5.1. How to run Caudium as a non-privileged user; How to secure Caudium

Web servers are usually publicly accessible and represent your company, group or entity so there are chances you want to strengthen the security of this service.

As I already mentioned Caudium has a good security for public access behind mostly written in a script language. However Caudium runs as root by default. In the case a non-authorized user gains access to Caudium's process, he might gain root privileges. Consequently,a lot of web servers run as another user with minimal privileges. Doing this may require some work, as you will have to change the owner of all the files Caudium needs access to, so I give step-by-step instructions how to change those permissions:

  1. Find a good user name. This user name should be a normal user with the least privileges. Lots of distributions already have a special account for this. Common names include "www", "www-data", "httpd", "nobody" (Caudium on Debian GNU/Linux runs as www-data:www-data by default). We don't recommend "nobody" though; to quote Theo de Raadt:

    The user "nobody" has historically been doing too much. If you could break into the user "nobody", you could cause great damage.

  2. Change the owner of the files which Caudium needs to write to. These include:

    On a Caudium source install the following command should do the job:

    
# chown -R  www-data.www-data logs/ var/ 
    argument_cache/ bgcache/ configurations/ server/*.pem server
           

    Here is the result:

    
$ ls -l 
    total 32
    drwxr-sr-x    6 www-data www-data     4096 Feb 13 23:17 argument_cache
    drwxr-sr-x    2 www-data www-data     4096 Feb 19 09:27 bgcache
    drwxr-sr-x    2 www-data www-data     4096 Mar  4 22:28 configurations
    drwxr-sr-x    4 root     staff        4096 Feb 13 23:16 local
    drwxr-sr-x    7 www-data www-data     4096 Mar  3 11:50 logs
    drwxr-sr-x    2 root     staff        4096 Feb 13 23:16 readme
    drwxr-sr-x   19 www-data www-data     4096 Feb 19 20:13 server
    drwxr-sr-x    2 www-data www-data     4096 Mar  3 19:28 var
    
    $ id www-data
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
           

    If users are allowed to log on the server, you might also change the permissions of the logs directory.

    If you have a Caudium specific distribution for your system (such as Debian GNU/Linux) check manually.

  3. Don't forget to change the permissions of any script/directory you made and for which Caudium needs to write to in your public filesystem.

  4. Log into the CIF., go in the main Global variables tab, then in Change uid and gid type the uid:gid data you choose. We typed 33:33 in our example. You can also type a login name and group name: www-data:www-data. You can also enable the Change uid and gid permanently option but be sure to read the documentation first.

I will now speak about general security measures you can take if you are very strict about security.

  1. Don't allow users to execute scripts that are part of the server.

    As Caudium is a single process server, it is possible to stop it, restart it, access it, etc. with a user script. This include pike scripts, pike tag, and PHP modules for Caudium.

    If you do want to let your users run scripts, you can always use CGI, or better uniscript (in this case it will be transparent to the user), in order to run a script in a separate process using the fork(2) system call. This will decrease the performance of Caudium but the security has a price, and it is up to you to decide how much you want to pay.

    Note

    Uniscript is a CGI-like wrapper. It will execute programs as if they were CGI scripts but unlike CGI, it does not require you to put these programs under a specific directory like /cgi-bin/. For example each user can have his or her CGI script in his or her directory. Moreover Caudium can execute them with the uid of the owner.

  2. Don't use anything you don't need. Remove any modules you don't need in your virtual server.

  3. Physically restrict access to the CIF.. Don't access it from the Internet if possible. Few people know this, but it is now possible to see SSL connections in clear text with a man-in-the-middle attack. The dsniff software contains all the tools and explanation for this.

  4. Turn off these options:

    Turn off any debug options specific to a module. These options are for developers, and they don't have security in mind when they debug output.
     

    Actually, this is security through obscurity and doesn't increase the security of the server.

     
    --Grendel 

  5. Output Caudium's log files to a separate partition. /var is a good choice for that purpose.

  6. Check the Caudium web site for patches.

  7. If your job relies on your web server security, check the Caudium source.