Re: [announcement] Longwell 1.1 released

From: Ryan Lee <ryanlee_at_w3.org>
Date: Fri, 11 Mar 2005 10:54:13 -0500

J. Steven Hughes wrote:
> Hi Ryan,
>
> What are the security risks associated with running Longwell? We are
> behind a firewall and need to justify opening a port for outside access.
>
> thanks,
> steve

To follow up on Stefano's advice, there are some general practices
(which you likely know, but they're good enough to bear repeating) and
some application-specific notes to be aware of.

In Longwell, to avoid unwanted data being piped into your repository,
make sure allowAdd and scutter.enabled are both false in your
data.properties configuration file. They both default to false if not
specified.

Generally, one good way to protect yourself is to make sure the servlet
container running Longwell runs under an unprivileged user. Any
potential breach would be restricted to what that user can access -
given that your machine is secured against normal users usurping root
privileges.

-- 
Ryan Lee                 ryanlee_at_w3.org
W3C Research Engineer    +1.617.253.5327
http://simile.mit.edu/
Received on Fri Mar 11 2005 - 15:53:10 EST
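
The two checks from the message above, as an added example that is not part of the original e-mail or of Longwell's code. It assumes data.properties follows standard Java .properties syntax (where the last duplicate key wins) and that the caller supplies the uid of the servlet container process; the function names and the sample text are constructed for illustration.

```python
import re

# Keys named in the message; both are described as defaulting to false.
INGEST_KEYS = ("allowAdd", "scutter.enabled")

# Constructed sample, not a real Longwell configuration.
SAMPLE = """\
# constructed sample
allowAdd = false
scutter.enabled: false
! a later duplicate silently overrides the earlier line
allowAdd=true
"""

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=', ':' or
    whitespace separators, backslash continuation, last duplicate wins."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]          # value continues on the next line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)$", line)
        key, value = (m.group(1), m.group(2)) if m else (line, "")
        props[key] = value.strip()       # trailing space stripped for comparison
    return props

def audit(properties_text, container_uid):
    """Return a list of findings; an empty list means both checks passed."""
    props = parse_properties(properties_text)
    findings = []
    for key in INGEST_KEYS:
        value = props.get(key, "false")  # absent means the stated default
        # Assumption: only a literal "false" is accepted; how other spellings
        # are interpreted is not stated in the message, so they are flagged.
        if value != "false":
            findings.append(f"{key} is {value!r}, expected false")
    if container_uid == 0:
        findings.append("servlet container runs as root (uid 0)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, container_uid=1001):
        print(finding)
```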