Security recommendations for production environment
There are security considerations that you need to implement for your GAS installation in a production environment, such as restricting which directories users can access.
- Limit user access to the machine where the GAS is running.
- Ensure the GAS installation directory ($FGLASDIR) and application data (appdata) directory are protected. At a minimum, restrict global access to these directories to their owner.
  Note: For example, if the user allowed to start the dispatcher is the directory owner, the permission should initially appear as "drwx------" in directory listings in UNIX®/Linux®-like systems.
  Grant additional access to directories based on the administrative tasks a user will perform. For example, a user allowed to start the dispatcher (fastcgidispatch or isapidispatch) must have read, write, and execute access to specific directories within $FGLASDIR.
  To have different users with different access rights, use groups to organize your users and grant rights to the groups on the required directories. For example, create a group that can launch the dispatcher and permission that group accordingly; create a group for users who deploy applications and permission the group accordingly; and so on. For more details on setting permissions on directories, see Administrative groups permissioning.
- In the GAS configuration file (as.xcf), set the LOG element to ERROR and ACCESS only. The GAS logs may include sensitive or personal user data gathered during the normal course of running applications; access to these logs must be managed and protected.
- Restrict access to the Genero demo web services and applications bundled with the Genero BDL installation. These demos should not be available to users.
  Note: By default, access to the Genero BDL Demos applications is allowed only to localhost (127.0.0.1). If you want to enable it for other client machines / IP addresses, you must define access in the ACCESS_CONTROL element.
- Ensure there is no sensitive data in the GAS public directory ($FGLASDIR/web) and in the directory specified by DOCUMENT_ROOT.
- For secure data exchange, use HTTPS by setting the SESSION_COOKIE "Secure" attribute to true:
      <SESSION_COOKIE Secure="TRUE">
- Limit connection to the dispatcher entry point (port 6394 by default) to a specific server, like the web server. Configure the dispatcher to only accept connections on one IP address by setting the LISTEN element. For example:
      <LISTEN>
        <ADDRESS>192.127.45.17</ADDRESS>
      </LISTEN>
- If using the /monitor URL to view information on the status of the GAS dispatcher and on active applications, limit access to specific IP addresses by setting the MONITOR element. For example:
      <MONITOR>
        <ALLOW_FROM>127.0.0.1</ALLOW_FROM>
        <ALLOW_FROM>192.168.</ALLOW_FROM>
      </MONITOR>
  Note: The monitor page provides access to dispatcher and proxy / VM log files, which may contain some sensitive information. Access to the page must be restricted.
- Ensure users executing applications have access limited to running the DVM and any needed program files and resources. For more information on managing user access rights, see Managing user access rights.
Administrative groups permissioning
The GAS has several types of administrators, and each type of administrator will require access to different directories within $FGLASDIR. Four Js recommends that you create groups to represent each type of administrator, allowing you to manage access permissions at the group level.
How permissions are granted and viewed for a directory varies according to the operating system. For example, if read, write, and execute permissions are granted to the owner of the directory, and read and write permissions are granted to the group to which the directory belongs, the permission would appear as "drwxrw----" in directory listings in UNIX/Linux-like systems. See your operating system documentation for information on working with groups and managing file permissions.
These are the administrative types for the GAS; they represent the groups you should create.
- Users allowed to start the dispatcher (fastcgidispatcher or iisdispatcher)
  - Grant read, write, and execute permissions to the group for the directories:
    - $FGLASDIR/bin
    - $FGLASDIR/lib
- Users allowed to administer the dispatcher
  - Grant read and write permissions to the group for the directories:
    - $(res.appdata.path)/log
    - $(res.appdata.path)/session
    - $(res.appdata.path)/tmp
- Users allowed to deploy Genero applications or services
  - Grant read and write permissions to the group for the directories:
    - $(res.path.app); set to $(res.appdata.path)/app by default.
    - $(res.path.services); set to $(res.appdata.path)/services by default.
    - $(res.deployment.root); set to $(res.appdata.path)/deployment by default.
- Users allowed to deploy Genero Browser Clients
  - Grant read and write permissions to the group for the directory:
    - $(res.gbc.deployment); set to $(res.appdata.path)/gbc_deployment by default.
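The directory rules above (no global access to $FGLASDIR and the appdata directory, plus the per-group rights in this list) can be checked with a short script. This is an added example, not part of the Four Js documentation or product; the two command-line arguments, the WORLD/GROUP output labels and the use of the default appdata sub-directory names are assumptions. It checks permission bits only, not which group owns each directory.

```shell
#!/bin/sh
# Added example, not Four Js code. Usage: sh gas_perm_audit.sh "$FGLASDIR" <appdata-dir>
# The script name and the output labels WORLD/GROUP are made up for this example.

# perm_string DIR: the 10-character mode field of `ls -ld`, e.g. drwx------
perm_string() {
    ls -ld -- "$1" | cut -c1-10
}

# group_has DIR TRIPLET: true if the group bits of DIR are exactly TRIPLET
group_has() {
    [ "$(perm_string "$1" | cut -c5-7)" = "$2" ]
}

# audit_gas FGLASDIR APPDATA: print one line per finding, return 1 if any
audit_gas() {
    fglasdir=$1; appdata=$2; rc=0
    # 1. No directory under either root may grant anything to "other".
    open=$(find "$fglasdir" "$appdata" -type d \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$open" ]; then
        printf '%s\n' "$open" | sed 's/^/WORLD /'
        rc=1
    fi
    # 2. Group bits per directory, copied from the page's administrator list.
    #    Default appdata sub-directory names are assumed (app, services, ...).
    for spec in "$fglasdir/bin:rwx" "$fglasdir/lib:rwx" \
        "$appdata/log:rw-" "$appdata/session:rw-" "$appdata/tmp:rw-" \
        "$appdata/app:rw-" "$appdata/services:rw-" \
        "$appdata/deployment:rw-" "$appdata/gbc_deployment:rw-"; do
        dir=${spec%:*}; want=${spec##*:}
        [ -d "$dir" ] || continue   # skip directories this install lacks
        if ! group_has "$dir" "$want"; then
            echo "GROUP $dir is $(perm_string "$dir"), expected group $want"
            rc=1
        fi
    done
    return "$rc"
}

# Audit a real installation only when both roots are passed on the command line.
if [ $# -eq 2 ]; then
    audit_gas "$1" "$2"
fi
```

A WORLD line names a directory that still grants access to all users; a GROUP line names a directory whose group bits differ from the list above.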