RPGnet

Security

Good security is a shared responsibility. It's not about risk-- it's about trust, and making sure that visitors see what you made for them, no more, no less. We try to keep private things private while making web content easy for both creators and visitors to find. Thus 'home' and 'web' files are kept separate.

The short summary is: keep mail and other personal/business documents in your home directory, and put only web pages in the "www" directory.

Security on RPGnet has become a stronger concern for us. Security is really a matter of taking trust seriously. This means that visitors to your site see what you put there for them, and not other material you didn't mean for them to see; and that if someone does try to pry deeper, they can't, so the things you believe are private really are. These two aspects work together: good security results in better communication and fewer confusions about your work. On our site, this takes the form of four basic points.

  1. Personal files (email and such) are kept separate from web-visible files.
  2. The use of publicly writable ('shared') directories for scripts, incoming ftp, or web files will be kept to a minimum, and in general each user has access only to their own files.
  3. Periodic security scans will be run on RPGnet by our security sysadmin to make sure there have been no intrusions.
  4. Anti-SPAM and anti-hacking procedures will be run. Technically, anti-SPAM isn't a security matter, but we will be implementing blocking filters to try to reduce it.

Of these four points, the only one that directly involves you is the first: that your personal files (email and such) are kept isolated from the web-visible files. The other points are simply aspects you may wish to be acquainted with, depending on how 'hands on' you feel about security concerns. We believe that informed users are happier and more secure, and are always willing to discuss such points. Ultimately, site security is a combined responsibility of the system administrators and all the users.

On security and cgibin

If you are using HTML forms to pass parameters to system calls or executable programs, please screen out bad values. For example, if your script reads a number into $my_value and then uses it by running "ls $my_value", this is dangerous if $my_value is not tested. If a user were to input " 2; delete *" into the FORM, this would be passed to your script and execute as "ls 2; delete *". In short, allowing unchecked input can allow hackers to execute commands as if they were logged onto the rpg.net machines.

Fortunately, there are many ways in Perl to check input values. If you have read a Form value into $my_value and it is supposed to be a number, the line:
$my_value =~ s/[^\d.-]//g;   # delete every character that is not a digit, '.' or '-'
will strip out all non-numeric characters (but keep decimal points and minus signs). Note that the '-' is placed last in the character class; written as [^\d-.] Perl warns about a false range, even though it still treats the '-' literally. Similar constructions can be used to (at the very least) strip out any "/" or ";" characters from the form, to prevent hackers from gaining access.
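As an added example (not code from the original RPGnet page), the following Perl script compares the stripping substitution above with a stricter check that accepts only a well-formed number and rejects everything else, then passes the checked value to system() in list form so that no shell ever parses it. The function names and the sample form values are constructed for illustration; taint mode (-T) is a standard Perl feature, not something specific to RPGnet.

```perl
#!/usr/bin/perl
# Added example, not from the original RPGnet page. Assumes a CGI-style
# script; function names and sample inputs are constructed for illustration.
# Run with "perl -T" to enable taint checking: a tainted form value may not
# reach system() until it has passed through a regex capture.
use strict;
use warnings;

$ENV{PATH} = '/bin:/usr/bin';            # required under -T, good hygiene otherwise
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};  # likewise (see perlsec)

# The page's approach: delete anything that is not a digit, '.' or '-'.
# The '-' is placed last so Perl does not read "\d-." as a range.
sub strip_non_numeric {
    my ($v) = @_;
    $v =~ s/[^\d.-]//g;
    return $v;
}

# Stricter approach: accept only a well-formed number and reject the rest
# instead of trying to repair it. The capture also untaints the value.
sub validate_number {
    my ($v) = @_;
    return undef unless defined $v && $v =~ /^(-?\d+(?:\.\d+)?)$/;
    return $1;
}

# Constructed inputs a form might deliver. Stripping silently turns the
# third into '2' and leaves the fourth as '1-2-3', which is still not a
# number; validation rejects both, plus the empty string.
my @inputs = ('42', '-3.5', '2; delete *', '1-2-3', '');
for my $in (@inputs) {
    my $valid = validate_number($in);
    printf "%-14s strip => %-8s validate => %s\n",
        "'$in'", "'" . strip_non_numeric($in) . "'",
        defined $valid ? "'$valid'" : 'rejected';
}

# When a value must reach a program, pass it to system() as a list so no
# shell parses it; a rejected value never gets this far.
if (@ARGV) {
    my $n = validate_number($ARGV[0]);
    if (defined $n) {
        system('ls', '-ld', $n) == 0 or warn "ls exited with $?\n";
    } else {
        print "refusing to run ls: argument is not a number\n";
    }
}
```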


Copyright © 1996-2009 Skotos Tech, Inc. & individual authors, All Rights Reserved
Compilation copyright © 1996-2009 Skotos Tech, Inc.
RPGnet® is a registered trademark of Skotos Tech, Inc., all rights reserved.