Lasso 9 Shared Hosting Security


Lasso 9 Shared Hosting Security

Black Night Lists
Hi All,

I was a bit perplexed about how Lasso 9 was to be configured and since there are no docs I am still struggling to comprehend a couple of things with regards to Lasso 9 and shared hosting. A released product with no documentation?? /Sigh!

For example, in Lasso 8.5 I have it configured as follows:

Default site - runs most non-database driven Lasso sites
Site 1 - Runs one customer's Lasso sites
Site 2 - Runs a different customer's Lasso sites
Site 3 - Runs another customer that I want on their own site in case of crashing.
Site 4 - Runs a group of different sites whose datasources are managed by users and groups, keeping everything secure from other customers
Etc...

Now, in Lasso 9 I could not see a way of doing that. So I started by adding a couple of MySQL hosts and databases etc but then hit a problem with regards to databases and tables so dropped in some code into the web directory of my dev machine.

<?lasso
// list every database this Lasso instance can see ...
database_names;
    '<b>'; database_nameitem; '</b><br>';
    // ... and every table inside each of them
    database_tablenames: (database_nameitem);
        '>'; database_tablenameitem; '<br>';
    /database_tablenames;
/database_names;
?>

Viewing the output of that returned a list of the MySQL databases I had added along with the contents of the SQLiteDBs, which quite surprised me. From there I could grab the datasources, their usernames and passwords (none of which are protected) and whatever else is stored in there (basically everything you can view using lasso9/Admin/dbbrowse). So I logged a support request with Lassosoft as I was concerned about this. Not only that, the MySQL datasources are shared amongst everyone, so I figured I had something set up wrong.

To me this data should be secure. Several of my clients are developers themselves and, although I doubt they would, they could be malicious with this information, and it would be irresponsible of me to leave it this way anyway!

Lassosoft have replied to me stating that I should not be running more than one customer out of a single Lasso 9 root as shown below.

Begin forwarded message:

> We have a very liberal license to run multiple Lasso instances on one box (multi-sites). They shouldn't be running more than one customer out of a single Lasso 9 root. If they're not doing that then I don't see the problem. The most someone can do is view the data which they themselves entered in the first place.
>
> I don't see an issue here, but I'm sure there are some things we can straighten out in the docs.

So my question is how do I set a "Lasso 9 root" with different datasources which are secure from each other? I cannot see this in the Admin, nor in the docs - meh what docs. Does this mean I am running several instances of Lasso 9 on my server and if so how or is it just a config change in Apache site conf files? I just cannot fathom this and although Lassosoft do reply to support emails it seems to take them forever (even with LPA).

Maybe I am overreacting and it's not that serious and that I am just not setting it up right (though this is just a standard installation and it does seem less secure than 8.5 to me)


Regards

Stephen Thirlwell
Black Night Software
Lasso Hosting and Development
http://www.ukmachosting.com

--
This list is a free service of LassoSoft: http://www.LassoSoft.com/
Search the list archives: http://www.ListSearch.com/Lasso/Browse/
Manage your subscription: http://www.ListSearch.com/Lasso/



Re: Lasso 9 Shared Hosting Security

Ke Carlton-3
It's possible to do - but requires somewhat of a different setup:

http://old.nabble.com/L9-single-site-vs-LP8.5-multi-site-td27571022.html

Am somewhat shocked by the response - perhaps there was some
miscommunication somewhere along the line?

Ke




Re: Lasso 9 Shared Hosting Security

Black Night Lists

On 22 Feb 2010, at 17:36, Ke Carlton wrote:

> It's possible to do - but requires somewhat of a different setup:
>
> http://old.nabble.com/L9-single-site-vs-LP8.5-multi-site-td27571022.html
>
> Am somewhat shocked by the response - perhaps there was some
> miscommunication somewhere along the line?

Thanks will check that out now :)

Regards

Stephen Thirlwell
Black Night Software
Lasso Hosting and Development
http://www.ukmachosting.com










Re: Lasso 9 Shared Hosting Security

Marc Pinnell-3
In reply to this post by Ke Carlton-3
So in reading that (most of which I don't fully understand), if I followed that procedure and set up 6 sites (like I have now under LP8.5), and L9.1 came out, I would have to update L9 six times? Does that sound a little crazy to anyone but me?

Marc



--
Marc Pinnell
1027 Design
PO Box 990872
Redding, CA 96099-0872
530.941.4706
fax: 866.232.5300
www.1027Design.com







Re: Lasso 9 Shared Hosting Security

Black Night Lists

On 22 Feb 2010, at 18:35, Marc Pinnell wrote:

> So in reading that (most of which I don't fully understand), if I followed that procedure and setup 6 sites (like I have now under LP8.5), and L9.1 came out I would have to update L9 6x's? Does that sound a little crazy to anyone but me?

I am totally not happy with the way that the "sites" now need to operate, and yes, it sounds crazy to me. It's like a massive step backwards.

Say I want to host 25 separate websites with different datasources I would need to have 25 Lasso Roots? Apart from being an administration nightmare would this not cause a speed issue anyway?


Regards

Stephen Thirlwell
Black Night Software
Lasso Hosting and Development
http://www.ukmachosting.com










Re: Lasso 9 Shared Hosting Security

decorior
I have some related questions.

1). Many of the sites we have point to the same data source. Is this affected in any way? It is easy to set up right now. Having to restart Apache each time we change this would be a problem.

2). It was mentioned that the data sources are now visible. Has anyone checked this relative to PCI compliance? Generally, it sniffs out anything data related that may be accessible.

3). We generally used the default setup from the admin, like many I suspect. In more recent months I have seen that many ("advanced"?) users on the list are tweaking Apache much more. Is this true for everyone these days? Generally, the http files are tweaked as part of system admin and not part of Lasso admin. That is, our system admin wants to know nothing about Lasso, or as little as possible.

Deco







Re: Lasso 9 Shared Hosting Security

decorior
In reply to this post by Black Night Lists
Should be utf-8 right?

Deco
On Feb 25, 2010, at 9:27 PM, Jolle Carlestam wrote:

> 26 feb 2010 kl. 14.22 skrev Deco Rior (Tennissource):
>
>> Maybe the standard development install will take care of that too
>>
>> :-)
>
> I don't think this has anything to do with Lasso 9 install procedures.
> You have the wrong encoding setup on your test site. This is the output when I test your code:
>
> map: (Hammershaimb)=(array: (pair: (Ármarinn)=(Hammershaimb)), (pair: (Hjörtur)=(Hammershaimb))), (Riley)=(array: (pair: (Björg)=(Riley))), (Skywalker)=(array: (pair: (Halbjörg)=(Skywalker))), (Jones)=(array: (pair: (Krinn)=(Jones)), (pair: (Kjarni)=(Jones)))
>
> Compare to yours:
>>> map: (Hammershaimb)=(array: (pair: (√Årmarinn)=(Hammershaimb)), (pair: (Hj√∂rtur)=(Hammershaimb))), (Riley)=(array: (pair: (Bj√∂rg)=(Riley))), (Skywalker)=(array: (pair: (Halbj√∂rg)=(Skywalker))), (Jones)=(array: (pair: (Krinn)=(Jones)), (pair: (Kjarni)=(Jones)))
>
> HDB
> Jolle
>





Re: Lasso 9 Shared Hosting Security

list
Very right

HDB
Jolle




Re: Lasso 9 Shared Hosting Security

decorior
So if the content type of the page is UTF-8 and the page is saved as UTF-8,

and the Apache config is:

     AddLanguage da .dk
     AddLanguage nl .nl
     AddLanguage en .en
     AddLanguage et .ee
     AddLanguage fr .fr
     AddLanguage de .de
     AddLanguage el .el
     AddLanguage he .he
     AddCharset ISO-8859-8 .iso8859-8
     AddLanguage it .it
     AddLanguage ja .ja
     AddCharset ISO-2022-JP .jis
     AddLanguage kr .kr
     AddCharset ISO-2022-KR .iso-kr
     AddLanguage nn .nn
     AddLanguage no .no
     AddLanguage pl .po
     AddCharset ISO-8859-2 .iso-pl
     AddLanguage pt .pt
     AddLanguage pt-br .pt-br
     AddLanguage ltz .lu
     AddLanguage ca .ca
     AddLanguage es .es
     AddLanguage sv .sv
     AddLanguage cs .cz .cs
     AddLanguage ru .ru
     AddLanguage zh-TW .zh-tw
     AddCharset Big5         .Big5    .big5
     AddCharset WINDOWS-1251 .cp-1251
     AddCharset CP866        .cp866
     AddCharset ISO-8859-5   .iso-ru
     AddCharset KOI8-R       .koi8-r
     AddCharset UCS-2        .ucs2
     AddCharset UCS-4        .ucs4
     AddCharset UTF-8        .utf8


it should be displaying fine?






Re: Lasso 9 Shared Hosting Security

Black Night Lists
In reply to this post by Black Night Lists
This is great Chris, will give it a go on our Dev box.

Thanks for posting this, though I still think that there should be an official method rolled into the Admin or as an additional tool by Lassosoft. I like Ke's method too but that has a license issue.

On 25 Feb 2010, at 20:52, Chris Wik wrote:

> Lasso 9 changes this by allowing FastCGI + SuExec. Here's a practical demonstration, on a CentOS 5 server:
>
> in /etc/httpd/conf.d/lasso9.apache2.conf, comment out these lines:
> ---
> #FastCGIServer /usr/local/bin/lassoserver -user apache -group apache -initial-env LASSOSERVER_FASTCGIPORT=8999
> #FastCgiExternalServer /lasso9 -host localhost:8999 -pass-header Authorization -user apache -group apache
> #FastCgiExternalServer /lasso9direct -host localhost:8999 -pass-header Authorization -user apache -group apache
> ---
> and add:
> ---
> FastCgiWrapper On
> ---
> Right after the LoadModule would be a good place.
>
> in /etc/httpd/conf/httpd.conf (or where ever you choose to store your virtual hosts):
> ---
> <VirtualHost *:80>
> # Virtual host config
> DocumentRoot /var/www/user1/public_html
> ServerName user1.localdomain
> SuexecUserGroup user1 user1
>
> # FastCGI config
> FastCGIServer /var/www/user1/lasso/LassoExecutables/lassoserver_shell -user user1 -group user1
> FastCgiExternalServer /lasso9_user1 -host localhost:8998 -pass-header Authorization -user user1 -group user1
> FastCgiExternalServer /lasso9direct_user1 -host localhost:8998 -pass-header Authorization -user user1 -group user1
>
> ScriptAlias /lasso9 /lasso9_user1
> ScriptAlias /lasso9direct /lasso9direct_user1
> </VirtualHost>
> ---
> Here, user1 is the name of the system user, we'll create that next.
>
> Set up the system user:
> ---
> $ adduser -d /var/www/user1 user1
> $ mkdir /var/www/user1/public_html /var/www/user1/lasso
> $ rsync -a /usr/local/lib/lasso/* /var/www/user1/lasso/
> $ chown -R user1:user1 /var/www/user1
> ---
>
> Create a wrapper script for starting Lasso in /var/www/user1/lasso/LassoExecutables/lassoserver_shell:
> ---
> #!/bin/bash
>
> BASE=`basename $0`
> export LASSO9_HOME=/var/www/user1/lasso
> export LASSOSERVER_FASTCGIPORT=8998
>
> touch /tmp/lassoserver.$BASE.log
> chmod +rw /tmp/lassoserver.$BASE.log
> # redirect stdout to the log first, then stderr onto it; written as "2>&1> file", stderr would go to the terminal and only stdout to the log
> /var/www/user1/lasso/LassoExecutables/lassoserver > /tmp/lassoserver.$BASE.log 2>&1
> ---
>
> Make sure to `chown user1:user1 /var/www/user1/lasso/LassoExecutables/lassoserver_shell` if you created it as root


Regards

Stephen Thirlwell
Black Night Software
Lasso Hosting and Development
http://www.ukmachosting.com










Re: Lasso 9 Shared Hosting Security

Mark Palmer
In reply to this post by Black Night Lists
Awesome post Chris - thanks.



On 25 Feb 2010, at 20:52, Chris Wik wrote:

> Since FastCGI can now launch Lasso Server for you, and FastCGI works with SuExec, this means you can now isolate each Lasso site to an individual system user. This is as opposed to 8.5 which ran all sites under the lasso user.
>
> Example: do a <?lassoscript file_create('test'); ?> in Lasso 8.5. Your file test will be owned by lasso. In order for Lasso to create this file, it needs to have write permissions on a system level to your directory. This either means you need to share a system user id with Lasso, or be in a group together with Lasso and set group-write permissions, or set world-write permissions.
>
> Neither of the above will secure your test file from unauthorized access, truncation or writing by other users on the same server, as other users on the same server will also need to have the same level of permissions on a system level as you have.
>
> Lasso 8 overcame this problem by allowing the Server Admin to limit a Lasso Site's file operations to certain directories. That's fine, until someone uploads a CGI written in some other language to their cgi-bin directory and bypasses this restriction. OK, so you disable cgi-bin, but maybe PHP is installed. What I'm saying is, the architecture made it very difficult to secure a shared server on a system level.
>
> Lasso 9 changes this by allowing FastCGI + SuExec. Here's a practical demonstration, on a CentOS 5 server:
>
> in /etc/httpd/conf.d/lasso9.apache2.conf, comment out these lines:
> ---
> #FastCGIServer /usr/local/bin/lassoserver -user apache -group apache -initial-env LASSOSERVER_FASTCGIPORT=8999
> #FastCgiExternalServer /lasso9 -host localhost:8999 -pass-header Authorization -user apache -group apache
> #FastCgiExternalServer /lasso9direct -host localhost:8999 -pass-header Authorization -user apache -group apache
> ---
> and add:
> ---
> FastCgiWrapper On
> ---
> Right after the LoadModule would be a good place.
>
> in /etc/httpd/conf/httpd.conf (or where ever you choose to store your virtual hosts):
> ---
> <VirtualHost *:80>
> # Virtual host config
> DocumentRoot /var/www/user1/public_html
> ServerName user1.localdomain
> SuexecUserGroup user1 user1
>
> # FastCGI config
> FastCGIServer /var/www/user1/lasso/LassoExecutables/lassoserver_shell -user user1 -group user1
> FastCgiExternalServer /lasso9_user1 -host localhost:8998 -pass-header Authorization -user user1 -group user1
> FastCgiExternalServer /lasso9direct_user1 -host localhost:8998 -pass-header Authorization -user user1 -group user1
>
> ScriptAlias /lasso9 /lasso9_user1
> ScriptAlias /lasso9direct /lasso9direct_user1
> </VirtualHost>
> ---
> Here, user1 is the name of the system user, we'll create that next.
>
> Set up the system user:
> ---
> $ adduser -d /var/www/user1 user1
> $ mkdir /var/www/user1/public_html /var/www/user1/lasso
> $ rsync -a /usr/local/lib/lasso/* /var/www/user1/lasso/
> $ chown -R user1:user1 /var/www/user1
> ---
>
> Create a wrapper script for starting Lasso in /var/www/user1/lasso/LassoExecutables/lassoserver_shell:
> ---
> #!/bin/bash
>
> BASE=`basename $0`
> export LASSO9_HOME=/var/www/user1/lasso
> export LASSOSERVER_FASTCGIPORT=8998
>
> touch /tmp/lassoserver.$BASE.log
> chmod +rw /tmp/lassoserver.$BASE.log
> # redirect stdout to the log first, then stderr onto it; written as "2>&1> file", stderr would go to the terminal and only stdout to the log
> /var/www/user1/lasso/LassoExecutables/lassoserver > /tmp/lassoserver.$BASE.log 2>&1
> ---
>
> Make sure to `chown user1:user1 /var/www/user1/lasso/LassoExecutables/lassoserver_shell` if you created it as root
>
>
> Now create /var/www/user1/public_html/index.lasso - here's mine:
> ---
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Strict//EN" "http://www.w3.org/TR/html4/strict.dtd">
> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" >
> <head>
> <title>Lasso Test Page</title>
> </head>
> <body>
> <p><?lassoscript 'Hello, World!'; ?>
> <p>Lasso version: <?lassoscript lasso_version(-lassoversion); ?></p>
> <p>Running on: <?lassoscript lasso_version(-lassoplatform); ?></p>
> <p>Edition: <?lassoscript lasso_version(-lassoedition); ?></p>
> <p>
> Create file:
> <?lassoscript
> file_create('test', -fileoverwrite);
> error_currenterror;
> ?>
> </p>
> </body>
> </html>
> ---
>
> And run it. Result:
> ---
> $ ls -l public_html/
> total 4
> -rw-r--r-- 1 user1 user1 722 Feb 25 21:11 index.lasso
> -rwxr-x--- 1 user1 user1   0 Feb 25 21:36 test
> ---
>
> Nice - 'test' is owned by user1, not by lasso!
>
>
> Aside from the benefits of being able to create and edit files under your own user-id, the new method of creating distinct sites allows users on a shared server to easily and securely:
> * Upload their own LassoLibraries and LassoStartup files
> * Install their own JDBC drivers
> * Configure their own datasources which (to the OP:) Nobody Else Can See
> * Vacuum/upload/delete their own SQLiteDBs
> All with just normal user privileges.
>
> Since the lassoserver process also runs under your own ID, this means a shared server user could potentially even kill and restart his own Site process, without the intervention of a server admin!
>
> Process accounting is also possible, so you can quickly determine and limit CPU cycles of a user to ensure quality of service for everyone on the server (ever been in a situation where your site has slowed to a crawl because someone else was hogging all the server's CPU cycles? Not on a big shared provider who runs cPanel? That's because they utilize process accounting)
>
> It's easy to bash LassoSoft for what may well be a slightly premature release of L9. But to criticize the improvements that have been made in the architecture of L9 is in my opinion only due to a lack of research and willingness to learn a new way of doing things.
>
> Sincerely,
>
> Chris Wik
> Anu Internet Services Ltd
>
>
> One PS.: the SQLiteDBs seem to have world-write by default. In the setup I described above, I changed them all to 600 (user read/write, group and world no permissions). This means no other users can access the databases where sensitive information such as datasource credentials are stored. I'm not sure if this is something that should be changed by default, or simply be taken care of by the sysadmin during account setup.



Regards

Mark Palmer
E: [hidden email]
T: 01902 620500
W: www.pageworks.co.uk


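The per-user isolation Chris describes above, plus the file-permission point in his PS (which is also what the original post stumbled on: with everything under one Lasso root, any customer's code can read the shared SQLiteDBs and the datasource credentials in them), as an added example. This is not Chris's script and not LassoSoft code: it generates the vhost and wrapper for one customer from a user name and port, then audits a Lasso home for files that other system users could still open. It assumes the same /var/www/<user> layout and FastCGI ports as the post; the log location under LASSO9_HOME and the two audit helpers are my own choices, not anything the thread prescribes.

```shell
#!/bin/sh
# Added example, not code from the thread: build the per-user Apache vhost
# and lassoserver wrapper for a SuExec + FastCGI Lasso 9 site, then audit
# what another customer on the same box could still read.
# Assumed layout (as in Chris's post): /var/www/<user>/{public_html,lasso}.

# Print an Apache vhost running one customer's Lasso 9 as its own user.
# Arguments: system user, ServerName, FastCGI port.
make_vhost() {
    user=$1; host=$2; port=$3
    home=/var/www/$user
    cat <<EOF
<VirtualHost *:80>
    DocumentRoot $home/public_html
    ServerName $host
    SuexecUserGroup $user $user

    FastCGIServer $home/lasso/LassoExecutables/lassoserver_shell -user $user -group $user
    FastCgiExternalServer /lasso9_$user -host localhost:$port -pass-header Authorization -user $user -group $user
    FastCgiExternalServer /lasso9direct_$user -host localhost:$port -pass-header Authorization -user $user -group $user

    ScriptAlias /lasso9 /lasso9_$user
    ScriptAlias /lasso9direct /lasso9direct_$user
</VirtualHost>
EOF
}

# Print the lassoserver wrapper for that user. Differences from the post
# (both my choices): the log lives under the user's own LASSO9_HOME instead
# of a predictable /tmp name, and stdout is redirected before stderr so
# both streams actually land in the file.
make_wrapper() {
    user=$1; port=$2
    home=/var/www/$user
    cat <<EOF
#!/bin/sh
export LASSO9_HOME=$home/lasso
export LASSOSERVER_FASTCGIPORT=$port
mkdir -p "\$LASSO9_HOME/logs"
exec "\$LASSO9_HOME/LassoExecutables/lassoserver" > "\$LASSO9_HOME/logs/lassoserver.log" 2>&1
EOF
}

# List regular files under a directory that are readable or writable by
# group or others; in a per-user Lasso home those are the SQLiteDBs (or
# anything else) a different customer's lassoserver could open.
# Returns 0 when nothing is exposed, 1 (and prints the paths) otherwise.
audit_private_files() {
    dir=$1
    found=$(find "$dir" -type f \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Every site needs its own FastCGI port: two wrappers bound to one port would
# let the second site's requests reach the first site's lassoserver.
# Arguments: "user:port" pairs. Returns 1 if any port is reused.
check_unique_ports() {
    printf '%s\n' "$@" | cut -d: -f2 | sort | uniq -d | grep -q . && return 1
    return 0
}

# Demo output (the user1 example from the post) only when explicitly asked.
if [ "${LASSO_ISOLATE_DEMO:-0}" = "1" ]; then
    make_vhost user1 user1.localdomain 8998
    make_wrapper user1 8998
fi
```

Run it with LASSO_ISOLATE_DEMO=1 to print the user1 vhost and wrapper. After Chris's chmod 600 pass, point audit_private_files at /var/www/user1/lasso to confirm nothing group- or world-readable was missed, and feed check_unique_ports every user:port pair before reloading Apache.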



Re: Lasso 9 Shared Hosting Security

Mark Palmer
In reply to this post by Black Night Lists
What's happened to Fletcher?

On 26 Feb 2010, at 00:38, Jolle Carlestam wrote:

> The development team cut in half with Fletcher's absence ...



Regards

Mark Palmer
E: [hidden email]
T: 01902 620500
W: www.pageworks.co.uk





Re: Lasso 9 Shared Hosting Security

Trevor Borgmeier


on 2/26/10 11:09 AM Mark Palmer wrote:
> What's happened to Fletcher?
>  
Kerry wrote this yesterday...

on 2/25/10 11:07 AM Kerry Adams wrote:

> <!--  snip -->
>
> Fletcher has been quiet because he's taking some personal time away
> from the front line to address some personal matters within his family
> (but he's still very much a part of LassoSoft).
>
> <!-- snip -->
>
> Cheers,
>
> -Kerry
>







Re: Lasso 9 Shared Hosting Security

Bil Corry-3
In reply to this post by Black Night Lists
Deco Rior (Tennissource) wrote on 2/25/2010 7:28 PM:
> Lasso9 is way more elegant, but lasso 8.5 sure does a nice job too! Plus
> I am sure Bill, Jason, etc. could make my code look much better!

Not sure about 'better' but here's how I would do it in LP8:

=========================================================
[
var('out') = array;
iterate(array('Jones'='Krinn', 'Hammershaimb'='Ármarinn',
             'Jones'='Kjarni', 'Skywalker'='Halbjörg',
             'Riley'='Björg', 'Hammershaimb'='Hjörtur'),var('n'));
  $out->seek($n->name,array)->value->insert($n->value = $n->name);
  $out->find($n->name)->get(1)->value->sort; // optional if you want to sort the first names too
/iterate;
$out->sort;
$out->join('<br>');
]

LP8  =>  pair: (Hammershaimb)=(array: (pair: (Hjörtur)=(Hammershaimb)), (pair: (Ármarinn)=(Hammershaimb)))
         pair: (Jones)=(array: (pair: (Kjarni)=(Jones)), (pair: (Krinn)=(Jones)))
         pair: (Riley)=(array: (pair: (Björg)=(Riley)))
         pair: (Skywalker)=(array: (pair: (Halbjörg)=(Skywalker)))
=========================================================


You'll need to add the following to LassoStartup (and restart Lasso) to use array->seek:

$__PROTOTYPES__->find('__array__')->insert('seek' =
        {
                local('name') = params->get(1);
                local('default') = params->get(2);
                if(self !>> #name);  // doesn't exist?
                        self->insert(#name = #default);
                /if;
                return(@self->find(#name)->get(1));
        });


- Bil
