LinuxWorld experts: Securing Web-based applications on Linux

* How secure are your Linux-based Web apps?

This is the first in a series of newsletters, where we talk with Linux experts who will be speaking at the LinuxWorld Conference and Expo, which runs Aug. 14-17 at the Moscone Convention Center in San Francisco.

PHP, Perl and other languages are useful, easy-to-learn tools that can be used to build some pretty functional Web-based applications. They can also be the bane of a system administrator's existence, especially when slapped together and used to publish Web apps accessible to the outside world.

"Due to the ease that some languages allow people to write Web applications, people are throwing Web applications up left and right without any kind of security review," says David Cafaro, a systems analyst for the Advanced Research Computing group at Georgetown University. An example could be something as simple as a Web form on an apps server. If the code is poorly written, or is running on a vulnerable machine, this could allow someone to gain access as the Apache user, Cafaro says. If the Apache server isn't updated, or if an unknown vulnerability exists in the software, for example, this could possibly allow someone to get root access to a machine.

"People just have to pay attention to what they're putting up there and realize that it's for the world to see, and for the world to toy with," Cafaro says.

Tools that Cafaro likes that can help lessen the risk of poorly written Web applications include SE Linux - the Security Enhanced Linux kernel add-ons, developed by the NSA. AppArmor, which Novell owns and includes with its SuSE products, is another. These technologies use policies that limit what applications can do to critical system files and how they access memory and processor resources. But admins must use caution when employing such measures, as policy-based security tools can often break applications that may have worked fine in the past. (An application with a minor bug that violates a SE Linux policy - and subsequently stops working correctly - could cause more immediate trouble for an IT professional supporting the app, Cafaro says.)

"It's always a matter of finding a compromise between a system that is unusable but secure, and a system that is usable but only for so long, until someone breaks it," he adds.
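To make the policy idea above concrete, here is an added example of an AppArmor profile confining a single Perl CGI form handler; it is not from the article or from any project mentioned in it, and the script path, data directory and log file names are assumed for illustration.

```apparmor
# Hypothetical profile for a Perl CGI form handler run by Apache.
# Install as /etc/apparmor.d/usr.lib.cgi-bin.form.pl (assumed path) and load
# with: apparmor_parser -r /etc/apparmor.d/usr.lib.cgi-bin.form.pl
#include <tunables/global>

/usr/lib/cgi-bin/form.pl {
  #include <abstractions/base>
  #include <abstractions/perl>

  # The interpreter named in the #! line runs inside this same profile (ix).
  /usr/bin/perl ix,

  # The script may read itself and its data directory, nothing else under /var/www.
  /usr/lib/cgi-bin/form.pl r,
  /var/www/data/** r,

  # Only these two files may be written; a bug (or an injected command) that
  # tries to write anywhere else is denied and logged, rather than succeeding
  # with the Apache user's full privileges.
  /var/www/data/submissions.log w,
  /var/log/cgi-form.log w,

  # Explicit denials: no shells, no reading credential files, no home directories.
  deny /bin/** x,
  deny /usr/bin/** x,
  deny /etc/shadow r,
  deny /home/** rw,
}
```

This also illustrates Cafaro's caveat: put the profile in complain mode first (aa-complain /usr/lib/cgi-bin/form.pl) and watch the kernel audit log for denials, because an otherwise harmless bug such as the script writing a scratch file to a path not listed here will be blocked once the profile is enforced.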

Cafaro is heading the "Open Source (in) Security Panel" on Aug. 16, 3 p.m. to 4 p.m. at LinuxWorld.

Copyright © 2006 IDG Communications, Inc.
