 600.
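The following check is an added example, not part of the original AOLserver documentation. It verifies the ownership and mode recommended above for nsd.ini or nsd.tcl and, for a pre-3.0 nsd.ini, that the [ns/setup] section from "Setup Server Interface" carries Enabled=Off. The function name, the case-insensitive key matching, and treating a missing Enabled line as "not disabled" are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not AOLserver code): audit an AOLserver configuration file.
# Usage: . ./audit_config.sh; audit_config /path/to/nsd.ini
# audit_config is a hypothetical name. Prints one finding per line and
# returns 0 only when the file is clean.
audit_config() {
    conf=$1
    want_uid=${2:-0}      # root unless overridden (override exists for testing)
    rc=0
    [ -f "$conf" ] || { echo "no such file: $conf"; return 2; }
    # Exactly mode 600: owner read/write, nothing for group or other.
    [ -n "$(find "$conf" -prune -perm 600)" ] ||
        { echo "mode is not 600: $conf"; rc=1; }
    # The numeric owner is field 3 of "ls -ln".
    uid=$(ls -ln "$conf" | awk '{print $3}')
    [ "$uid" = "$want_uid" ] ||
        { echo "owner uid $uid, want $want_uid: $conf"; rc=1; }
    # Pre-3.0 nsd.ini only: if an [ns/setup] section exists it must say
    # Enabled=Off. Only the value shown on this page ("Off") is accepted;
    # a section without an Enabled line is assumed to leave the server on.
    state=$(awk '
        /^[ \t]*\[/ {
            insec = (tolower($0) ~ /^[ \t]*\[ns\/setup\]/)
            if (insec) seen = 1
            next
        }
        insec && tolower($0) ~ /^[ \t]*enabled[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]*$/, "", v)
            val = tolower(v)
        }
        END { if (!seen) print "absent"
              else if (val == "off") print "off"
              else print "on" }
    ' "$conf")
    [ "$state" != "on" ] ||
        { echo "Setup Server not disabled in [ns/setup]: $conf"; rc=1; }
    return $rc
}
```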

Copyright © 1998-99 America Online, Inc.