EPrints Technical Mailing List Archive
Message: #00934
[EP-tech] Re: Security profile of E-Prints
- To: eprints-tech@ecs.soton.ac.uk
- Subject: [EP-tech] Re: Security profile of E-Prints
- From: Tim Brody <tdb2@ecs.soton.ac.uk>
- Date: Fri, 10 Aug 2012 09:13:24 +0100
On Thu, 2012-08-09 at 15:58 -0600, Francisco Ralón wrote:
> Dear friends:
>
> We have developed a virtual library using E-Prints, and up to now we
> have some 500 records in it. But now that I thought we are ready to
> put it on line, our informatics manager is questioning what he calls
> “the security profile” of this software. He wants me to tell him what
> risks we run if we install our virtual library in the institutional
> server. I am a librarian, not an informatics professional, and I do
> not find any information regarding this issue in the E-Prints website.
> How can E-Prints affect other software installed in the same server?
> Can it serve as gateway to viruses, Trojans, etc. which would infect
> the server? What other risks might it have? Are there documented
> cases of problems with security issues that would be helpful to me?

Hi,

I'm not aware of an occasion when EPrints has been exploited. (Trying not to tempt fate ...)

As a general rule you have to be able to trust contributing users of the EPrints system, because there are no restrictions on what a user can upload (be it malicious or just unwanted).

If you allow (default) admin users to edit configuration files then an admin user could gain control of your server. You can avoid this by running EPrints under a non-root Apache process and reverse-proxying it from a port 80 Apache.

Of course you don't want to have your admin accounts compromised anyway :-)

--
All the best,
Tim
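The split described in the reply above, sketched as an added Apache configuration example; it is not part of the original message and not EPrints project configuration. The account name `eprints`, port 8080, the hostname `repository.example.org` and the `/opt/eprints3` paths are assumptions, and how EPrints is told its public host and port is not covered here.

```apache
# ---- Front-end instance: the system Apache, started by root, binds port 80 ----
# Needs mod_proxy and mod_proxy_http. It loads no EPrints code or configuration,
# so nothing an EPrints admin can edit is ever read by a root-owned process.
<VirtualHost *:80>
    ServerName repository.example.org        # assumed public hostname

    ProxyRequests     Off                    # reverse proxy only, never a forward proxy
    ProxyPreserveHost On                     # pass the public Host header to the back end
    ProxyPass         / http://127.0.0.1:8080/
    ProxyPassReverse  / http://127.0.0.1:8080/
</VirtualHost>

# ---- Back-end instance: a separate httpd started by the unprivileged account ----
# Saved as its own file (assumed: /opt/eprints3/backend-httpd.conf) and started
# as the "eprints" user, never by root:
#     httpd -f /opt/eprints3/backend-httpd.conf
# A process without root cannot bind ports below 1024, hence the high port.
# Binding to loopback keeps the back end reachable only through the front end.
Listen   127.0.0.1:8080

# Runtime files must live somewhere the unprivileged account can write (assumed paths).
PidFile  /opt/eprints3/var/backend-httpd.pid
ErrorLog /opt/eprints3/var/backend-error.log

# EPrints is loaded here only (assumed include path). Configuration edited through
# the admin interface is therefore read with the "eprints" account's privileges.
Include  /opt/eprints3/cfg/apache.conf
```

This limits a compromised admin account to what the unprivileged account can reach; uploaded content still has to be trusted as described in the reply.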