Security Issues

There are several issues regarding system security that need to be mentioned. Most of these apply to any CGI-based system, and may seem common sense to some of you.

1. Do NOT make any directories above your Manhattan distribution world-accessible via the web!

   In particular, the DocumentRoot setting in your Apache httpd.conf file should NOT point to /home/manhat. (Be particularly careful if you are setting up a Virtual Host.)

   The installation program created directories named courses and users within the manhat-x.x.x distribution directory. You should make sure that it is impossible to access any of the files within these directories from the web.

   The images directory IS world-accessible but only via the ALIAS defined in your httpd.conf file:

   • Visiting http://YOURSERVER.EDU/manhat2-images/ should yield a "Forbidden - you do not have access to /manhat2-images/ on this server" or similar message.

   • Visiting http://YOURSERVER.EDU/manhat2-images/manhattan.gif should show the Manhattan logo - that's good!

2. Understand the implications of having your web server run as Group www

   All of the files within Manhattan have full read/write permission for anyone who is a member of the www group. This is not a problem if the only user (besides root) on the server is manhat

   If there are other user accounts on the system, make sure they are NOT members of the www group. Make sure they have no access to /home/manhat or any directories/files within. Make sure they can't type newgrp www to switch groups.

   If there are any other user accounts on the system, make sure they do NOT have the ability to run their own CGI scripts. Since CGI scripts run as Group www, it is rather easy for a user on the system to write a script to do whatever they'd like to your Manhattan installation.

   If you must give other users on the system the ability to write their own CGI scripts, investigate configuring Apache to use 'suexec' to switch to user manhat whenever it executes a Manhattan program. This could completely eliminate the need for the Apache server to run as any particular group. I've never done this myself, but you can do a search for suexec at http://www.apache.org to learn more. (If you get this working, please contribute documentation!)

   Creative use of "virtual hosts" on your system might also provide a way to protect Manhattan's data from other users on the system. Again, if you have some experience in these matters, please speak up.

3. Use SSL

   Strongly consider using Open SSL or Apache SSL or similar to run a secure server. (Setting USE_HTTPS to '1' in custom.h forces users to connect via SSL.) If you do not run a secure server, username and password information typed in by users is sent as plain text over the Internet. It's fairly easy for someone to pick up this information using freely available software.

   There's a chance you already have SSL running on your Apache installation. Try visiting https://YOURSERVER.EDU/manhat-bin/doorstep after installing Manhattan. (Note the URL starts with https) If you can get to the login screen (perhaps after accepting a site certificate) it's likely you're running SSL.

   Visit http://www.apache-ssl.org/ to learn more about Apache SSL.

4. Consider using 'cookies' and disable Apache's server-status handler

   Several settings within custom.h allow Manhattan to work with cookies. Try turning them on (and as 'secure' cookies if you're using SSL).

   If cookies are NOT used, each URL carries a session id, which can be seen in the "Location:" bar of a user's browser. This makes it possible for determined "shoulder snoopers" to grab access to a user's session. (But you'll find that a session stolen this way can only be used until the rightful owner logs out.)

   If you elect to not use cookies, it is especially important to disable Apache's SERVER STATUS setting - look in your httpd.conf file. If you can visit: http://YOURSERVER.EDU/server-status and get a report, then the whole world knows who's on Manhattan and, if you are not using cookies, they can steal session keys.

5. Encrypt your passwords.

   The default settings in custom.h encrypt all user passwords. While it is possible to turn this option off, it's hard to think of a good reason to not encrypt passwords.

6. General security issues.

   Securing a web server is a big topic, but if Manhattan will be a mission-critical system for your school, you should learn something about it.

   Manhattan code can't protect you if someone gains your root or manhat passwords, or if problems with other software on your system allow outsiders to gain access!