EPrints Technical Mailing List Archive


Message: #00934



[EP-tech] Re: Security profile of E-Prints


On Thu, 2012-08-09 at 15:58 -0600, Francisco Ralón wrote:
> Dear friends:
> 
> We have developed a virtual library using E-Prints, and up to now we
> have some 500 records in it.  But now that I thought we are ready to
> put it on line, our informatics manager is questioning what he calls
> “the security profile” of this software.  He wants me to tell him what
> risks we run if we install our virtual library in the institutional
> server.  I am a librarian, not an informatics professional, and I do
> not find any information regarding this issue in the E-Prints website.
> How can E-Prints affect other software installed in the same server?
> Can it serve as gateway to viruses, Trojans, etc. which would infect
> the server?  What other risks might it have?  Are there documented
> cases of problems with security issues that would be helpful to me?

Hi,

I'm not aware of an occasion when EPrints has been exploited. (Trying
not to tempt fate ...)

As a general rule you have to be able to trust contributing users of the
EPrints system, because there are no restrictions on what a user can
upload (be it malicious or just unwanted).

If you allow (default) admin users to edit configuration files then an
admin user could gain control of your server. You can avoid this by
running EPrints under a non-root Apache process and reverse-proxying it
from a port 80 Apache. Of course you don't want to have your admin
accounts compromised anyway :-)

-- 
All the best,
Tim

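The split-Apache layout Tim describes above, shown as an added example; this is not configuration from the EPrints project or from the original message. It assumes Apache 2.4 syntax, that the front-end instance is the distribution's root-started Apache bound to port 80, that the EPrints instance is a second Apache started by an unprivileged account (called `eprints` here) and bound only to 127.0.0.1:8080, and that the hostname and every path below are placeholders.

```apache
# ---- Front-end Apache: started as root so it can bind port 80 ----
# Contains no EPrints configuration at all; it only forwards requests
# to the unprivileged back-end. Hostname and ports are placeholders.
Listen 80
<VirtualHost *:80>
    ServerName eprints.example.org

    ProxyRequests Off          # never act as an open forward proxy
    ProxyPreserveHost On       # EPrints sees the public hostname, not 127.0.0.1

    <Proxy "http://127.0.0.1:8080/">
        Require all granted
    </Proxy>
    ProxyPass        "/" "http://127.0.0.1:8080/"
    ProxyPassReverse "/" "http://127.0.0.1:8080/"
</VirtualHost>

# ---- Back-end Apache: started by the 'eprints' user, never by root ----
# e.g.  su - eprints -c "apachectl -f /home/eprints/httpd-eprints.conf -k start"
# Because the parent process itself is unprivileged, nothing it loads,
# including edits an EPrints admin makes to the configuration files
# it includes, can ever execute as root. An unprivileged process can
# only bind ports above 1023, hence 8080.
Listen 127.0.0.1:8080           # loopback only: reachable just via the proxy

# User/Group are ignored when Apache is not started as root; the
# process keeps the identity of the account that launched it.
# Logs and the pid file must therefore live somewhere that account owns.
PidFile  /home/eprints/run/httpd.pid
ErrorLog /home/eprints/log/error.log

# EPrints-generated Apache configuration (assumed path). Its VirtualHost
# entries must be told to listen on 8080 rather than 80 for this layout.
Include /opt/eprints3/cfg/apache.conf
```

Two things worth checking after a setup like this: `ps -o user,pid,cmd -C httpd` (or `apache2`) should show the EPrints instance's parent process owned by `eprints`, not root, and `ss -ltnp` should show 8080 bound to 127.0.0.1 only, so the back-end is never reachable except through the port 80 proxy. As Tim notes, this limits what a compromised admin account can do to the host; it does not change the fact that contributing users can still upload whatever they like into the repository itself.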