Security recommendations for production environment

There are security considerations that you need to address for your GAS installation in a production environment, such as which directories users can access.

The following checklist is intended to help you ensure that your Genero application server is properly secured for users who interact with the GAS and that users who run Genero applications on the GAS have the right level of access.

You can simplify your security responsibilities as long as you adhere to good practice around system security and follow the recommendations outlined here.
  • Limit user access on the local machine where the GAS is running.
  • The user allowed to start the dispatcher (fastcgidispatch or isapidispatch) must ensure that the GAS installation directory ($FGLASDIR) and the application data (appdata) directory are protected. Only this user should have read, write, and execute access to the entire directory. For example, this permission appears as "drwx------" in directory listings on UNIX/Linux-like systems.

    If you want other types of users to have some rights, for example users who deploy applications, you can use groups and grant the group rights on the required directories. For more details on setting permissions on directories, see Setting permissions for groups.

  • Set the LOG element in the GAS configuration file (as.xcf) to ERROR and ACCESS only. You need to protect access to GAS logs, which may include some sensitive or personal user data that is gathered during the normal course of running applications, depending on the log settings.
  • Ensure that the Genero demo applications bundled with the Genero BDL installation are not accessible.
    Note: By default, access to the demo applications is allowed only from localhost (127.0.0.1). If you want to enable access from other client machines or IP addresses, you must define it in the ACCESS_CONTROL element.

Setting permissions for groups

Different types of administrators can have access to different directories in $FGLASDIR. The recommendation is to manage user permissions through the group starting the dispatchers. Apply read and write permissions for the group on the required directory. For example, this permission appears as "drwxrw----" in directory listings on UNIX/Linux-like systems. This restricts access to users that belong to the group. See your operating system documentation for information on working with groups and managing file permissions.

Users allowed to administer the dispatcher
Set read and write permissions on the log directory for the group starting the dispatchers:
  • $(res.appdata.path)/log

Users allowed to deploy Genero applications or services
Set read and write permissions on these directories for the group starting the dispatchers:
  • $(res.appdata.path)/app
  • $(res.appdata.path)/deployment
  • $(res.appdata.path)/gbc_deployment
  • $(res.appdata.path)/service
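
The following script is an added example, not part of the Genero documentation or tooling. It checks the mode strings quoted above ("drwx------" and "drwxrw----") and the numeric owner or group on $FGLASDIR, the appdata directory, and the five appdata subdirectories. The function names are hypothetical, and the paths, uid and gid are assumptions supplied by the caller.

```sh
#!/bin/sh
# Added example: audit GAS directory permissions against the checklist.
# Paths, uid and gid are supplied by the caller (assumptions about your site).

# check_dir PATH MODE UID GID   ("-" for UID or GID skips that comparison)
# Succeeds when PATH is a directory whose `ls -ld` mode string equals MODE
# and whose numeric owner/group match.
check_dir() {
    [ -d "$1" ] || { echo "MISSING $1"; return 1; }
    # -n prints numeric ids; substr() drops a trailing ACL/SELinux marker.
    got=$(ls -ldn "$1" | awk 'NR == 1 { print substr($1, 1, 10), $3, $4 }')
    got_mode=${got%% *}; rest=${got#* }
    got_uid=${rest% *};  got_gid=${rest#* }
    if [ "$got_mode" != "$2" ]; then
        echo "FAIL $1: mode $got_mode, expected $2"; return 1
    fi
    if [ "$3" != "-" ] && [ "$got_uid" != "$3" ]; then
        echo "FAIL $1: owner uid $got_uid, expected $3"; return 1
    fi
    if [ "$4" != "-" ] && [ "$got_gid" != "$4" ]; then
        echo "FAIL $1: group gid $got_gid, expected $4"; return 1
    fi
    echo "OK   $1"
}

# audit_single_user FGLASDIR APPDATA UID
# Checklist case: only the user starting the dispatcher has access.
audit_single_user() {
    rc=0
    check_dir "$1" drwx------ "$3" - || rc=1
    check_dir "$2" drwx------ "$3" - || rc=1
    return $rc
}

# audit_group_dirs APPDATA GID
# Group case: subdirectories opened to the group starting the dispatchers.
audit_group_dirs() {
    rc=0
    for sub in log app deployment gbc_deployment service; do
        check_dir "$1/$sub" drwxrw---- - "$2" || rc=1
    done
    return $rc
}
```

Source the file and call, for example, audit_single_user "$FGLASDIR" /path/to/appdata "$(id -u)" as the user that starts the dispatcher; a non-zero exit status means at least one directory deviates from the checklist.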