There are considerations for security that you need to implement for your GAS
installation in a production environment, such as what directories users can access.
Use the following list to ensure that your Genero application server is properly secured for
users who interact with the GAS, and that users who run Genero applications on the GAS have the
right level of access.
You can simplify your security responsibilities as long as you adhere to good practice around
system security and follow the recommendations outlined here.
-
Limit user access to the machine where the GAS is running.
-
Ensure that the
GAS installation directory
(
$FGLASDIR) and application data (
appdata) directory are protected. You should, at a minimum, restrict
global access to these directories to their owner.
Note: For example, if the user allowed to start
the dispatcher is the directory owner, the permission should initially appear as
"drwx------" in directory listings in UNIX/Linux like
systems.
You will then have to grant additional access to directories based on which administrative tasks
a user needs to perform. For example, a user allowed to start the dispatcher
(fastcgidispatch or isapidispatch) must have read, write,
and execute access to specific directories within $FGLASDIR.
To have different users with different access rights, use groups to organize your users and grant
rights for the groups on the required directories. For example, create a group that can launch the
dispatcher and permission that group accordingly, create a group for users who deploy applications
and permission the group accordingly, and so on. For more details on setting permissions on
directories, see Administrative groups permissioning.
-
In the GAS configuration file (as.xcf), set the LOG element to ERROR and ACCESS
only. The GAS logs may include sensitive or
personal user data gathered during the normal course of running applications; access to these
logs must be managed and protected.
- Restrict access to the Genero demo applications bundled with the Genero BDL
installation. These demos should not be available to users.
Note: By default, access to the demos applications is allowed only to
localhost (
127.0.0.1). If you want to enable it for other client machines / IP
addresses, you must define access in the
ACCESS_CONTROL element. For more information on GAS configuration see
GAS configuration file.
Administrative groups permissioning
The GAS has several types of administrators, and each type of administrator will require access
to different directories within $FGLASDIR. Four Js recommends that you create
groups to represent each type of administrator, allowing you to manage access permissions at the
group level.
Note: How permissions are granted and viewed for a directory will vary according to the operating
system. For example, if read, write, and execute permissions are granted to the owner of the
directory, and read and write permissions were granted to the group to which the directory
belongs, the permission would appear as "drwxrw----" in directory listings in UNIX/Linux-like systems. See your operating system documentation for information
on working with groups and managing file permissions.
These are the administrative types for the GAS; therefore, these also represent the groups you
should create.
- Users allowed to start the dispatcher (fastcgidispatcher or iisdispatcher)
- Grant read, write, and execute permissions to the group for the directories:
- $FGLASDIR/bin
- $FGLASDIR/lib
- Users allowed to administer the dispatcher
-
Grant
read and write permissions to the group for the directories:
- $(res.appdata.path)/log
- $(res.appdata.path)/session
- $(res.appdata.path)/tmp
- Users allowed to deploy Genero applications or services
-
Grant
read and write permissions to the group for the directories:
- $(res.path.app); set to $(res.appdata.path)/app by default.
- $(res.path.services); set to $(res.appdata.path)/services)
by default.
- $(res.deployment.root); set to
$(res.appdata.path)/deployment by default.
- Users allowed to deploy Genero Browser Clients
-
Grant
read and write permissions to the group for the directory:
- $(res.gbc.deployment); set to
$(res.appdata.path)/gbc_deployment by default.