Posted to commits@lenya.apache.org by ne...@apache.org on 2007/04/25 19:44:57 UTC

svn commit: r532419 - /lenya/trunk/INSTALL-SRC.txt

Author: nettings
Date: Wed Apr 25 10:44:56 2007
New Revision: 532419

URL: http://svn.apache.org/viewvc?view=rev&rev=532419
Log:
added some security information, cf. bug
http://issues.apache.org/bugzilla/show_bug.cgi?id=35786

Modified:
    lenya/trunk/INSTALL-SRC.txt

Modified: lenya/trunk/INSTALL-SRC.txt
URL: http://svn.apache.org/viewvc/lenya/trunk/INSTALL-SRC.txt?view=diff&rev=532419&r1=532418&r2=532419
==============================================================================
--- lenya/trunk/INSTALL-SRC.txt (original)
+++ lenya/trunk/INSTALL-SRC.txt Wed Apr 25 10:44:56 2007
@@ -3,7 +3,7 @@
     * Prerequisites
     * Standalone Installation (using the built-in Jetty)
     * Installation with Apache Tomcat
-
+    * Security considerations
 
 Prerequisites
 
@@ -149,4 +149,20 @@
 
    7. Test the installation by pointing your browser to
           http://localhost:8080/lenya/
+
+
+Security Considerations
+
+   It is advisable to run Lenya's servlet container with limited privileges,
+   to reduce the impact of a possible exploit.
+   You might want to create a user "lenya" with default group "lenya" for
+   this, change the rights of the build/ tree accordingly, and start the
+   server as that user.
+   
+   Additionally, you might want to consider tightening the write privileges 
+   of the servlet container. At run-time, it only needs write access to
+   WEB-INF/* and the publication's content and access-control store.
+   While not strictly necessary, disallowing write access to other parts
+   makes it harder for an attacker to manipulate the system.
+   FIXME: this needs more detailed documentation.
 
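Review bot: the write-access guidance contradicts its own goal by listing WEB-INF/* as a directory the container needs to write to at run-time; WEB-INF holds the deployment descriptor, libraries and classes, so leaving the whole tree writable to the "lenya" user means a compromised container can alter the application itself, which is exactly what the paragraph says restricting write access should make harder. Please narrow the statement to the specific run-time data locations under WEB-INF that Lenya actually writes (or say explicitly which subdirectories those are) and keep the rest of WEB-INF read-only for the service account. Two smaller points on the same hunk: the trailing `FIXME: this needs more detailed documentation.` is a developer note that will ship verbatim to every user reading INSTALL-SRC.txt, so either expand it or move it to the bug referenced in the commit message; and the added lines `+   ` and `+   Additionally, you might want to consider tightening the write privileges ` carry trailing whitespace that should be stripped before committing.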



---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@lenya.apache.org
For additional commands, e-mail: commits-help@lenya.apache.org