Posted to commits@lenya.apache.org by ne...@apache.org on 2007/04/25 19:44:57 UTC
svn commit: r532419 - /lenya/trunk/INSTALL-SRC.txt
Author: nettings
Date: Wed Apr 25 10:44:56 2007
New Revision: 532419
URL: http://svn.apache.org/viewvc?view=rev&rev=532419
Log:
added some security information, cf. bug
http://issues.apache.org/bugzilla/show_bug.cgi?id=35786
Modified:
lenya/trunk/INSTALL-SRC.txt
Modified: lenya/trunk/INSTALL-SRC.txt
URL: http://svn.apache.org/viewvc/lenya/trunk/INSTALL-SRC.txt?view=diff&rev=532419&r1=532418&r2=532419
==============================================================================
--- lenya/trunk/INSTALL-SRC.txt (original)
+++ lenya/trunk/INSTALL-SRC.txt Wed Apr 25 10:44:56 2007
@@ -3,7 +3,7 @@
* Prerequisites
* Standalone Installation (using the built-in Jetty)
* Installation with Apache Tomcat
-
+ * Security considerations
Prerequisites
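Review bot: The new table-of-contents entry uses different capitalisation from the heading it points to: the `+ * Security considerations` line here versus the `+Security Considerations` heading added in the second hunk, and it also carries a leading space the other `*` entries do not. Make the two match (`* Security Considerations`), and since the `-` line being replaced was the blank separator, confirm that a blank line still precedes `Prerequisites` after the change.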
@@ -149,4 +149,20 @@
7. Test the installation by pointing your browser to
http://localhost:8080/lenya/
+
+
+Security Considerations
+
+ It is advisable to run Lenya's servlet container with limited privileges,
+ to reduce the impact of a possible exploit.
+ You might want to create a user "lenya" with default group "lenya" for
+ this, change the rights of the build/ tree accordingly, and start the
+ server as that user.
+
+ Additionally, you might want to consider tightening the write privileges
+ of the servlet container. At run-time, it only needs write access to
+ WEB-INF/* and the publication's content and access-control store.
+ While not strictly necessary, disallowing write access to other parts
+ makes it harder for an attacker to manipulate the system.
+ FIXME: this needs more detailed documentation.
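Review bot: The write-access guidance is too vague to act on and is partly self-contradicting: the text says to tighten write privileges, yet grants `WEB-INF/*` wholesale, which is where the container's configuration and classes live and is exactly the area that should stay read-only. Name the specific subdirectories that actually need to be writable at run time and keep the rest of `WEB-INF` owned by a different user; likewise "change the rights of the build/ tree accordingly" only fits the standalone Jetty case, whereas the Tomcat installation section above deploys elsewhere, so say which directory is meant in each setup. A short `chown -R lenya:lenya` / `chmod` sequence for the writable paths would make the section usable, and the trailing `FIXME` line should be tracked in the referenced bug rather than shipped in the user-facing install notes.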