[Rack] webserver access

Jacob Appelbaum jacob at appelbaum.net
Thu Dec 30 01:59:34 UTC 2010


On 12/29/2010 05:48 PM, Patrick Keys wrote:
> (benny and Patrick both wrote this posting)
> 

Oh boy...

> On 12/29/2010 5:14 PM, Jacob Appelbaum wrote:
>> On 12/29/2010 05:05 PM, Patrick Keys wrote:
>>> benny and me started setting up a diaspora pod last night on pony.
>>> we should have it finished tonight sometime.
>>> for those interested, diaspora does not require a dedicated vm. but it
>>> does basically require nginx and thin for its ruby on rails.
>>>
>>
>> You should consider a vm not because it is "required" but because
>> compartmentalization is a reasonable practice.
>>
> compartmentalization is a good idea, but where would we run the vm?
> also, pony is already pwned by everybody.
> 

Actually, I'm not sure it's actually owned by everyone yet. Just enough
people that it earned the nickname pwny...

>>> there was also discussion with others at the meeting last night about
>>> setting up a forum system (like phpbb).
>>
>> Talk is cheap.
>>
> agreed - would install the phpbb myself (or an alternative forum system) 
> if I knew where to install it (which is why I asked).
> we could just use pony for the phpbb.
> 

Please for the love of no gods...

> 
>>> the forum system would be a potential alternative for the mailing lists,
>>> particularly given the discussion list already has way too much traffic.
>>>
>>
>> Subscribe with a digest option?
>>
> digest option doesn't work very well.

What doesn't it do well? Do you mean that the digest option is broken?

Or perhaps that it doesn't work well for your mental threading model..?

I think the option works but perhaps you mean that it doesn't meet your
needs or desires...

> also, can't really post in threads for digest option.

True enough.

> digest option doesn't solve the larger problem of too much traffic.

One digest per day? That's pretty much the exact problem it was designed
to solve.

> 
>>> not sure that pony is stable enough for an official diaspora pod or
>>> official noisebridge forum system.
>>>
>>
>> What does that even mean? official?
>>
> "official" in this case means "only", "preferred", and "central".
> 

So it's not really official at all. Ok...

> 
>>> what do we gotta do to get access to the "real" web server?
>>
>> Run your own web server?
>>
> why decentralize noisebridge infrastructure when the rack is mostly 
> idling all the time.

Centralization is a nightmare for a ton of reasons; not to mention the
security related reasons, it's prone to tons of failures.

> 
>> phpbb, nginx and other crap software will get your box owned quickly.
> In phpBB there are a lot of known issues regarding security and 
> basically you can solve a lot of them using a secure configuration of 
> the PHP installation. Benny is running phpBB3 installations and a lot of 
> other "insecure" software on his server without trouble.
> 

Local code execution on Linux is usually enough to bust root from a
kernel bug or ten.

> in terms of nginx I have to object: I'd rather trust nginx than Apache 
> even though nginx is the newer one of both. Basically nginx is a fast 
> webserver which is used by a lot of well-known websites. Just labelling 
> it crap because you don't know it is the wrong way to approach system 
> security.
> 

I've audited both - I've found bugs in the core of Apache (years ago)
and I've talked with people who have had a remote root in modern nginx.
I think there's even a hip hop song about remote root exploits for nginx.

I'm not labeling it as crap because I don't know it. Quite the opposite
actually.

I trust apache 2.2.x more than I trust nginx. Have you seen the way that
they parse HTTP requests? Or other aspects of their code? In some ways,
I think it's interesting and in other ways, I'm totally unconvinced by
the "used by a lot of well-known websites" argument.

> Furthermore I'd be more worried about the Diaspora security itself {the 
> source is not of good quality as confirmed by several independent 
> audits}. Also I trust Ruby less than I do for PHP.
> 

I'm _also_ concerned about the Diaspora security issues. It's not an
either/or question - all together, it's a big nightmare.

> Also: Installing Diaspora on Pony is basically the most honest thing to 
> do: "we will publish your private data" - thus being more direct than 
> Facebook in the first place.
> 

Sure. It's still likely to be bad news for the rest of the stuff on Pony.

> BTW: Diaspora runs as a non-root user without sudoers access ... Same 
> with all the other components required to run it.
> 

Except the webserver that binds to port 80 (and perhaps drops privs) or
the setuid/setgid binaries on disk or the chroot that has old openssl
code in it or ten other gotchas.

Put it in a VM or a different host - ask Jof for a VLAN on the switch
and go to town? At least then when you're owned or when it fails, it
doesn't impact everyone else?

All the best,
Jake
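
[Added example, not part of the original message or of any Noisebridge tooling.] The reply above lists two places where root still sits behind a "non-root" service: the listening socket on port 80 and setuid/setgid binaries on disk. The sketch below audits both on a Linux host; the sample table is constructed, and the function names are hypothetical.

```python
import os
import stat

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0BB8 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0050 0100007F:C350 01 00000000:00000000 00:00000000 00000000    33        0 33333 1 0000000000000000 20 4 30 10 -1
"""

LISTEN = "0A"  # TCP state code for a listening socket


def privileged_listeners(proc_net_tcp_text):
    """Return [(port, uid)] for LISTEN sockets on ports below 1024."""
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)  # hex port after the colon
        if port < 1024:
            found.append((port, int(fields[7])))  # field 7 is the socket's uid
    return found


def setid_files(root):
    """Return sorted [(path, kind)] for regular setuid/setgid files under root."""
    bits = ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"))
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode  # lstat: do not follow symlinks
            except OSError:
                continue  # vanished or unreadable entry
            kinds = [label for bit, label in bits if mode & bit]
            if stat.S_ISREG(mode) and kinds:
                hits.append((path, "+".join(kinds)))
    return sorted(hits)


if __name__ == "__main__":
    for port, uid in privileged_listeners(SAMPLE_PROC_NET_TCP):
        print(f"port {port} is listening, socket uid {uid}")
    for path, kind in setid_files("/usr/bin"):
        print(kind, path)
```

On a live host, pass the contents of /proc/net/tcp (and /proc/net/tcp6) instead of the sample. Any uid 0 listener or unexpected setuid file is shared exposure for everything else on the same box.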