The most striking lesson I think that anyone can take from the recent apache compromise is this:
The more secure zone should have credentials for the less secure one, not the other way round, and the more secure zone should be responsible for controlling the processes that it is involved in.
This way the less secure zone doesn't have any influence over your more secure stuff.
If you, like me, spend your days making systems interact with one another this is reasonably fundamental stuff. But for those who aren't so paranoid its a lesson well worth heeding.
Danny Angus
blog.killerbees.co.uk
Labels
Friday, August 28, 2009
Don't invert your security!
Thursday, August 27, 2009
Danny strengthens in the Atlantic
Danny has maximum sustained winds of 60 mph (95 kph) early Thursday with slow strengthening expected over the next few days.
Its weird seeing your name used this way, but a great opportunity for toilet humour.
Friday, August 21, 2009
Use http AUTH for control of read and write access to multiple svn repos
I figured this out, and thought I share it, as I couldn't find anything remotely similar on the interweb.
OTOH I'm sure you all know all about this, and there are articles everywhere and I'm just being dumb.
I wanted a password protected svn, with some people read only and others read-write, across multiple repositories.
## your svn url is .../svn/repository/reponame
## first set up the /svn part
## enable DAV svn and require any user from the password file for any action
## this will allow everyone who logs in to do anything
<Location /svn>
DAV svn
SVNParentPath /wherever/svn/repository
AuthType Basic
AuthName "Subversion Repository"
AuthUserFile /etc/httpd/dav_svn.passwd
Require valid-user
</Location>
## now for each repo appy a stricter constraint
<Location /svn/infrastructure>
# only members of sysadmin group can access infra repo
AuthType Basic
AuthName "Subversion Infrastructure Repository"
AuthUserFile /etc/httpd/dav_svn.passwd
## create a groups file
AuthGroupFile /etc/httpd/dav_svn.groups
## the only people who can acces this one are the group members
Require group sysadmin
</Location>
<Location /svn/projects>
AuthType Basic
AuthName "Subversion Projects Repository"
AuthUserFile /etc/httpd/dav_svn.passwd
AuthGroupFile /etc/httpd/dav_svn.groups
## only members of commiters group can commit
## but any valid user can checkout and browse
## because we're using limit except to narrow
## the restrictions
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require group committers
</LimitExcept>
</Location>
Neat?
Or weel kent?
Friday, August 07, 2009
at the third stroke it will be 123456789 o'clock
Yes folks, earlier today (I meant to post this then, but you know how it is) it was
12:34:56 7/8/9
this will happen again in 1000 years,
but we can look forward to
6:5:4 3/2/10
and
5:6:7 8/9/10 next year.
Further Reading
-
Is Verisign a monopoly? Does it matter? - Senator Elizabeth Warren and Rep. Jerry Nadler recently wrote a latter complaining that VeriSign overcharges for for .com domains due to its market power...4 weeks ago
-
[ANNOUNCE] Apache NetBeans 18 Released - The Apache NetBeans team is pleased to announce that Apache NetBeans 18 was released on May 30, 2023. What's in the Apache NetBeans 18 release: https://...1 year ago
-
-
ApacheCon Europe 2019 – Day 1 - Plain Schwarz has added a photo to the pool: [image: ApacheCon Europe 2019 – Day 1] Day one of #ACEU19 kicked-off with a Barcamp and a couple of exciting...5 years ago
-
-
Export to JSON from MySQL All Ready for MongoDB - This post walks through how to export data from MySQL® into JSON format, ready to ingest into MongoDB®. Starting from MySQL 5.7+, there is native support ...6 years ago
-
ApacheCon Seville 2016 – Building a Container Solution on Top of Apache CloudStack- Steve Roles - Building a Container Solution on Top of Apache CloudStack- Steve Roles Cloud native applications running in containerised environments look set to create a...7 years ago
-
Nóirín Plunkett - https://www.flickr.com/photos/robertburrelldonkin/5729816462 smiles and socks retreating in co. wicklow now empty whiskey and secrets bar camping in ox...9 years ago
-
Hello world! - Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!9 years ago
-
Debugging MySQL Slow Queries With Many Joins - This week I encountered an issue that I hadn’t seen in a while. The ORM in a CMS project that I work on automatically joins to many subclass tables, causin...11 years ago
-
You’re invited to help us celebrate an unlikely pairing in open source - We are just days away from reaching a significant milestone for our team and the open source and open standards communities: the first anniversary of Micro...11 years ago
-
Boat For Sale - Boat For Sale: Price: £150 Terms and Conditions Oracle reserve the right to alter the web price of this acticle even after purchase. Price does n...18 years ago
-
-
-
-
I know nothing, I'm not a fortune teller, and you'd be insane to think that I am. This disclaimer was cribbed from an email footer I once received. It is so ridiculous I had to have it for myself.
Statements in this blog that are not purely historical are forward-looking statements including, without limitation, statements regarding my expectations, objectives, anticipations, plans, hopes, beliefs, intentions or strategies regarding the future. Factors that could cause actual results to differ materially from the forward looking statements include risks and uncertainties such as any unforeseen event or any unforeseen system failures, and other risks. It is important to note that actual outcomes could differ materially from those in such forward-looking statements.
Danny Angus Copyright © 2006-2013 (OMG that's seven years of this nonsense)