Securing Perl for shared hosting

Question
-
User-1861696885 posted
Hi there,
I'm trying to set up a shared hosting webserver for my company. I've set up PHP on IIS 7.5 successfully for shared hosting. But they also wanted Perl available for the sites they host. I have got Perl working on the machine, but the problem is that it's very insecure. I can write a script that can see the whole C drive. I've looked on the internet but can't find anything about securing Perl down on an IIS setup.
Any tips on securing Perl for shared hosting? Is it possible to have Perl running securely on shared hosting?
I'm using Active Perl using the following setup: http://www.websitepanel.net/kb/installing-and-running-active-perl-runtime-as-isapi-on-microsoft-iis-7.0
Thanks
Wednesday, July 13, 2011 6:52 AM
Answers
-
User1073881637 posted
Can you provide steps to show the security issue? I'm curious as I got ActivePerl working on my machine at home and am curious.
EDIT - Do you mean you can write code to recurse and read the c: (system) folder? What you could try to do is create a domain or local account, remove this user from domain users group if a domain account, or don't grant any group perms if a local account. Then create a local group, add these special accounts, then set your application pool / anonymous access with this special account on each site. Each site would have its own unique user and couldn't see others' folders. You would obviously need to grant this group access 'read / read execute most likely' to the PERL bits, which could be installed on a separate folder. That is about the only thing I can think of.
- Marked as answer by Anonymous Tuesday, September 28, 2021 12:00 AM
Thursday, July 14, 2011 5:14 AM
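The account layout described in the answer above, written out as a PowerShell script for IIS 7.5. This is an added example, not code from the thread; the group name, account prefix, site names and folder paths are all hypothetical, and it assumes the sites already exist in IIS and Perl is installed in its own folder.

```powershell
# Added example: one local account and one application pool per site.
# Every name and path below is a hypothetical placeholder.
Import-Module WebAdministration

$group   = 'PerlSites'     # local group that holds the per-site accounts
$perlDir = 'D:\Perl'       # Perl install folder, kept off the OS drive
$sites   = @{              # IIS site name -> content folder
    'site1' = 'D:\Sites\site1'
    'site2' = 'D:\Sites\site2'
}

net localgroup $group /add
# The group gets read/execute on the Perl binaries and nothing more.
icacls $perlDir /grant "${group}:(OI)(CI)RX"

foreach ($name in $sites.Keys) {
    $user = "web_$name"
    $path = $sites[$name]
    # Read as plain text because the app pool setting needs it; the value
    # is also visible on the net.exe command line while the script runs.
    $pass = Read-Host "Password for $user"

    net user $user $pass /add /passwordchg:no /expires:never
    net localgroup Users $user /delete    # drop the default group membership
    net localgroup $group $user /add

    # Dedicated application pool running as the site's own account
    # (identityType 3 = SpecificUser).
    if (-not (Test-Path "IIS:\AppPools\$name")) { New-WebAppPool -Name $name | Out-Null }
    Set-ItemProperty "IIS:\AppPools\$name" -Name processModel `
        -Value @{ userName = $user; password = $pass; identityType = 3 }
    Set-ItemProperty "IIS:\Sites\$name" -Name applicationPool -Value $name

    # An empty anonymous user name makes anonymous requests run as the
    # application pool identity instead of the shared IUSR account.
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $name `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
        -Name userName -Value ''

    # Content folder: stop inheriting ACLs, then allow only administrators,
    # SYSTEM and this site's account.
    icacls $path /inheritance:r /grant:r "Administrators:(OI)(CI)F" `
        "SYSTEM:(OI)(CI)F" "${user}:(OI)(CI)RX"
}
```

Folders a site must write to (uploads, data files) need a separate Modify grant for that site's account only. To check the result, run `icacls` on one site's folder and confirm no other site's account and no shared group appears in the list.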
All replies
-
User1073881637 posted
Forgive me for not knowing, the how-to doesn't expose any security risks except installing on the C: drive; I wouldn't put it on the same drive as the OS. Can you explain the security risk further?
Wednesday, July 13, 2011 7:13 PM -
User-1861696885 posted
Hi Steve,
The main problem is that all the websites should only see the directory of the website. They should be able to see further down the directory tree. I basically don't want each of the websites to be able to see each other and modify other websites.
PHP can be secured so that they can only see up to the website; everything else is hidden. You can also disable the use of exe files etc. on the website. I'm just interested in seeing if anyone else has secured Perl on IIS this way, or if it's even possible on this kind of setup.
Thursday, July 14, 2011 4:16 AM -
User-1672167363 posted
Hi @ Steve,
The previous comments, suggestions and information have been moved to a post in the PHP Community Forum http://forums.iis.net/t/1179997.aspx
Martin
Thursday, July 14, 2011 10:21 AM -
User1073881637 posted
Interesting, I've walked through those guides for PHP. Do you run the PERL engine within FASTCGI to gain some of the security features discussed? Are you aware of any PERL based CMS or related popular programs written in PERL that people use? I'm not as familiar with it as I am with ASP.NET, MVC, or Classic ASP. I'm kicking around using AWSTATS for stats and want to have a better understanding of security. I'll reference the two links you mentioned. I'm curious to hear from others 'what the type of apps' people run on top of PERL.
Thursday, July 14, 2011 11:33 AM -
User-1672167363 posted
Hi @ Steve,
The previous Script Engine information has been moved to http://forums.iis.net/t/1179997.aspx PHP Community Forum.
Martin
Thursday, July 14, 2011 12:33 PM -
User-1672167363 posted
Hi @ Steve,
The Perl Engine along with Application Pools can provide additional security.
A "Scripting Working Guide" has been started in the PHP Community Forum http://forums.iis.net/t/1179997.aspx .
Martin
Monday, July 18, 2011 2:31 AM -
User-1861696885 posted
Hi all,
Sorry for the late reply, was on holiday in Lanzarote! I've tried setting up Perl with FastCGI but couldn't get it to work. It's running using ISAPI at the moment.
If I somehow got it running using FastCGI, would it stop users from destroying/viewing anything outside the site folder? How would that work?
Wednesday, July 27, 2011 9:17 AM -
User-1672167363 posted
Hi,
To start with, using the FastCGI Module will not provide additional security.
As Steve said "You can isolate scripts and execution by using folders and Accounts."
The FastCGI does provide limits and value settings for the script engine as it executes the scripts.
The FastCGI sets the path to the script engine along with recycling the processes for scripts that are running.
HTH
Martin
Wednesday, July 27, 2011 2:21 PM